Full disk encryption with Arch Linux footnotes

Pavel Kogan has an excellent guide to install Arch Linux with full disk encryption. I’ve taken the liberty of copying the instructions, adding a couple tweaks:

  1. Boot the Arch Linux installation medium.
  2. Run these commands (You may want to use different sizes for swap and root volumes):
    parted -s /dev/sda mklabel msdos
    parted -s /dev/sda mkpart primary 2048s 100%
    parted -s /dev/sda set 1 boot on
    cryptsetup luksFormat /dev/sda1
    cryptsetup luksOpen /dev/sda1 lvm
    pvcreate /dev/mapper/lvm
    vgcreate vg /dev/mapper/lvm
    lvcreate -L 4G vg -n swap
    lvcreate -L 15G vg -n root
    lvcreate -l +100%FREE vg -n home
    mkswap -L swap /dev/mapper/vg-swap
    mkfs.ext4 /dev/mapper/vg-root
    mkfs.ext4 /dev/mapper/vg-home
    mount /dev/mapper/vg-root /mnt
    mkdir /mnt/home
    mount /dev/mapper/vg-home /mnt/home
  3. Go through the software installation steps of the installation guide, skipping the Initramfs and Boot loader steps.
  4. Install GRUB: pacman --sync --noconfirm grub
  5. In /etc/mkinitcpio.conf:
    • Change the line starting with FILES= to FILES="/crypto_keyfile.bin"
    • On the line starting with HOOKS= add lvm2 encrypt just before filesystems.
  6. Find the UUID of /dev/sda1 by running basename "$(find -L /dev/disk/by-uuid -samefile /dev/sda1)"
  7. In /etc/default/grub:
    • Change the line starting with GRUB_CMDLINE_LINUX= to GRUB_CMDLINE_LINUX="cryptdevice=UUID=[UUID]:lvm", replacing [UUID] with your own.
    • Add a line with GRUB_ENABLE_CRYPTODISK=y
  8. Run these commands:
    dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
    cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
    chmod 000 /crypto_keyfile.bin
    chmod -R 700 /boot
    mkinitcpio -p linux
    grub-mkconfig -o /boot/grub/grub.cfg
    grub-install --target=i386-pc /dev/sda
  9. If necessary, set up your BIOS to allow booting in CSM mode.
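Steps 5 to 8 are easy to get subtly wrong, and a mistake only shows up at the next boot. The function below is an added example, not part of the original guide: it checks the edited files and the key file before you reboot. The function name and its three optional path arguments are assumptions made for illustration; it relies on GNU grep and stat, as shipped with Arch.

```shell
#!/bin/sh
# Added example: sanity-check the edits from steps 5-8 before rebooting.
# Paths default to the real files; pass copies as arguments to try it out.

check_fde_config() {
    mkinitcpio_conf=${1:-/etc/mkinitcpio.conf}
    grub_default=${2:-/etc/default/grub}
    keyfile=${3:-/crypto_keyfile.bin}
    rc=0

    # Step 5: the key file must be embedded in the initramfs.
    grep -Eq '^FILES=.*/crypto_keyfile\.bin' "$mkinitcpio_conf" ||
        { echo "FILES= does not list /crypto_keyfile.bin" >&2; rc=1; }

    # Step 5: lvm2 and encrypt must both appear before filesystems.
    hooks=$(grep -E '^HOOKS=' "$mkinitcpio_conf" | tail -n 1)
    for hook in lvm2 encrypt; do
        case $hooks in
            *"$hook"*filesystems*) ;;
            *) echo "HOOKS= lacks $hook before filesystems" >&2; rc=1 ;;
        esac
    done

    # Step 7: GRUB must open the LUKS container and name it for the kernel.
    grep -Eq '^GRUB_ENABLE_CRYPTODISK=y' "$grub_default" ||
        { echo "GRUB_ENABLE_CRYPTODISK=y is missing" >&2; rc=1; }
    grep -Eq '^GRUB_CMDLINE_LINUX=.*cryptdevice=UUID=[0-9a-fA-F-]{36}:lvm' "$grub_default" ||
        { echo "cryptdevice=UUID=...:lvm missing, or [UUID] not replaced" >&2; rc=1; }

    # Step 8: key file is 4 x 512 = 2048 bytes with no permission bits set.
    # stat is used for the size because a mode-000 file cannot be read.
    if [ -f "$keyfile" ]; then
        [ "$(stat -c %s "$keyfile")" -eq 2048 ] ||
            { echo "$keyfile is not 2048 bytes" >&2; rc=1; }
        [ "$(stat -c %a "$keyfile")" = "0" ] ||
            { echo "$keyfile should be mode 000" >&2; rc=1; }
    else
        echo "$keyfile not found" >&2; rc=1
    fi
    return $rc
}
```

Run check_fde_config as root inside the installed system; it prints one line per problem and returns non-zero if any check fails.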

It also required me to enter the password using a QWERTY keymap. The instructions to add an alternative keymap to GRUB are rather involved, but I’ll try to write them up if I go through with it.


Awesomely slim Linux desktop setup

Welcome, weary traveler. I sense you have become frustrated with your distribution of choice, for incessantly reinventing the wheel, trying to adopt all the worst practices of Apple and Microsoft, providing poor documentation and/or really supporting only the most basic of setups. Fear not, for there are lightweight, flexible, well-documented no-nonsense alternatives available.

A combination of Ubuntu nausea and a hard disk crash gave me the necessary kick in the ass to set up Arch Linux, SLiM and awesome yesterday. Rather than reiterate a bunch of commands and copy-pasteable configuration which would be obsolete in an Internet day, I’ll point you to the documentation and some resulting user configuration:

My current configuration:

A superior Linux experience with Awesome

Awesome actually lives up to its name. Short and sweet, here’s why you should try it:

  • It’s instantaneous. Always.
  • Exactly one word which is confusing to newbies: “Tags”, collections of windows, marked on top of the screen with numbers 1 through 9. Think of them as Delicious/Flickr/Twitter tags for your windows, because that’s exactly what they are. These are central to the genius of Awesome.
  • Automatically resizes windows to fit the screen without overlap. This is a truly powerful little time saver.
  • Intuitive keyboard shortcuts:
    • Windows + f to toggle fullscreen.
    • Windows + m to toggle maximize.
    • Windows + number to show only that tag number.
    • Windows + Left and Windows + Right to switch tags. And yes, it rolls around.
    • Windows + Enter to run a command.
    • Many more for those who want to use the keyboard.
  • Intuitive mouse controls:
    • Left click a tag to show the windows with that tag.
    • Right click a tag to toggle a tag. This means that in a single click you can show or hide the browser window when working with your editor.
    • Windows + left click on a tag to move the current window there.
    • Windows + right click on a tag to add/remove the current window there.
    • Windows + left click and drag to move windows.
    • Windows + right click and drag to resize windows. This is extra cool with many windows, since they all resize at the same time.
  • One set of tags per monitor. Of course you can drag windows between them.

Even so, as a beginner a few tricks are worth keeping in mind:

  • Configuration:
    • Lua code means enormous flexibility, but can be daunting if you’re not a programmer. However, Lua is relatively easy to learn.
    • Verify your changes work by running awesome --check before restarting Awesome. Don’t worry, if it doesn’t work you’ll just get the default configuration (unless you created an infinite loop :).
    • You don’t have to log out to try a new configuration; simply press Windows + Ctrl + r.
    • The wiki has lots of tips and tricks.
    • The evolution of a working configuration can be instructive (even if it’s from a newbie).
  • The keyboard and mouse buttons have unfamiliar names in the documentation, for historical and technical reasons. A glossary:
    • Button1 = Left mouse
    • Button2 = Right mouse
    • Button3 = Middle mouse
    • Mod4 = Windows

Guest uploader setup script

Just slammed together a script to add users and give them access to the “upload” user directory.

Edit: Sorry for the updates, it turned out the first version was not optimal.

#!/bin/sh

# Usage: uploader [username ...]

error()
{
	# Colour the message only when stderr is a terminal
	if test -t 2
	then
		tput setf 4 >&2
		echo "$1" >&2
		tput setf 7 >&2
	else
		echo "$1" >&2
	fi
	exit 1
}

users="upload $*"

for user in $users
do
	# Create user if necessary
	if ! id "$user" >/dev/null 2>&1
	then
		if useradd --groups upload --comment "Upload user" "$user"
		then
			echo "Created upload user '${user}'."
		else
			error "Could not create upload user '${user}'."
		fi
	fi
done

# Disable upload password
usermod --lock upload

# Files
chown -R upload:upload ~upload || \
error "Could not change owner of upload home dir"
chmod -R ug+rwX,o= ~upload || \
error "Could not change rights of upload home dir"

Howto: Timelapse video from photos

It’s amazing what shell tools can do: Flickr accepts HD video (720p, or max 1280×720) up to 30 FPS, so I tried to create one within those limits from the high resolution photos from today’s sunrise. Turns out to be incredibly easy with free tools on Linux:

  1. Resize to 720 pixels height (if your images are still wider than 1280 you’ll have to replace x720 with 1280, without the “x”): mogrify -resize x720 *
  2. Find the width of the images, and plug that into the following command instead of 1080.
  3. Create the video: mencoder mf://* -mf w=1080:h=720:fps=30:type=jpg -ovc copy -oac copy -o output.avi

The result

Automatic backups to remote machine

Update: SSH public key authentication isn’t supported on the system I want to back up to, so I’ve changed the procedure to create a cron job on the server instead of the client.

Backups are nice, but they can be a royal pain to set up and verify, and there are a lot of tools available. Here’s the simplest recipe I could make using standard GNU/Linux tools. I’m no security or Linux expert, so don’t expect any guarantees, and verify anything you’re not sure about.

Text like this should be replaced by values relevant for your situation.

Log in to the server:
ssh backup_server

Create SSH keys without password:
ssh-keygen -P "" -f ${HOME}/.ssh/backup_id

Verify that the file was created:
ls ${HOME}/.ssh/backup_id

Copy the public key to the client machine:
ssh-copy-id -i ${HOME}/.ssh/backup_id user@client

Verify that you can log in without providing a password:
ssh -i ${HOME}/.ssh/backup_id user@client

Open crontab (CERN users, please see below):
crontab -e

Add the following to the file, save and exit:
@midnight ssh -i ${HOME}/.ssh/backup_id user@client "tar zcf - backup_directory" > ${HOME}/backup/$(date --iso-8601).tar.gz

CERN specific crontab setup on LXPlus:
acrontab -e
0 0 * * * lxplus ssh -i ${HOME}/.ssh/backup_id user@client "tar zcf - backup_directory" > ${HOME}/backup/$(date --iso-8601).tar.gz

Verify that backups are created:
ls -la ${HOME}/backup/
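
Two weak points of the procedure above are that the password-less key can run anything on the client, and that the cron line's redirect creates the .tar.gz even when ssh or tar fails. The two functions below are an added example, not part of the original post: one prints an authorized_keys entry that pins the key to the backup command, the other checks that an archive is actually usable. The function names are assumptions, backup_directory is the page's placeholder, and the directory name is assumed to contain no double quotes.

```shell
#!/bin/sh
# Added example; names and paths follow the placeholders used on this page.

# Print an authorized_keys entry that limits the password-less key to the
# one tar command the cron job runs. "restrict" (OpenSSH 7.2 and later)
# turns off PTY allocation and port, agent and X11 forwarding for this key.
restricted_key_line() {
    pubkey_file=$1
    backup_dir=$2
    printf 'restrict,command="tar zcf - %s" %s\n' \
        "$backup_dir" "$(cat "$pubkey_file")"
}

# Succeed only if the archive is a complete gzip stream holding at least
# one tar entry. A file that merely exists in "ls" output proves nothing,
# because ">" creates it before ssh has transferred a single byte.
verify_backup() {
    archive=$1
    [ -s "$archive" ] ||
        { echo "$archive: missing or empty" >&2; return 1; }
    gzip -t "$archive" 2>/dev/null ||
        { echo "$archive: truncated or corrupt gzip stream" >&2; return 1; }
    entries=$(tar -tzf "$archive" 2>/dev/null | wc -l)
    [ "$entries" -gt 0 ] ||
        { echo "$archive: no files inside" >&2; return 1; }
    echo "$archive: ok, $entries entries"
}
```

The line printed by restricted_key_line replaces the entry that ssh-copy-id appended to ~/.ssh/authorized_keys on the client; from then on that key always runs the tar command, whatever the caller asks for.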

Please comment if you have any suggestions to improve the procedure, preferably with code or shell output.

Sources:

  • Passwordless logins: 1, 2, 3
  • RSA vs DSA: 1, 2
  • man pages