Difference between revisions of "FAQ/Howto"
(→Generate an encryption key) |
(→Move your /home to a flash drive) |
||
Line 3: | Line 3: | ||
== Move your /home to a flash drive == | == Move your /home to a flash drive == | ||
− | It is not recommended to mount your /home to an external USB Flash Drive | + | It is not recommended to mount your /home to an external USB Flash Drive because if you loose it you gonna be in trouble. However you can move your /home folders to an external place and free some storage. |
==== Encrypt your flash drive ==== | ==== Encrypt your flash drive ==== | ||
Line 9: | Line 9: | ||
Flash drives are easy to loose. If you don't want anyone looking around your data, you should encrypt your flash drive. I will not detail this part, as data encryption are complex and you have better and complete information at https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system | Flash drives are easy to loose. If you don't want anyone looking around your data, you should encrypt your flash drive. I will not detail this part, as data encryption are complex and you have better and complete information at https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system | ||
− | + | '''Step 1: Encrypt the entire flash drive:''' | |
− | $ sudo cryptsetup -v - | + | $ sudo cryptsetup -v -c aes-xts-plain64 -s 512 -h sha512 --use-random luksFormat /dev/sdX |
− | You should change /dev/ | + | You should change /dev/sdX for your flashdrive/sdcard. Be carefully, this may lead to data damage. |
+ | |||
+ | '''Step 2: Open the encrypted content:''' | ||
+ | |||
+ | $ sudo cryptsetup luksOpen /dev/sdX HomeGaOS | ||
+ | |||
+ | This you map your unlock device to /dev/mapper/HomeGaOS | ||
+ | |||
+ | '''Step 3: Create the file system:''' | ||
+ | |||
+ | $ sudo mkfs.ext4 /dev/mapper/HomeGaOS | ||
===== Add an encryption key to the flashdrive ===== | ===== Add an encryption key to the flashdrive ===== | ||
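Review bot: the warning added after the luksFormat line in Step 1 ("this may lead to data damage") understates what the command does. luksFormat writes a new LUKS header onto /dev/sdX, so whatever was on the device before is no longer accessible. Suggest saying that outright and telling the reader to confirm the device name (for example with lsblk) before running it. Also, "This you map your unlock device" in Step 2 should read "This maps your unlocked device".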
Line 23: | Line 33: | ||
$ sudo dd if=/dev/urandom of=/etc/keys/GaOS-Home.key bs=1024 count=4 | $ sudo dd if=/dev/urandom of=/etc/keys/GaOS-Home.key bs=1024 count=4 | ||
− | This will create a file with random content with the size of 4096 bits. You can use any file to act as keyfile. A 4kb file with random content is good enough. | + | I'm assuming the keyfile gonna be stored at /etc/keys folder. This will create a file with random content with the size of 4096 bits. You can use any file to act as keyfile. A 4kb file with random content is good enough. |
'''Step 2: Make the keyfile read-only to root:''' | '''Step 2: Make the keyfile read-only to root:''' | ||
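Review bot: in the sentence added after the dd line, "4096 bits" does not match the command. bs=1024 count=4 writes four blocks of 1024 bytes, which is 4096 bytes and agrees with the "4kb" in the last sentence of the same line. Suggest "4096 bytes". Since the new sentence fixes the location as /etc/keys, the following steps should use /etc/keys/GaOS-Home.key too.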
Line 29: | Line 39: | ||
$ sudo chmod 0400 /root/keyfile | $ sudo chmod 0400 /root/keyfile | ||
− | + | Alternatively you can chown your keyfile to root:root and move it into the /root folder or other place. | |
'''Step 3: Add the keyfile to LUKS''' | '''Step 3: Add the keyfile to LUKS''' |
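Review bot: the chmod line in Step 2 still targets /root/keyfile, while Step 1 writes the key to /etc/keys/GaOS-Home.key, so following the steps as written leaves the generated keyfile with its default permissions. Suggest changing the command to "sudo chmod 0400 /etc/keys/GaOS-Home.key" and wording the new "Alternatively" sentence so it is clear that moving the file to /root is optional and that the path in the later commands has to follow it.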
Revision as of 20:25, 20 June 2017
Some frequently useful configuration options:
Move your /home to a flash drive
It is not recommended to mount your /home to an external USB flash drive, because if you lose it you are going to be in trouble. However, you can move your /home folders to an external place and free some storage.
Encrypt your flash drive
Flash drives are easy to lose. If you don't want anyone looking around your data, you should encrypt your flash drive. I will not detail this part, as data encryption is complex and you have better and more complete information at https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
Step 1: Encrypt the entire flash drive:
$ sudo cryptsetup -v -c aes-xts-plain64 -s 512 -h sha512 --use-random luksFormat /dev/sdX
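You should change /dev/sdX to the device name of your flash drive or SD card. Be careful: luksFormat overwrites the device, so anything already on it is lost, and picking the wrong device will destroy that device's data.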
Step 2: Open the encrypted content:
$ sudo cryptsetup luksOpen /dev/sdX HomeGaOS
This maps your unlocked device to /dev/mapper/HomeGaOS.
Step 3: Create the file system:
$ sudo mkfs.ext4 /dev/mapper/HomeGaOS
Add an encryption key to the flashdrive
To automatically mount the flash drive without having to type the password, we are going to create an encryption key and add it to the flash drive.
Step 1: Generate the key
$ sudo dd if=/dev/urandom of=/etc/keys/GaOS-Home.key bs=1024 count=4
I'm assuming the keyfile is going to be stored in the /etc/keys folder. This will create a file with random content with the size of 4096 bits. You can use any file to act as a keyfile. A 4kb file with random content is good enough.
Step 2: Make the keyfile read-only to root:
$ sudo chmod 0400 /etc/keys/GaOS-Home.key
Alternatively you can chown your keyfile to root:root and move it into the /root folder or other place.
Step 3: Add the keyfile to LUKS
$ sudo cryptsetup luksAddKey /dev/sdX /etc/keys/GaOS-Home.key
Source: https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile
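An added example, not part of the original wiki page: a small audit script that checks the keyfile from Steps 1 to 3 before you rely on it for automatic unlock. The helper names check_keyfile and keyfile_unlocks are hypothetical, and the script assumes a stat that supports the -c format option (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example: audit a LUKS keyfile before trusting it for automatic unlock.
# check_keyfile and keyfile_unlocks are hypothetical helper names.
# Assumes a stat that supports -c (GNU coreutils or busybox).

# check_keyfile FILE [EXPECTED_UID]
# Returns 0 = ok, 1 = missing or symlink, 2 = wrong mode,
#         3 = wrong owner, 4 = empty file.
check_keyfile() {
    kf=$1
    want_uid=${2:-0}                      # default owner: root
    if [ -L "$kf" ] || [ ! -f "$kf" ]; then
        echo "not a regular file: $kf" >&2; return 1
    fi
    mode=$(stat -c %a "$kf")              # octal permission bits, e.g. 400
    uid=$(stat -c %u "$kf")               # numeric owner id
    size=$(stat -c %s "$kf")              # size in bytes
    if [ "$mode" != 400 ]; then
        echo "mode is $mode, expected 400: $kf" >&2; return 2
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "owner uid is $uid, expected $want_uid: $kf" >&2; return 3
    fi
    if [ "$size" -eq 0 ]; then
        echo "keyfile is empty: $kf" >&2; return 4
    fi
    return 0
}

# keyfile_unlocks DEVICE FILE
# Asks cryptsetup whether FILE opens a key slot on DEVICE, without mapping it.
keyfile_unlocks() {
    cryptsetup luksOpen --test-passphrase --key-file "$2" "$1"
}

# Run as root: sh audit-keyfile.sh /dev/sdX /etc/keys/GaOS-Home.key
if [ $# -eq 2 ]; then
    check_keyfile "$2" && keyfile_unlocks "$1" "$2" && echo "keyfile OK"
fi
```

A keyfile that passes both checks is the one LUKS will accept, stored with the permissions Step 2 asks for.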
Create udev rules
(WIP: pasting content from https://paste.ubuntu.com/24558174/, please improve!)
## /etc/udev/rules.d/10-usbdrive.rules
KERNEL=="sd*", ATTRS{serial}=="0340918060002807", ATTRS{idVendor}=="090c", ATTRS{idProduct}=="1000", SYMLINK+="usb/samsung%n"

## /etc/fstab
/dev/usb/samsung1 /media/usb1 ext4 defaults,discard,relatime,nofail 0 2

## values for serial, idVendor, and idProduct are visible in dmesg output:
## run "dmesg -w" while inserting USB drive