os:fedora:eole

Purpose

After installing OpenBSD fully encrypted with the keys on a USB stick, let's try the same with Linux and Fedora 32 (which we will then push to Rawhide for the bleeding-edge experience). Since having the boot process read a non-cleartext key seems largely impossible on Linux, I opted for a "honeypot OS" setup: Windows 10 on the 256GB drive and the Linux / on the second drive, with /boot on a USB drive. This way, without the USB key only Windows boots :D

Hardware

Lenovo Thinkpad X230 Tablet with an m-SATA drive in the phone card slot and the 500GB hard drive replaced by a 1TB SSD, 16GB RAM, Core i5 CPU.

Disk partitioning

SSD (1TB) = sda
m-SATA (256GB) = sdb
USB drive (16GB) = sdd

^ disk ^ partition ^ type ^ size ^ mount point ^ install pass ^
| sdb | sdb* | Windows 10 (Microsoft crap) | 256GB | | |
| sdb | sdb2 | EFI partition | 100MB | /boot/efi | |
| sdd | sdd1 | ext2 | 10GB | /boot | |
| sda | /dev/mapper/Fedora | LUKS encrypted (holds the LVM) | 1TB | | test |
| sda | sda1 | swap | 16GB | - | |
| sda | /dev/mapper/Fedora-fedora--root | ext4 | 915GB | / | |

Note: the root LV lives inside the encrypted LVM on the 1TB SSD (sda), not on the m-SATA drive.

Install

Using Fedora Media Writer I created a live USB with Fedora 32.
Boot is set to "UEFI" with Microsoft "Secure Boot" (LOL, yes, Secure and Microsoft in the same sentence), pure GPT crap on all devices.
I first installed Windows 10 on the first drive (m-SATA, 256GB).
The Fedora install proceeds normally; at the disk partitioning step I chose Custom, selected all devices, mounted the EFI partition of the m-SATA drive as /boot/efi, then created /boot (ext2) on the USB key and an encrypted LVM volume group (named Fedora) on the SSD, and inside it created swap and / (ext4).

I used an easy passphrase, since we will change it later and put the key on a USB drive to avoid typing it. The initial passphrases are in the table above :-)

After reboot it asks for the swap passphrase, then the LVM one.

Next step: put the LUKS key file on the USB stick to avoid typing the passphrase.

Rawhide

Switch to Rawhide! Rock'n'roll :-)

https://fedoraproject.org/wiki/Upgrading_Fedora_using_package_manager#To_Rawhide

 dnf upgrade
 dnf install -y dnf-plugins-core fedora-repos-rawhide
 dnf config-manager --set-disabled fedora updates updates-testing
 dnf config-manager --set-enabled rawhide
 dnf clean -q dbcache packages metadata
 dnf --releasever=rawhide --setopt=deltarpm=false distro-sync --nogpgcheck
 touch /.autorelabel

Caveat: --nogpgcheck turns off package signature verification for the whole distro-sync, so every Rawhide package is installed unverified. Try the distro-sync without it first (fedora-repos-rawhide pulls in the Fedora signing keys, which normally include the Rawhide key) and only add the flag if dnf really fails on a missing key. Reboot after touch /.autorelabel so SELinux relabels the filesystem.

Missing programs/repo

 dnf install -y htop ccze vim zsh dfc git

epel

Fingerprints

 dnf install -y fprintd libfprint fprintd-pam

Note: the Fedora package names are fprintd and fprintd-pam (there is no "fprint" package).

LUKS key on usb drive

:!: WORK IN PROGRESS :!:
Reference: https://forums.centos.org/viewtopic.php?t=53452

The key file is /boot/trololo.key (the USB drive is formatted as ext2). It is stored in cleartext on the stick, so whoever holds the stick holds the key: keep the file mode 0400 and keep a passphrase slot as fallback (see "Failover key" below).

LUKS key

Add this key file to the LUKS container (cryptsetup prompts for an existing passphrase first):

 cryptsetup luksAddKey /dev/disk/by-uuid/<lvm luks> /boot/trololo.key

Dracut

Create a dracut config file so the key can be read from the USB drive at the early boot stage:

 vi /etc/dracut.conf.d/usb-decrypt.conf

Content:

 omit_dracutmodules+=" systemd "
 filesystems+=" ext2 "

Notes: my USB drive is formatted as ext2, hence the filesystems entry. The spaces inside the quotes are required: dracut joins these lists with spaces, so an unpadded value can fuse with a neighbouring entry. Omitting the systemd module makes dracut build the classic (non-systemd) initramfs.

Regenerate the initramfs (add --regenerate-all to rebuild it for every installed kernel, not just the running one):

 dracut -fv

GRUB

Get the UUID of the USB drive's filesystem (the partition, sdd1, not the whole disk):

 ls -l /dev/disk/by-uuid

Add to grub.cfg:

 vi /boot/efi/EFI/fedora/grub.cfg

Add to the kernel command line of the Fedora entry:

 rd.luks.key=/trololo.key:UUID=<UUID of USBdrive>

Note: the key path is relative to the root of the device given by UUID, so /boot/trololo.key on the running system is /trololo.key here.

Caveat: grub.cfg is generated, so a hand edit is lost the next time grub2-mkconfig runs (for example on a kernel update). The persistent way is to add the same argument to GRUB_CMDLINE_LINUX in /etc/default/grub and regenerate, or to apply it to every kernel entry with grubby --update-kernel=ALL --args="rd.luks.key=...".

Reboot to test

LUKS Keys

Generate (1024 random bytes; the file should be readable by root only, mode 0400):

 dd if=/dev/urandom of=/boot/trololo.key bs=1 count=1024
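Putting the steps of "LUKS key on usb drive" and the key generation above together, here is an added example script (not the page's own, nor Fedora's). It assumes the key file is /boot/trololo.key, that /boot is the stick's ext2 filesystem, and that LUKS_UUID is the UUID of the encrypted container (the <lvm luks> placeholder above). It derives the device-relative key path and the stick's filesystem UUID with findmnt, writes the dracut fragment with the required padding, sets the kernel argument persistently with grubby instead of editing grub.cfg, and checks with cryptsetup --test-passphrase that the key file actually opens the container before the next boot depends on it.

```shell
#!/bin/bash
# Added example (not the page's own script): set up a LUKS key file on the USB /boot
# stick end to end and verify it before rebooting. Assumptions: the key file is
# /boot/trololo.key, /boot is the stick's ext2 filesystem, and LUKS_UUID names the
# encrypted container (the "<lvm luks>" UUID from the page).
set -euo pipefail

# Map a path on the running system to the path dracut sees on the device:
# /boot/trololo.key with /boot mounted from the stick -> /trololo.key
device_relative_path() {
    local file="$1" mountpoint="${2%/}"
    case "$file" in
        "$mountpoint"/*) printf '/%s\n' "${file#"$mountpoint"/}" ;;
        *) echo "error: $file is not under ${mountpoint:-/}" >&2; return 1 ;;
    esac
}

# rd.luks.key=<path on device>:UUID=<filesystem UUID of the stick's partition>
rd_luks_key_arg() {
    printf 'rd.luks.key=%s:UUID=%s\n' "$1" "$2"
}

# dracut.conf.d fragment. dracut joins these lists with spaces, so the padding
# inside the quotes is required; "ext2" without it can fuse with a neighbouring entry.
dracut_conf() {
    printf 'omit_dracutmodules+=" systemd "\nfilesystems+=" ext2 "\n'
}

# Create the key file readable by root only (1024 random bytes, as on the page).
make_key() {
    local keyfile="$1"
    [ -e "$keyfile" ] && return 0
    (umask 077 && dd if=/dev/urandom of="$keyfile" bs=1 count=1024 status=none)
}

# Wire everything up on a real system (needs root).
apply() {
    local keyfile="$1" luks_uuid="$2"
    local luks_dev="/dev/disk/by-uuid/$luks_uuid" mp uuid rel arg
    mp=$(findmnt -no TARGET --target "$keyfile")     # mountpoint holding the key (/boot)
    uuid=$(findmnt -no UUID --target "$keyfile")     # filesystem UUID of that mount (sdd1)
    rel=$(device_relative_path "$keyfile" "$mp")
    arg=$(rd_luks_key_arg "$rel" "$uuid")

    make_key "$keyfile"
    cryptsetup luksAddKey "$luks_dev" "$keyfile"     # prompts for an existing passphrase
    dracut_conf > /etc/dracut.conf.d/usb-decrypt.conf
    dracut -f --regenerate-all
    # Persistent alternative to hand-editing grub.cfg, which grub2-mkconfig overwrites.
    grubby --update-kernel=ALL --args="$arg"
    # Prove the key file opens the container before trusting the next boot to it.
    cryptsetup open --test-passphrase --key-file "$keyfile" "$luks_dev"
    echo "ok: $arg"
}

# Only touch the system when explicitly asked (as root):
#   DO_APPLY=1 LUKS_UUID=<uuid of the LUKS container> ./usb-luks-key.sh
if [ "${DO_APPLY:-0}" = 1 ]; then
    apply /boot/trololo.key "${LUKS_UUID:?set LUKS_UUID}"
fi
```

The helpers (device_relative_path, rd_luks_key_arg, dracut_conf) are pure and can be run anywhere; only apply touches the system, and only when DO_APPLY=1 and LUKS_UUID are set.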

Failover key

Add an ordinary passphrase in another slot so the disk can still be opened without the USB stick:

 cryptsetup luksAddKey /dev/sda1

Cleaning key slots

Check keys:

  • list all slots
 cryptsetup luksDump /dev/sda1
  • check one specific slot
 cryptsetup luksOpen --test-passphrase --key-slot 0 /dev/sda2 && echo correct
  • delete obsolete slots (cryptsetup asks for a passphrase of a remaining slot; check luksDump first and never kill the last enabled slot, or the one the USB key file opens, without a verified fallback)
 cryptsetup -v luksKillSlot /dev/sda1 0
 cryptsetup -v luksKillSlot /dev/sda1 1
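Added example for the slot cleanup above (not from the page): a small shell helper that parses cryptsetup luksDump output to list the enabled key slots, for both LUKS2 headers (the Fedora 32 default) and the older LUKS1 "Key Slot N: ENABLED" lines, plus a kill_slot_safely function that refuses to kill a slot when it is the only one left and verifies the fallback key file with --test-passphrase before anything is destroyed. The dump texts embedded in it are constructed samples; device paths and the key file path are arguments you supply.

```shell
#!/bin/bash
# Added example (not from the page): list enabled LUKS key slots from `cryptsetup luksDump`
# output and only kill a slot when a different, verified slot remains. Handles the LUKS2
# "Keyslots:" section and LUKS1 "Key Slot N: ENABLED" lines.
set -euo pipefail

# Read luksDump text on stdin, print the enabled slot numbers one per line.
enabled_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/    { sub(":", "", $3); print $3; next }  # LUKS1
        /^Keyslots:/                   { in_slots = 1; next }                 # LUKS2 section start
        in_slots && /^[A-Za-z]/        { in_slots = 0 }                       # next section (Tokens:, Digests:)
        in_slots && /^  [0-9]+: luks2/ { sub(":", "", $1); print $1 }        # one entry per slot
    '
}

# Read luksDump text on stdin, print the enabled slots other than $1 (empty if none).
remaining_slots() {
    enabled_slots | grep -vx "$1" || true
}

# Kill slot $2 on device $1 only if another slot exists and the key file $3 still opens
# the device. Real use (root): kill_slot_safely /dev/sda1 0 /boot/trololo.key
kill_slot_safely() {
    local dev="$1" slot="$2" keyfile="$3" others
    others=$(cryptsetup luksDump "$dev" | remaining_slots "$slot")
    if [ -z "$others" ]; then
        echo "refusing: slot $slot is the only enabled slot on $dev" >&2
        return 1
    fi
    # The remaining credential must work *before* anything is destroyed.
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev"
    cryptsetup -v luksKillSlot --key-file "$keyfile" "$dev" "$slot"
}

# Constructed sample dumps (trimmed; real output indents the detail lines with tabs)
# so the parser can be exercised offline without a LUKS device.
SAMPLE_LUKS2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
  2: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

SAMPLE_LUKS1='LUKS header information for /dev/sda1
Version:        1
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: ENABLED'

# Only act on a real device when explicitly asked:
#   ./luks-slots.sh kill /dev/sda1 0 /boot/trololo.key
if [ "${1:-}" = kill ]; then
    kill_slot_safely "$2" "$3" "$4"
fi
```

Run it without arguments to load the helpers; enabled_slots and remaining_slots work on any luksDump text piped in, and the kill path only runs with the explicit kill argument.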
os/fedora/eole.txt · Last modified: 2021/12/29 21:03 by warnaud