trinity/src
1
0
Fork 0
Code

move non platform specific LUKS stuff to cryptography.html

Browse Source
This commit is contained in:
dtb 2021-11-09 07:58:21 -05:00
parent ec98c77aae
commit 7e323d6772
2 changed files with 31 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
homepage/knowledge/cryptography.html
View File

@ -16,11 +16,37 @@
<SCRIPT SRC="/js/sheets.js" TYPE="application/javascript"></SCRIPT> <SCRIPT SRC="/js/sheets.js" TYPE="application/javascript"></SCRIPT>
<SCRIPT TYPE="application/javascript">window.onload = window.initializesheets;</SCRIPT> <SCRIPT TYPE="application/javascript">window.onload = window.initializesheets;</SCRIPT>
<H1>cryptography</H1> <H1>cryptography</H1>
<H3>updated 2021-10-14</H3> <H3>updated 2021-11-09</H3>
<HR ALIGN="left" SIZE="1" WIDTH="25%" /> <HR ALIGN="left" SIZE="1" WIDTH="25%" />
<P><B> <P><B>
This information is not authoritative, nor from a place of deep knowledge. This information is not authoritative, nor from a place of deep knowledge.
</B></P> </B></P>
<H2 ID="luks_partitioning">LUKS partitioning</H2>
<H3>Sources</H3>
<UL>
<LI><A HREF="https://www.cyberciti.biz/security/how-to-backup-and-restore-luks-header-on-linux/">How to backup and restore LUKS header on Linux</A></LI>
<LI><A HREF="https://devconnected.com/how-to-encrypt-partition-on-linux/">How To Encrypt Partition on Linux</A></LI>
<LI><A HREF="https://unixfuntime.wordpress.com/2012/08/20/luks-passphrases-changing-adding-removing/">LUKS passphrases: Changing, adding, removing</A></LI>
</UL>
<P>
To format a partition for LUKS, use <CODE>lsblk</CODE> to determine the physical block device location for that partition and run <CODE>cryptsetup luksFormat [<I>partition</I>]</CODE>.
The passphrase used can be changed or removed after creation.
</P>
<P>
To open a LUKS partition, use <CODE>cryptsetup luksOpen [<I>partition</I>] [<I>name</I>]</CODE>.
This <I>name</I> is the name the <I>decrypted block device</I> location will take in <CODE>/dev/mapper/</CODE>.
Before the decrypted block device has a filesystem it'll just be cleared space - use <CODE>mkfs.[<I>filesystem</I>] /dev/mapper/[<I>name</I>]</CODE>.
</P>
<P>
To mount an opened LUKS partition, use <CODE>mount(8)</CODE> as normal, just with the decrypted block device location.
</P>
<P>
To close an open LUKS partition, <CODE>umount(8)</CODE> it if it's open and <CODE>cryptsetup luksClose [<I>name</I>]</CODE>.
</P>
<P>
To make the LUKS partition openable via keyfile, first make a keyfile (<CODE>dd if=/dev/urandom of=/root/keyfile bs=1024 count=4</CODE> seems to work), and optionally make it readable by root only (<CODE>chmod 0400 [<I>keyfile</I>]</CODE>).
Then add the keyfile to the partition's LUKS header with <CODE>cryptsetup luksAddKey [<I>physical partition block device</I>] [<I>keyfile</I>]</CODE>.
</P>
<H2>SSH keys</H2> <H2>SSH keys</H2>
<H3>Sources</H3> <H3>Sources</H3>
<UL> <UL>

33
homepage/knowledge/postmarketos.html
View File

@ -22,47 +22,22 @@
postmarketOS is based on Alpine Linux and this site's <A HREF="/knowledge/alpine">knowledge article for Alpine</A> applies to postmarketOS as well. postmarketOS is based on Alpine Linux and this site's <A HREF="/knowledge/alpine">knowledge article for Alpine</A> applies to postmarketOS as well.
</P> </P>
<H2>Encrypted SD card with LUKS</H2> <H2>Encrypted SD card with LUKS</H2>
<H3>Other resources</H3> <H3>Sources</H3>
<UL> <UL>
<LI><A HREF="https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile/">Automatically Unlock LUKS Encrypted Drives With A Keyfile</A></LI> <LI><A HREF="https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile/">Automatically Unlock LUKS Encrypted Drives With A Keyfile</A></LI>
<LI><A HREF="https://wiki.gentoo.org/wiki/Dm-crypt">Dm-crypt</A> (Gentoo Wiki)</LI> <LI><A HREF="https://wiki.gentoo.org/wiki/Dm-crypt">Dm-crypt</A> (Gentoo Wiki)</LI>
<LI><A HREF="https://www.cyberciti.biz/security/how-to-backup-and-restore-luks-header-on-linux/">How to backup and restore LUKS header on Linux</A></LI>
<LI><A HREF="https://wiki.alpinelinux.org/wiki/LVM_on_LUKS">LVM on LUKS</A> (Alpine Wiki)</LI> <LI><A HREF="https://wiki.alpinelinux.org/wiki/LVM_on_LUKS">LVM on LUKS</A> (Alpine Wiki)</LI>
<LI><A HREF="https://devconnected.com/how-to-encrypt-partition-on-linux/">How To Encrypt Partition on Linux</A></LI>
</UL> </UL>
<P> <P>
I bought a <A HREF="https://www.amazon.com/gp/product/B09B1JFY24/">SAMSUNG EVO Select 128GB New Generation</A> card (apologies for the Amazon link, it isn't an associate link though), wiped it, and put one partition on it that spanned the whole drive. I bought a <A HREF="https://www.amazon.com/gp/product/B09B1JFY24/">SAMSUNG EVO Select 128GB New Generation</A> card (apologies for the Amazon link, it isn't an associate link though), wiped it, and put one partition on it that spanned the whole drive.
See <A HREF="/knowledge/cryptography#luks_partitioning">cryptography#LUKS partitioning</A> for how to make a LUKS partition.
</P> </P>
<P> <P>
To format a partition for LUKS, use <CODE>lsblk</CODE> to determine the block device location for that partition and run <CODE>cryptsetup luksFormat [<I>partition</I>]</CODE>. To have the SD card auto-mount at boot, add an <CODE>fstab(5)</CODE> line for the decrypted block device.
The passphrase used can be changed or removed after creation. The <CODE>localmount</CODE> OpenRC service will also have to be enabled for the system to read <CODE>fstab(5)</CODE> - <CODE>rc-update add localmount</CODE>.
</P>
<P>
To open a LUKS partition, use <CODE>cryptsetup luksOpen [<I>partition</I>] [<I>name</I>]</CODE>.
This <I>name</I> is the name the decrypted block device location will take in <CODE>/dev/mapper/</CODE>.
Before the decrypted block device has a filesystem it'll just be cleared space.
Use <CODE>mkfs.ext4 /dev/mapper/[<I>name</I>]</CODE> to create an ext4 filesystem on the decrypted volume.
</P>
<P>
To mount an opened LUKS partition, use <CODE>mount(8)</CODE> as normal, just with the block device location <CODE>/dev/mapper/[<I>name</I>]</CODE>.
</P>
<P>
To close an open LUKS partition, <CODE>umount(8)</CODE> it if it's open and <CODE>cryptsetup luksClose [<I>name</I>]</CODE>.
</P>
<P>
To make the LUKS partition openable via keyfile, first make a keyfile (<CODE>dd if=/dev/urandom of=/root/keyfile bs=1024 count=4</CODE> seems to work), and optionally make it readable by root only (<CODE>chmod 0400 [<I>keyfile</I>]</CODE>).
Then add the keyfile to the partition's LUKS header with <CODE>cryptsetup luksAddKey [<I>physical partition block device</I>] [<I>keyfile</I>]</CODE>.
<I>Physical partition block device</I> refers to the same <I>partition</I> openable with <CODE>cryptsetup luksOpen</CODE>, but is called such here to disambiguate from the <I>decrypted</I> block device (at <CODE>/dev/mapper/</CODE>).
</P>
<P>
To have the SD card auto-mount at boot, add an <CODE>fstab(5)</CODE> line for the <I>decrypted</I> block device.
In <CODE>blkid(8)</CODE>'s output, this will be the line that starts with <CODE>/dev/mapper/[<I>name</I>]</CODE>.
Then, <CODE>rc-update add dmcrypt boot</CODE> and add an entry in <CODE>/etc/conf.d/dmcrypt</CODE> to automatically luksOpen the volume. Then, <CODE>rc-update add dmcrypt boot</CODE> and add an entry in <CODE>/etc/conf.d/dmcrypt</CODE> to automatically luksOpen the volume.
<CODE>dm-crypt</CODE> will need the UUID of the <I>physical</I> block device; in <CODE>blkid(8)</CODE> this will be the line that starts with <CODE>/dev/mmcblk</CODE> or <CODE>/dev/sd[<I>X</I>]</CODE>. <CODE>dm-crypt</CODE> will need the UUID of the <I>physical</I> block device; in <CODE>blkid(8)</CODE> this will be the line that starts with <CODE>/dev/mmcblk</CODE> or <CODE>/dev/sd[<I>X</I>]</CODE>.
</P> </P>
<P>
The <CODE>localmount</CODE> OpenRC service will also have to be enabled for the system to read <CODE>fstab(5)</CODE>.
</P>
<H2>Random MAC address generation on Wifi</H2> <H2>Random MAC address generation on Wifi</H2>
<P> <P>