Skip to main content
Topic: Artix Open-RC Encrypted Drives With XFCE and hardened-kernel UEFI Installation (Read 8363 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Artix Open-RC Encrypted Drives With XFCE and hardened-kernel UEFI Installation

Quote
Artix Open-RC Encrypted Drives With XFCE and hardened-kernel UEFI Installation Instructions
General Notes
I know there is a 'better way' to encrypt swap partition. I've found it to be unreliable, this method is stable.
I know that GRUB 'supports' booting from encrypted boot. I've also found this to be unreliable.
If someone is aware of a way to encrypt the boot partition, and have it actually work, I'd appreciate your feedback. This is a fairly large hole.
This guide is not and end all be all to security. However, we are one step ahead by not using SystemD (which is probably why you're here)
We further are protected if you follow this guide as we remove sudo, as well as running XFCE rootless in a very easy way.
If your passwords are weak, then so is your system security.
This guide simply prepares you for making a secure system, it is not an end-all-be-all solution, and writing more security features after post-install is redundant due to availability of other guides/wikis.

*Read through this and make sure you understand it before following it*
***You will lose ALL data on partitions you work with, a backup of important data is recommended***


Lastly, I recommend doing this procedure from Artix Desktop Environment image, this will make copying and pasting UUID's much less burdensome. I've also assumed you've verified the image file after download, and have already partitioned your drives in the way you want them using gparted or cfdisk or fdisk or... you get the idea.

Let's Begin:

-- Wipe Drives
(not /boot *this is required if the drive started empty or not*)
1. Create temp container

Use lsblk to see your devices and their UUIDs, you will probably need this command a few times.
Code: [Select]
lsblk -o +UUID

Code: [Select]
cryptsetup open --type plain -d /dev/urandom /dev/<block-device> to_be_wiped
(root, home, swap, other partitions not boot)

2. Wipe Containers
Code: [Select]
dd bs=1M if=/dev/zero of=/dev/mapper/to_be_wiped status=progress
(this command can take A LONG TIME, be patient)

3. Close Containers
Code: [Select]
cryptsetup close /dev/mapper/to_be_wiped
(all containers you wiped)

-- Encrypt excryptable partitions
(*not /boot, but can work for swap, infact I recommend it on swap*)
4. Encrypt

Code: [Select]
cryptsetup -v --type luks2 -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random -y luksFormat /dev/<block-device>

5. Open containers
Code: [Select]
cryptsetup open /dev/<block-device> <target>
(all containers, except, you guessed it boot)

Quote
***example***
cryptsetup open /dev/sdXy cryptRoot
cryptsetup open /dev/sdXy cryptHome
cryptsetup open /dev/sdXy cryptSwap

-- Get ready to install
6. Format Filesystems
Code: [Select]
mkfs.(filesystem) /dev/mapper/<target>
OR
Code: [Select]
mkswap /dev/mapper/<target-swap>

Quote
***example***
mkfs.ext4 /dev/mapper/cryptRoot
mkfs.ext4 /dev/mapper/cryptHome
mkswap /dev/mapper/cryptSwap
(only perform below on totally fresh install, do not format boot if you are dual booting)
mkfs.fat -F 32 /dev/sdXy

7. Mount Filesystems (example for UEFI)
Code: [Select]
swapon /dev/mapper/<target-swap>
AND
Code: [Select]
mount /dev/mapper/<target> /mnt/
--- OR ---
Code: [Select]
mount /dev/mapper/<target> /mnt/<target>

Quote
:::example:::
swapon /dev/mapper/cryptSwap
mount /dev/mapper/cryptRoot /mnt
mkdir /mnt/home; mkdir /mnt/boot
mount /dev/mapper/cryptHome /mnt/home
mount /dev/sdXy /mnt/boot

-- Install System
8. Use basestrap to install a minimal system
Code: [Select]
basestrap /mnt base base-devel openrc linux-hardened linux-firmware elogind-openrc networkmanager-openrc cryptsetup-openrc grub os-prober efibootmgr vim nano

9. Generate fstab
Code: [Select]
fstabgen -U /mnt >> /mnt/etc/fstab

#(cat /mnt/etc/fstab) check /fstab for errors, rare, but occassional errors occur, I find using UUID's a little irrelevent as they will be ID'd by UUID by dmcrypt.conf, however for /boot by UUID is excellent)

-- Configure System To Boot
10. chroot into new system
Code: [Select]
artools-chroot /mnt

11. set your time/zone
Code: [Select]
ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
Code: [Select]
hwclock --systohc

12. Generate locale
Edit locale.gen and uncomment your locale
Code: [Select]
nano /etc/locale.gen

Then run locale-gen
Code: [Select]
locale-gen
Edit locale.conf and add the two lines below (change for your region)
Code: [Select]
nano /etc/locale.conf

Quote
export LANG="en_US.UTF-8"
export LC_COLLATE="C"


13. Network Config
Edit hostname and add your hostname.
Code: [Select]
nano /etc/hostname

Quote
hostname
Edit hosts to read like below
Code: [Select]
nano /etc/hosts
Quote
127.0.0.1 localhost
::1 localhost
127.0.1.1 hostname.localdomain hostname

14. Initcpio Config
Code: [Select]
nano /etc/mkinitcpio.conf
Add "encrypt" to hooks after udev
Then regenerate initcpio
Code: [Select]
mkinitcpio -p linux-hardened

15. Grub Config
Add "cryptdevice=device:dmname" to GRUB_CMDLINE_LINUX_DEFAULT
Code: [Select]
nano /etc/default/grub
Quote
***example***
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=/dev/disk/by-uuid/<root container UUID>:cryptRoot

16. Install Grub
Code: [Select]
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
Code: [Select]
grub-mkconfig -o /boot/grub/grub.cfg

17. Generate Keys For Other partitions
#store keys on root partition only.
Code: [Select]
dd bs=512 count=4 if=/dev/random of=/path/to/key iflag=fullblock
chmod 600 /path/to/key

Quote
***example***
dd bs=512 count=4 if=/dev/random of=/etc/keyFile iflag=fullblock
chmod 600 /etc/keyFile

18. Configure non-root partitions to use keyfile
Code: [Select]
cryptsetup luksAddKey /dev/<block-device> /path/to/key
***do not do this to ROOT (most probably just do it on swap and home)***

Quote
***example***
cryptsetup luksAddKey /dev/sdX3 /etc/keyFile
cryptsetup luksAddKey /dev/sdXy /etc/keyFile

19. Configure dmcrypt
Code: [Select]
nano /etc/conf.d/dmcrypt

Use encrypted container /dev/<device-block> UUID, NOT the /dev/mapper/<target> UUID

Quote
***example***
## Definition for /dev/mapper/cryptSwap
target=cryptSwap
source=UUID="abcde123-1234-wxyz-5678-fghijk567890"
key=/etc/keyFile

## Definition for /dev/mapper/cryptHome
target=cryptHome
source=UUID="<UUID>"
key=/etc/keyFile

## Mind the empty line rule and make sure the last line is empty


20. Configure fstab
If you overrode fstab or it had errors and set up fstab with /dev/mapper/<target>, instead of UUID, ensure /dev/mapper/<target> is the same as what you set above. Else just confirm that the UUID listed does indeed match like it should to /dev/mapper/<target>

21. Set rc-update services to run
Code: [Select]
rc-update add dmcrypt sysinit
rc-update add NetworkManager default

22. Remove sudo, add opendoas
# I suspect many fueds over the validity of this, so consider this, and following configuration of opendoas as optional. Many aurhelpers are built with sudo dependency. I don't care as I do not use the AUR often enough to require a helper. #
Code: [Select]
pacman -R sudo
pacman -S opendoas
You will use doas instead of sudo

23. Configure opendoas
Code: [Select]
nano /etc/doas.conf 
Quote
permit persist :wheel

24. Set root password and make admin/doas user
Replace NEWSUPERUSERNAME with your desired username.
Code: [Select]
passwd
useradd -m -G wheel NEWSUPERUSERNAME
passwd NEWSUPERUSERNAME

25. Reboot
Code: [Select]
exit
poweroff now
*Remove Boot Media*
*Turn on Computer*

-- First Boot

26. Everything Should Be Working Just Great.
Double check all drives are mounted, and swap is being used.
IF, AND ONLY IF IT ISN'T here is how you can troubleshoot it
Start by checking "ls /dev/mapper" and making sure the names correspond to /etc/fstab
If devices are NOT in /dev/mapper, then you need to edit /etc/conf.d/dmcrypt

27. Install a display environment.
I like xfce4, so that is what this guide will use.
I prefer to use a display manager.
All greeters launch X as root except GDM.
I could use Plasma or Gnome under wayland....
But, alas I dislike Gnome and Plasma is spyware, so...
Code: [Select]
doas pacman -Syu displaymanager-openrc elogind-openrc xfce4 gdm
doas rc-update add xdm default
doas nano /etc/conf.d/xdm
Edit xdm to gdm
Code: [Select]
doas shutdown -r now

-- Second Boot
When PC reboots you should be welcomed by GDM, make sure to select your desktop environment before logging in or you will be booted into Gnome.

28. Verify xorg is running as user
Code: [Select]
ps -o user $(pgrep Xorg)
If it says root, you lose. If it says user, you've followed my haphazard instructions well!

29. Now run through step by step the Arch Security Wiki, hardening your system
--Personal Notables
-CPU microcode & other CPU vulns
-Login lockout and timers
-Disable root login universally
-Mandatory access control such as SELinux
-Sandboxing (bubblewrap)
-Set up firewalls / possibru VPN/tor
-Default file permissions
-Make sure uefi has password
-Password protect grub entries
-Protect from usb
-Autologout
-DNS Security

30. Configure and use your system elsewhere as desired
--Personal Notables
-Bash Tab Completion
-Display driver
-Browser (firefox conigured properly or just Pale Moon)
-Fonts and Media Codecs
-vim plugins
-Theme xfce

99. Enjoy Your System


 

Re: Artix Open-RC Encrypted Drives With XFCE and hardened-kernel UEFI Installation

Reply #1
thanks, this is going to come in handy