the_simple_computer

This site is no longer being maintained so anything below could still be accurate, or very outdated.


Step 1 - Noise Fill

Choose OpenSSL or urandom.



openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero | sudo dd of=/dev/sdxy bs=1M


sudo dd if=/dev/urandom of=/dev/sdxy bs=4096
	

Step 2 - Basic Partitioning

Open GParted from the menu or Dash and create your partitions. A legacy BIOS boot area of 300MB is sufficient to hold 3 kernels, and 300MB is usually recommended for the EFI space.


Step 3 - Cryptsetup



Format each partition that will be encrypted (root, swap and home here), substituting it for /dev/sdxy:

sudo cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdxy



sudo cryptsetup luksOpen /dev/sda2 root

sudo cryptsetup luksOpen /dev/sda3 swap

sudo cryptsetup luksOpen /dev/sda4 home



sudo mkfs.ext4 /dev/mapper/root

sudo mkfs.ext4 /dev/mapper/home

sudo mkswap /dev/mapper/swap

Step 4 - Installation

Begin installation. At the Installation Type menu, choose Something else, then Continue.

Assuming the boot or EFI partition is /dev/sda1, select it. Click Change, choose ext4 (or FAT32 for EFI), assign it the mount point of /boot, click OK. Don't format the partition.

Select /dev/mapper/root, click Change. Select ext4 and set mount point to /.

Do the same for /dev/mapper/home, mounting at /home, and selecting swap area for /dev/mapper/swap. Don't format any of these.

"Device for boot loader installation" should be /dev/sda.

When finished, choose Install Now. When warned about root not being marked for formatting, choose Continue.


Step 5 - Continue Live Session

When given the choice to reboot or continue testing, choose Continue Testing.


Step 6 - chroot



sudo -i

cd /mnt

mkdir root

mount /dev/mapper/root root

mount /dev/sda1 root/boot

chroot root

mount -t proc proc /proc

mount -t sysfs sys /sys
	

Step 7 - crypttab

Still in chroot.



nano /etc/crypttab
	

Open a second terminal and:



sudo blkid
	

Find the UUIDs for root, home and swap on the lines which say crypto_LUKS at the end. The one you want for swap will NOT be the one which just says swap. Paste the UUIDs into crypttab in the chrooted terminal.
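
The crypttab entries this step builds, as an added example that is not part of the original page. It assumes the Debian/Ubuntu four-field crypttab format with the passphrase typed at boot (none); the helper name make_crypttab, the sample blkid output and its UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `blkid` output into /etc/crypttab lines.
# SAMPLE_BLKID is constructed for illustration; the UUIDs are placeholders.
SAMPLE_BLKID='/dev/sda1: UUID="11111111-0000-4000-8000-000000000001" TYPE="ext4"
/dev/sda2: UUID="22222222-0000-4000-8000-000000000002" TYPE="crypto_LUKS"
/dev/sda3: UUID="33333333-0000-4000-8000-000000000003" TYPE="crypto_LUKS"
/dev/sda4: UUID="44444444-0000-4000-8000-000000000004" TYPE="crypto_LUKS"
/dev/mapper/root: UUID="aaaaaaaa-0000-4000-8000-00000000000a" TYPE="ext4"
/dev/mapper/swap: UUID="bbbbbbbb-0000-4000-8000-00000000000b" TYPE="swap"
/dev/mapper/home: UUID="cccccccc-0000-4000-8000-00000000000c" TYPE="ext4"'

# make_crypttab (hypothetical helper): reads blkid output on stdin and takes
# device=name pairs as arguments. Only LUKS containers are emitted, so the
# UUID of the opened /dev/mapper/swap (TYPE="swap") can never be picked.
make_crypttab() {
    pairs="$*"
    while IFS= read -r line; do
        case "$line" in
            *'TYPE="crypto_LUKS"'*) ;;
            *) continue ;;
        esac
        dev=${line%%:*}
        uuid=${line#*' UUID="'}
        uuid=${uuid%%'"'*}
        for pair in $pairs; do
            if [ "${pair%%=*}" = "$dev" ]; then
                # Assumed Debian/Ubuntu format: name, source, key file, options.
                # "none" means the passphrase is asked for at boot.
                printf '%s UUID=%s none luks\n' "${pair#*=}" "$uuid"
            fi
        done
    done
}

# Device-to-name mapping taken from the luksOpen commands in Step 3.
printf '%s\n' "$SAMPLE_BLKID" |
    make_crypttab /dev/sda2=root /dev/sda3=swap /dev/sda4=home
```

On the real system, pipe sudo blkid into the function from the second terminal and compare the three printed lines with what was pasted into /etc/crypttab.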


Step 8 - Fix Hibernate

Still in chroot.



echo 'RESUME=/dev/mapper/swap' > /etc/initramfs-tools/conf.d/resume
	

Update initramfs and exit chroot.



update-initramfs -u

exit
	


Step 9 - LUKS Header Backup

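Dump the LUKS header of each encrypted partition to a file in root's home folder, then exit the root terminal. At this point /root belongs to the live session, so copy the files to storage that will survive the reboot, and keep a copy off the encrypted disk.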



cryptsetup luksHeaderBackup /dev/sdxy --header-backup-file /root/partition_name.img

exit
	

Once booted, you can view the header with:



sudo cryptsetup luksDump /dev/sdxy