How to install fully encrypted CRUX

This post is for crux users who wanna secure their crux installation.

Partitioning

I'm gonna use two partitions. First boot partition will be unencrypted which holds kernel. I use secure boot with my own keys. You can find a post in my blog how to do that. and I have some ports at https://abdullah.today/ports for secure boot.

Boot unencrypted Partition

Create a partition more than 200 Mbs for boot ESP with gdisk code ef00.

Let's create a FAT filesystem on it for EFI.

# mkfs.fat -F32 /dev/sda1

Encrypted Partition

Create an encrypted LUKS container

# cryptsetup luksFormat /dev/sda2
    

Type uppercase "YES" and then enter passphrase two times.

Open the encrypted container.

# cryptsetup open /dev/sda2 crux 
    

Now the encrypted container is available at /dev/mapper/crux so lets create some lvm stuff and create filesystems and a swap partition.

# pvcreate /dev/mapper/crux
# vgcreate ak /dev/mapper/crux
# lvcreate -L 8G ak -n swap
# lvcreate -L 50G ak -n root
# lvcreate -l 100%FREE ak -n home
# mkfs.ext4 /dev/ak/root -L crux-root
# mkfs.ext4 /dev/ak/home -L crux-home
# mkswap /dev/ak/swap -L crux-swap

Mount the partitions and start installations.

# mount /dev/mapper/ak-root /mnt
# mkdir /mnt/{boot,home}
# mount /dev/mapper/ak-home /mnt/home
# mount /dev/sda1 /mnt/boot
# swapon /dev/mapper/ak-swap

Base system installation

Start installation. Type "setup" and select "YES". Install all packages. Make sure you get no error messages once installation is finished.

# setup

Chroot

Enter chroot.

# setup-chroot

fstab

Check fstab by going to /etc/fstab. Open it with vim. You'll see two uncommented entries there. Leave them as it is. In vim prompt mode just type :r! blkid and you'll get UUIDs of all partitions. Add them there for root, home, boot and swap partitions.

locales

Generate locales.

 # localedef -i en_US -f ISO-8859-1 en_US
 # localedef -i en_US -f ISO-8859-1 en_US.ISO-8859-1
 # localedef -i en_US -f UTF-8 en_US.UTF-8 

rc.conf

Edit rc.conf. Mine looks like this.

# vim /etc/rc.conf

#
# /etc/rc.conf: system configuration
#

FONT=ter-v22n
KEYMAP=us
TIMEZONE=Asia/Karachi
HOSTNAME=cruz
SYSLOG=sysklogd
SERVICES=(crond wifi acpid )

# End of file

resolv.conf

Edit /etc/resolv.conf. I'm using OpenDNS nameserver here.

# vim /etc/resolv.conf

nameserver 208.67.222.222

wifi

For wireless connection, you can use wpa_supplicant. For example if your interface is wlp3s0 and SSID is nix, add passphrase to it using wpa_passphrase like this.

# wpa_passphrase nix >> /etc/wpa_supplicant.conf
Reading from STDIN  # Type your passphrase.

# wpa_supplicant -i wlp3s0 -B -c /etc/wpa_supplicant.conf
# dhcpcd wlp3s0

Kernel

Compile the kernel now. Go to the /usr/src/linux directory. Configure the kernel config. Since we are gonna have an encrypted installation, we need some extra drivers. Invoke 'make menuconfig' and enable these options. And also enable what is needed for your hardware. I'll add only options needed for encryption here.



General setup --->

  [*] Initial RAM filesystem and RAM disk (iniramfs/initrd) support


Device Drivers --->

  Multiple devices driver support (RAID and LVM) --->
    [*] Device mapper support
    [*] Crypt target support

Cryptographic API ---> 
  
  -*- CBC support
  <*> SHA224 and SHA256 digest algorithm
  <*> AES cipher algorithms

You can get my kernel config from https://gitlab.com/Abdullah/cfg/raw/master/kernel/config by using wget and then edit it as per your hardware. This one is for Thinkpad with SSD.

# wget https://gitlab.com/Abdullah/cfg/raw/master/kernel/config > .config 

After you're done with configuring kernel, compile it. Once it's compiled, copy it to /boot directory and install modules.

# make -j8
# make modules_install
# cp arch/x86/boot/bzImage /boot/vmlinuz
# cp System.map /boot

Users and package management

Root password and a normal user

Set root password. Create our first user. And then we will create a second user for package management.

# passwd
# useradd -G wheel,audio,video -m -U abdullah
# passwd abdullah

Give new user sudo access

Add new created user to sudoers. Uncomment this line in /etc/sudoers.


%wheel ALL=(ALL) ALL

User for creating packages

Now let's create a user for package management.

# groupadd pkgmk
# useradd -m -g pkgmk pkgmk

Add our user to this newly created group.

# usermod -aG pkgmk abdullah

fakeroot

Edit /etc/prt-get.conf to set up fakeroot building.

# makecommand sudo -H -u pkgmk /usr/bin/fakeroot /usr/bin/pkgmk

Edit /etc/pkgmk.conf.

 # vim /etc/pkgmk.conf

PKGMK_SOURCE_DIR="/home/pkgmk/distfiles"
PKGMK_PACKAGE_DIR="/home/pkgmk/packages"
PKGMK_WORK_DIR="/home/pkgmk/work/$name"

Create those directories.

# mkdir /home/pkgmk/{distfiles,packages,work}
# chown pkgmk:pkgmk /home/pkgmk/*
# chmod 775 /home/pkgmk/*

Enable contrib repository.

# mv /etc/ports/contrib.rsync.inactive /etc/ports/contrib.rsync

Add my custom ports repository.

# echo "ROOT_DIR=/usr/ports/ak\nURL=https://abdullah.today/ports" > /etc/ports/ak.httpup

Enable contrib and my repository by editing /etc/prt-get.conf. Uncomment the line which says "prtdir /usr/ports/contrib" and add this line on top of the other port directories path. "prtdir /usr/ports/ak". Also don't forget to uncomment the line which says, "runscripts yes". After editing the file, it should be look like this.

 

###
### prt-get conf
###

# note: the order matters: the package found first is used
prtdir /usr/ports/ak
prtdir /usr/ports/core
prtdir /usr/ports/opt
prtdir /usr/ports/xorg

# the following line enables the multilib compat-32 collection
#prtdir /usr/ports/compat-32

# the following line enables the user maintained contrib collection
prtdir /usr/ports/contrib

### use mypackage form local directory
# prtdir /home/packages/build:mypackage

### log options:
# writelog enabled         # (enabled|disabled)
# logmode  overwrite       # (append|overwrite)
# rmlog_on_success yes     # (no|yes)
logfile  /var/log/pkgbuild/%n.log
                           # path, %p=path to port dir, %n=port name
                           #       %v=version, %r=release

### use alternate cache file (default: /var/lib/pkg/prt-get.cache
# cachefile /mnt/nfs/cache

### print README information:
# readme verbose           # (verbose|compact|disabled)

### prefer higher versions in sysup / diff
# preferhigher no      # (yes|no)

### use regexp search
# useregex no        # (yes|no)

### run pre- and post-installs scripts; yes is equivalent to the
### --install-scripts option
runscripts yes            # (no|yes)


### EXPERT SECTION ###

### alternative commands
# makecommand      pkgmk
# addcommand       pkgadd
# removecommand    pkgrm
# runscriptcommand sh
makecommand sudo -H -u pkgmk /usr/bin/fakeroot /usr/bin/pkgmk

Sync ports now.

# ports -u

Get fakeroot installed if you don't have yet.

# prt-get install fakeroot

Dracut

Get dracut and create an initramfs.

# prt-get depinst dracut
# dracut initramfs.img

Bootloader

I'm using EFISTUB. If you're using some other boot manager like grub, consult their wiki. There are some dracut related variables in this example. I'd recommand, create a new file with vim, and then in prompt mode, type :r! blkid so you'll get all UUIDs there in the file. Just copy them in the new file, delete other lines and save it. Then redirect this file's output to shell like this, 'cat newCreatedFile | sh'. It will create a new entry. root-UUID=, rd.luks.uuid=, and rd.lvm.vg=. For EFISTUB, create an entry like this.

# efibootmgr --create --disk /dev/sda --part 1 --label 'CRUX-Encrypted' --loader /vmlinuz --unicode "root=UUID=XXXX-XXXX-XXXX-XXX rw resume=UUID=XXXX-XXXX-XXXX-XXXX rd.luks.uuid=XXXX-XXXX-XXXX-XXXX rd.lvm.vg=ak" --verbose

Congrats!

Congrats! You have now a fully encrypted system. Reboot now. If you have some problems, just send me an email and I'll be glad to help.