Full disk encryption with Arch Linux footnotes

Pavel Kogan has an excellent guide to install Arch Linux with full disk encryption. I’ve taken the liberty of copying the instructions, adding a couple tweaks:

  1. Boot the Arch Linux installation medium.
  2. Run these commands (you may want to use different sizes for the swap and root volumes):
    parted -s /dev/sda mklabel msdos
    parted -s /dev/sda mkpart primary 2048s 100%
    parted -s /dev/sda set 1 boot on
    cryptsetup luksFormat /dev/sda1
    cryptsetup luksOpen /dev/sda1 lvm
    pvcreate /dev/mapper/lvm
    vgcreate vg /dev/mapper/lvm
    lvcreate -L 4G vg -n swap
    lvcreate -L 15G vg -n root
    lvcreate -l +100%FREE vg -n home
    mkswap -L swap /dev/mapper/vg-swap
    mkfs.ext4 /dev/mapper/vg-root
    mkfs.ext4 /dev/mapper/vg-home
    mount /dev/mapper/vg-root /mnt
    mkdir /mnt/home
    mount /dev/mapper/vg-home /mnt/home
  3. Go through the software installation steps of the installation guide, skipping the Initramfs and Boot loader steps.
  4. Install GRUB: pacman --sync --noconfirm grub
  5. In /etc/mkinitcpio.conf:
    • Change the line starting with FILES= to FILES="/crypto_keyfile.bin"
    • On the line starting with HOOKS= add lvm2 encrypt just before filesystems.
  6. Find the UUID of /dev/sda1 by running basename "$(find -L /dev/disk/by-uuid -samefile /dev/sda1)"
  7. In /etc/default/grub:
    • Change the line starting with GRUB_CMDLINE_LINUX= to GRUB_CMDLINE_LINUX="cryptdevice=UUID=[UUID]:lvm", replacing [UUID] with your own.
    • Add a line with GRUB_ENABLE_CRYPTODISK=y
  8. Run these commands:
    dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
    cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
    chmod 000 /crypto_keyfile.bin
    chmod -R 700 /boot
    mkinitcpio -p linux
    grub-mkconfig -o /boot/grub/grub.cfg
    grub-install --target=i386-pc /dev/sda
  9. If necessary, set up your BIOS to allow booting in CSM mode.

It also required me to enter the password using a QWERTY keymap. The instructions to add an alternative keymap to GRUB are rather involved, but I’ll try to write them up if I go through with it.
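A read-only check of the files touched in steps 5 to 8, meant to be run before the first reboot. This is an added example, not part of the original guide; the function name check_fde and its argument order are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original guide. Paths are arguments so the
# check can be run on the live files or on copies of them.
#
# check_fde MKINITCPIO_CONF GRUB_DEFAULT KEYFILE LUKS_UUID BOOT_DIR
# Prints one line per problem; the return status is the number of problems.
check_fde() {
    conf=$1 grub=$2 key=$3 uuid=$4 boot=$5 bad=0
    fail() { echo "FAIL: $1"; bad=$((bad + 1)); }

    # Step 5: the keyfile must be embedded in the initramfs.
    grep -Eq '^FILES=["(]?[^#]*/crypto_keyfile\.bin' "$conf" ||
        fail "FILES does not include /crypto_keyfile.bin"

    # Step 5: lvm2 and encrypt must both come before filesystems.
    order=$(sed -n 's/^HOOKS=//p' "$conf" | tail -n 1 | tr -d '()"' | awk '{
        for (i = 1; i <= NF; i++) pos[$i] = i
        if (pos["lvm2"] && pos["encrypt"] && pos["filesystems"] &&
            pos["lvm2"] < pos["filesystems"] &&
            pos["encrypt"] < pos["filesystems"]) print "ok"
    }')
    [ "$order" = ok ] || fail "HOOKS: lvm2 and encrypt must precede filesystems"

    # Step 7: GRUB must name the real container, not the "[UUID]" placeholder.
    grep -q "^GRUB_CMDLINE_LINUX=.*cryptdevice=UUID=${uuid}:lvm" "$grub" ||
        fail "GRUB_CMDLINE_LINUX lacks cryptdevice=UUID=${uuid}:lvm"
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$grub" ||
        fail "GRUB_ENABLE_CRYPTODISK=y is not set"

    # Step 8: the keyfile must exist with mode 000 ...
    [ "$(ls -ld "$key" 2>/dev/null | cut -c2-10)" = "---------" ] ||
        fail "$key is missing or its mode is not 000"
    # ... and /boot, which holds the initramfs containing a copy of the
    # key, must grant nothing to group or other.
    [ "$(ls -ld "$boot" 2>/dev/null | cut -c5-10)" = "------" ] ||
        fail "$boot is missing or accessible to group/other"

    return "$bad"
}

# Usage inside the installed system, with the UUID found in step 6:
#   check_fde /etc/mkinitcpio.conf /etc/default/grub /crypto_keyfile.bin "$uuid" /boot
```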

Awesomely slim Linux desktop setup

Welcome, weary traveler. I sense you have become frustrated with your distribution of choice, for incessantly reinventing the wheel, trying to adopt all the worst practices of Apple and Microsoft, providing poor documentation and/or really supporting only the most basic of setups. Fear not, for there are lightweight, flexible, well-documented no-nonsense alternatives available.

A combination of Ubuntu nausea and a harddisk crash gave me the necessary kick in the ass to set up Arch Linux, SLiM and awesome yesterday. Rather than reiterate a bunch of commands and copy-pasteable configuration which would be obsolete in an Internet day, I’ll point you to the documentation and some resulting user configuration:

My current configuration:

Guest uploader setup script

Just slammed together a script to add users and give them access to the “upload” user directory.

Edit: Sorry for the updates, it turned out the first version was not optimal.

#!/bin/sh

# Usage: uploader [username ...]

error()
{
	# Print the message (in red when stderr is a terminal), then abort
	if test -t 2
	then
		tput setf 4 >&2
		echo "$1" >&2
		tput setf 7 >&2
	else
		echo "$1" >&2
	fi
	exit 1
}

# The shared "upload" account is always processed first
users="upload $*"

for user in $users
do
	# Create user if necessary
	if ! id "$user" >/dev/null 2>&1
	then
		useradd --groups upload --comment "Upload user" "$user" && \
		echo "Created upload user '${user}'." || \
		error "Could not create upload user '${user}'."
	fi
done

# Disable upload password
usermod --lock upload

# Files
chown -R upload:upload ~upload || \
error "Could not change owner of upload home dir"
chmod -R ug+rwX,o= ~upload || \
error "Could not change rights of upload home dir"

Subversion server using HTTPS on Ubuntu Hardy setup

Yay, it’s up and running! And here are the steps to do it, mostly copied directly from the shell as I ran them. In any case, it may or may not work for you, so make sure you check with the proper documentation if anything fails.

By the way: Back up old repositories if you have any!

  1. Install the software:
    sudo apt-get install apache2 libapache2-svn openssl ssl-cert subversion
    
  2. Create directory for server certificates:
    sudo mkdir /etc/apache2/certs
    
  3. Create password-free SSL certificate (remember what you put as “Host Name” for the next step):
    sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/certs/server.pem
    
  4. Add the Apache certificate settings to /etc/apache2/httpd.conf (use the “Host Name” value from the previous step instead of “example.org” to avoid a warning in /var/log/apache2/error.log):
    ServerName example.org
    SSLEngine on
    SSLCertificateFile /etc/apache2/certs/server.pem
  5. Enable Apache SSL module (necessary for HTTPS):
    sudo a2enmod ssl
    
  6. Create directory for Subversion repository files:
    sudo mkdir /var/lib/svn
    
  7. If you have any old repositories, copy them to /var/lib/svn/, and make sure the Apache user can read & write them:
    sudo chown -R www-data:www-data /var/lib/svn/
    
  8. Create Apache’s Subversion password file with one user (replace username with one of your choice):
    sudo htpasswd -c /etc/apache2/dav_svn.passwd username
    
  9. Uncomment the following lines in /etc/apache2/mods-available/dav_svn.conf to point Apache to your repositories:
    <Location /svn>
      DAV svn
      SVNParentPath /var/lib/svn
      AuthType Basic
      AuthName "Subversion Repository"
      AuthUserFile /etc/apache2/dav_svn.passwd
      Require valid-user
    </Location>
    
  10. Disable the default site (it clashes with the SSL settings somehow):
    sudo a2dissite default
    
  11. Restart Apache:
    sudo /etc/init.d/apache2 restart
    
  12. Test (replace repository_name with an existing repository name):
    svn co https://localhost/svn/repository_name
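
A check for steps 8 and 9, as an added example that is not part of the original post. It flags any uncommented <Location> block that enables DAV svn without AuthType, AuthUserFile and Require (a partly uncommented block), and a password file that users outside its owner and group can access. The function name audit_dav_svn is an assumption made here.

```shell
#!/bin/sh
# Added example, not from the original post.
#
# audit_dav_svn DAV_CONF PASSWD_FILE
# Prints one line per problem; the return status is the number of problems.
audit_dav_svn() {
    conf=$1 passwd=$2

    # Walk the uncommented <Location> blocks. A block that enables
    # "DAV svn" must also carry AuthType, AuthUserFile and Require.
    report=$(awk '
        /^[ \t]*#/ { next }                  # line is still commented out
        { line = tolower($0) }               # directives are case-insensitive
        line ~ /^[ \t]*<location[ \t]/ {
            path = $2; sub(/>$/, "", path)
            dav = type = file = req = 0
            next
        }
        line ~ /^[ \t]*dav[ \t]+svn/      { dav = 1 }
        line ~ /^[ \t]*authtype[ \t]/     { type = 1 }
        line ~ /^[ \t]*authuserfile[ \t]/ { file = 1 }
        line ~ /^[ \t]*require[ \t]/      { req = 1 }
        line ~ /^[ \t]*<\/location>/ {
            if (dav && !(type && file && req))
                print "FAIL: " path " serves DAV svn without full authentication"
        }' "$conf")
    if [ -n "$report" ]; then echo "$report"; fi
    bad=$(printf '%s' "$report" | awk 'END { print NR }')

    # The password hashes should not be accessible to "other" users.
    case $(ls -ld "$passwd" 2>/dev/null | cut -c8-10) in
        ---) ;;
        *) echo "FAIL: $passwd is missing or accessible to other users"
           bad=$((bad + 1)) ;;
    esac

    return "$bad"
}

# Usage with the paths from the steps above:
#   audit_dav_svn /etc/apache2/mods-available/dav_svn.conf /etc/apache2/dav_svn.passwd
```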
    

Sources: