Difference between revisions of "FAQ/Howto"

From GalliumOS Wiki
< FAQ
Jump to: navigation, search
(Move your /home to a flash drive)
(Create udev rules)
 
(8 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
Some frequently useful configuration options:
 
Some frequently useful configuration options:
  
== Move your /home to a flash drive ==
+
== Expand your Home to a flash drive ==
  
It is not recommended to mount your /home to an external USB Flash Drive or a SD Card because if you loose it you gonna be in trouble. However you can move your /home folders to a external place and free some storage.
+
It is not recommended to mount your /home to an external USB Flash Drive because if you loose it you gonna be in trouble. However you can move your /home folders to an external place and free some storage.
 +
 
 +
With the solution below, when you connect the flashdrive it gonna unlock and automount it to /mnt/HomeGaOS; Also, if you boot with the flashdrive pluged in it gonna be ready and available before you login in, so you can access it remotely, at least its the expected behavior.
  
 
==== Encrypt your flash drive ====
 
==== Encrypt your flash drive ====
Line 9: Line 11:
 
Flash drives are easy to loose. If you don't want anyone looking around your data, you should encrypt your flash drive. I will not detail this part, as data encryption are complex and you have better and complete information at https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
 
Flash drives are easy to loose. If you don't want anyone looking around your data, you should encrypt your flash drive. I will not detail this part, as data encryption are complex and you have better and complete information at https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
  
To encrypt the entire flash drive, do this:
+
'''Step 1: Encrypt the entire flash drive:'''
 +
 
 +
    $ sudo cryptsetup -v -c aes-xts-plain64 -s 512 -h sha512 --use-random luksFormat /dev/sdX
 +
 
 +
You should change /dev/sdX for your flashdrive/sdcard. Be carefully, this may lead to data damage.
 +
 
 +
'''Step 2: Open the encrypted content:'''
 +
 
 +
    $ sudo cryptsetup luksOpen /dev/sdX HomeGaOS
 +
 
 +
This you map your unlock device to /dev/mapper/HomeGaOS
 +
 
 +
'''Step 3: Create the file system:'''
  
     $ sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-random luksFormat /dev/sda
+
     $ sudo mkfs.ext4 /dev/mapper/HomeGaOS
  
You should change /dev/sda for your device location. Be carefully, this may lead to data damage.
+
Source: https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode
  
===== Generate an encryption key =====
+
===== Add an encryption key to the flashdrive =====
 +
 
 +
To automatically mount the flash drive without having to type the password we gonna create an encryption key and add it to the flash drive
 +
 
 +
'''Step 1: Generate the key'''
 +
 
 +
    $ sudo dd if=/dev/urandom of=/etc/keys/GaOS-Home.key bs=1024 count=4
 +
 
 +
I'm assuming the keyfile gonna be stored at /etc/keys folder. This will create a file with random content with the size of 4096 bits. You can use any file to act as keyfile. A 4kb file with random content is good enough.
 +
 
 +
'''Step 2: Make the keyfile read-only to root:'''
 +
 
 +
    $ sudo chmod 0400 /etc/keys/GaOS-Home.key
 +
 
 +
Alternatively you can chown your keyfile to root:root and move it into the /root folder or other place.
 +
 
 +
'''Step 3: Add the keyfile to LUKS'''
 +
 
 +
    $ sudo cryptsetup luksAddKey /dev/sdX /etc/keys/GaOS-Home.key
 +
 
 +
Source: https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile
  
 
==== Create udev rules ====
 
==== Create udev rules ====
  
(WIP: pasting content from https://paste.ubuntu.com/24558174/, please improve!)
+
<pre>
 +
## /etc/udev/rules.d/10-usbdrive.rules
 +
KERNEL=="sd*", ATTRS{serial}=="4C530001300414107405", ATTRS{idVendor}=="0781", ATTRS{idProduct}=="5590", SYMLINK+="usb/sandisk", ENV{SYSTEMD_WANTS}="auto-mount-flash-drive.service"
 +
</pre>
 +
 
 +
You can get the values for serial, idVendor, and idProduct with dmesg output; type before inserting USB drive:
  
    ## /etc/udev/rules.d/10-usbdrive.rules
+
$ dmesg -w
    KERNEL=="sd*", ATTRS{serial}=="0340918060002807", ATTRS{idVendor}=="090c", ATTRS{idProduct}=="1000" SYMLINK+="usb/samsung%n"
+
 
   
+
Sources: (a) https://paste.ubuntu.com/24558174/ (b) http://jasonwryan.com/blog/2014/01/20/udev/
    ## /etc/fstab
 
    /dev/usb/samsung1 /media/usb1 ext4 defaults,discard,relatime,nofail 0 2
 
   
 
    ## values for serial, idVendor, and idProduct are visible in dmesg output:
 
    ## run "dmesg -w" while inserting USB drive
 
  
 
==== Create systemd service ====
 
==== Create systemd service ====
  
==== Move the /home folders to the flashdrive ====
+
<pre>
 +
#/etc/systemd/system/auto-mount-flash-drive.service
 +
[Unit]
 +
Description=Auto mount encryted flash drive
 +
 
 +
[Service]
 +
ExecStart=/usr/local/bin/auto-mount/auto-mount.sh
 +
</pre>
 +
 
 +
==== Create the script to mount the drive ====
 +
 
 +
<pre>
 +
#/usr/local/bin/auto-mount/auto-mount.sh
 +
#!/bin/bash
 +
 
 +
cryptsetup luksOpen --key-file /etc/keys/GaOS-Home.key /dev/usb/sandisk HomeGaOS
 +
 
 +
if [[ ! -e /mnt/HomeGaOS ]]; then
 +
  mkdir /mnt/HomeGaOS
 +
fi
 +
 
 +
if [[ -e /dev/mapper/HomeGaOS ]]; then
 +
  mount /dev/mapper/HomeGaOS /mnt/HomeGaOS
 +
else
 +
  echo "not ready"
 +
fi
 +
</pre>
 +
 
 +
==== Move the /home folders to the flashdrive and create symlinks ====
 +
 
 +
Now you can move your folders from /home/user to /mnt/HomeGaOS and create a symlink to it. For example:
 +
 
 +
    $ mv /home/user/Downloads /mnt/HomeGaOS
 +
    $ ln -s /mnt/HomeGaOS/Downloads /home/user/Downloads
 +
 
 +
If you login without the flashdrive the symlinks gonna be broken but whenever you connect the flashdrive they become available.
 +
 
 +
Please, help to improve this.
  
==== Create symlinks ====
+
Problems: still need to think a solution for unmount. If you need to fast suspend and remove the flashdrive, when you back from suspend maybe you need to umount, lock luks manually, before insert the flashdrive again. I don't know the risks for data loose on this.

Latest revision as of 00:23, 21 June 2017

Some frequently useful configuration options:

Expand your Home to a flash drive

It is not recommended to mount your /home to an external USB Flash Drive because if you loose it you gonna be in trouble. However you can move your /home folders to an external place and free some storage.

With the solution below, when you connect the flashdrive it gonna unlock and automount it to /mnt/HomeGaOS; Also, if you boot with the flashdrive pluged in it gonna be ready and available before you login in, so you can access it remotely, at least its the expected behavior.

Encrypt your flash drive

Flash drives are easy to loose. If you don't want anyone looking around your data, you should encrypt your flash drive. I will not detail this part, as data encryption are complex and you have better and complete information at https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system

Step 1: Encrypt the entire flash drive:

   $ sudo cryptsetup -v -c aes-xts-plain64 -s 512 -h sha512 --use-random luksFormat /dev/sdX

You should change /dev/sdX for your flashdrive/sdcard. Be carefully, this may lead to data damage.

Step 2: Open the encrypted content:

   $ sudo cryptsetup luksOpen /dev/sdX HomeGaOS

This you map your unlock device to /dev/mapper/HomeGaOS

Step 3: Create the file system:

   $ sudo mkfs.ext4 /dev/mapper/HomeGaOS

Source: https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode

Add an encryption key to the flashdrive

To automatically mount the flash drive without having to type the password we gonna create an encryption key and add it to the flash drive

Step 1: Generate the key

   $ sudo dd if=/dev/urandom of=/etc/keys/GaOS-Home.key bs=1024 count=4 

I'm assuming the keyfile gonna be stored at /etc/keys folder. This will create a file with random content with the size of 4096 bits. You can use any file to act as keyfile. A 4kb file with random content is good enough.

Step 2: Make the keyfile read-only to root:

   $ sudo chmod 0400 /etc/keys/GaOS-Home.key

Alternatively you can chown your keyfile to root:root and move it into the /root folder or other place.

Step 3: Add the keyfile to LUKS

   $ sudo cryptsetup luksAddKey /dev/sdX /etc/keys/GaOS-Home.key

Source: https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile

Create udev rules

## /etc/udev/rules.d/10-usbdrive.rules
KERNEL=="sd*", ATTRS{serial}=="4C530001300414107405", ATTRS{idVendor}=="0781", ATTRS{idProduct}=="5590", SYMLINK+="usb/sandisk", ENV{SYSTEMD_WANTS}="auto-mount-flash-drive.service"

You can get the values for serial, idVendor, and idProduct with dmesg output; type before inserting USB drive:

$ dmesg -w
  

Sources: (a) https://paste.ubuntu.com/24558174/ (b) http://jasonwryan.com/blog/2014/01/20/udev/

Create systemd service

#/etc/systemd/system/auto-mount-flash-drive.service
[Unit]
Description=Auto mount encryted flash drive

[Service]
ExecStart=/usr/local/bin/auto-mount/auto-mount.sh

Create the script to mount the drive

#/usr/local/bin/auto-mount/auto-mount.sh
#!/bin/bash

cryptsetup luksOpen --key-file /etc/keys/GaOS-Home.key /dev/usb/sandisk HomeGaOS

if [[ ! -e /mnt/HomeGaOS ]]; then
  mkdir /mnt/HomeGaOS
fi

if [[ -e /dev/mapper/HomeGaOS ]]; then
  mount /dev/mapper/HomeGaOS /mnt/HomeGaOS
else
  echo "not ready"
fi

Move the /home folders to the flashdrive and create symlinks

Now you can move your folders from /home/user to /mnt/HomeGaOS and create a symlink to it. For example:

   $ mv /home/user/Downloads /mnt/HomeGaOS
   $ ln -s /mnt/HomeGaOS/Downloads /home/user/Downloads

If you login without the flashdrive the symlinks gonna be broken but whenever you connect the flashdrive they become available.

Please, help to improve this.

Problems: still need to think a solution for unmount. If you need to fast suspend and remove the flashdrive, when you back from suspend maybe you need to umount, lock luks manually, before insert the flashdrive again. I don't know the risks for data loose on this.