Sunday morning playing with my Raspberry Pi :)
This post describes the steps that I did to encrypt my
~ directory with
Log in as root, then perform the following commands:
# mv /home/squallltt /home/squallltt.old
# mkdir -m 700 /home/squallltt
# chown squallltt:users /home/squallltt
# usermod -d /home/squallltt.old squallltt

# mkdir -p /home/.ecryptfs/squallltt/.Private
# chmod 755 /home/.ecryptfs
# chmod -R 700 /home/.ecryptfs/squallltt
# chown -R squallltt:users /home/.ecryptfs/squallltt
# ln -s /home/.ecryptfs/squallltt/.Private /home/squallltt/.Private
# chmod 500 /home/squallltt
# pacman -S ecryptfs-utils
# mount -t ecryptfs /home/squallltt/.Private /home/squallltt
Key type: passphrase
Passphrase: veryStrongPassphraseHere
Cypher: twofish
Key bytes: 32
Plaintext passthrough: no
Filename encryption: yes
Add signature to cache: yes
Then open file
vim and copy the last line to
The first line is originally from /etc/mtab, the second line is to be added to /etc/fstab with added user,noauto,exec. Replace the
/home/.ecryptfs/squallltt/.Private /home/squallltt ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=XXXXXXXXXXXXXXXX,ecryptfs_fnek_sig=XXXXXXXXXXXXXXXX,ecryptfs_cipher=twofish,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs 0 0
/home/.ecryptfs/squallltt/.Private /home/squallltt ecryptfs rw,user,noauto,exec,relatime,ecryptfs_fnek_sig=XXXXXXXXXXXXXXXX,ecryptfs_sig=XXXXXXXXXXXXXXXX,ecryptfs_cipher=twofish,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs 0 0
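The mtab-to-fstab edit described above, as an added shell example that is not part of the original post: the function name `mtab_to_fstab` and the hex signatures in the sample line are constructed for illustration. It drops `nosuid,nodev` because mount(8) documents that `user` already implies them together with `noexec`, which is why `exec` has to come after `user`.

```shell
#!/bin/sh
# Added example: derive the user-mountable /etc/fstab entry from the
# ecryptfs line that mount recorded in /etc/mtab.

# mtab_to_fstab LINE -> prints the fstab line; returns 1 if LINE is not
# an ecryptfs entry or is missing either key signature.
mtab_to_fstab() {
    printf '%s\n' "$1" | awk '
    $3 != "ecryptfs" { exit 1 }
    {
        n = split($4, opt, ",")
        keep = ""; sig = 0; fnek = 0
        for (i = 1; i <= n; i++) {
            o = opt[i]
            # Dropped: rw is re-added first; nosuid/nodev are implied by "user".
            if (o == "rw" || o == "nosuid" || o == "nodev") continue
            if (o == "user" || o == "noauto" || o == "exec") continue
            if (o ~ /^ecryptfs_sig=[0-9a-f]+$/) sig = 1
            if (o ~ /^ecryptfs_fnek_sig=[0-9a-f]+$/) fnek = 1
            keep = keep "," o
        }
        # Without both signatures a later "mount -i" cannot find the keys.
        if (!sig || !fnek) exit 1
        # "exec" must follow "user", because "user" implies noexec.
        printf "%s %s %s rw,user,noauto,exec%s 0 0\n", $1, $2, $3, keep
    }'
}

# Constructed sample line: the signatures are made-up hex, not real key IDs.
SAMPLE_MTAB='/home/.ecryptfs/squallltt/.Private /home/squallltt ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_fnek_sig=fedcba9876543210,ecryptfs_cipher=twofish,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs 0 0'

mtab_to_fstab "$SAMPLE_MTAB"
```
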
# touch /root/.ecryptfs/auto-mount
# ecryptfs-wrap-passphrase /root/.ecryptfs/wrapped-passphrase
Passphrase to wrap: [enter mount passphrase]
Wrapping passphrase: [enter user login password]
# umount /home/squallltt
Now, move the necessary files to desired place:
# mv /root/.ecryptfs /home/.ecryptfs/squallltt
# chown -R squallltt:users /home/.ecryptfs/squallltt/.ecryptfs
# ln -s /home/.ecryptfs/squallltt/.ecryptfs /home/squallltt/.ecryptfs
# pacman -S pam_mount
Now, proceed to edit file
# vim /etc/pam.d/system-auth

#%PAM-1.0

auth      required  pam_env.so
auth      required  pam_unix.so     try_first_pass nullok
#added 2 lines below
auth      optional  pam_mount.so
auth      required  pam_ecryptfs.so unwrap
auth      optional  pam_permit.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

#added 2 lines below
password  optional  pam_ecryptfs.so
password  optional  pam_mount.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

#added 1 line below
session   optional  pam_mount.so
session   required  pam_limits.so
session   required  pam_env.so
session   required  pam_unix.so
#added 1 line below
session   optional  pam_ecryptfs.so unwrap
session   optional  pam_permit.so
Now, mount the private home folder and copy the old content into the new private home folder, where it is encrypted on the fly:
# ecryptfs-insert-wrapped-passphrase-into-keyring /home/squallltt/.ecryptfs/wrapped-passphrase
Passphrase: [enter user login password]
# mount -i /home/squallltt
# rsync -aP /home/squallltt.old/ /home/squallltt/
Then, unmount the encrypted directory and change user's home folder:
# umount /home/squallltt
# usermod -d /home/squallltt squallltt
Finally, edit file /etc/security/pam_mount.conf.xml. Here are some changes:
...
<luserconf name=".pam_mount.conf.xml" />
...
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
<mntoptions require="nosuid,nodev" />
-->
...
<mntoptions require="" />
...
<mkmountpoint enable="1" remove="true" />
<lclmount>mount -i %(VOLUME) "%(before=\"-o\" OPTIONS)"</lclmount>
<volume noroot="1" fstype="ecryptfs" path="/home/.ecryptfs/squallltt/.Private" mountpoint="/home/squallltt"/>
The full content of my
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
    See pam_mount.conf(5) for a description.
-->
<pam_mount>

    <!-- debug should come before everything else,
    since this file is still processed in a single pass
    from top-to-bottom -->
    <debug enable="0" />

    <!-- Volume definitions -->

    <!-- pam_mount parameters: General tunables -->
    <luserconf name=".pam_mount.conf.xml" />

    <!-- Note that commenting out mntoptions will give you the defaults.
    You will need to explicitly initialize it with the empty string
    to reset the defaults to nothing. -->
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    <!--
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    <mntoptions require="nosuid,nodev" />
    -->
    <mntoptions require="" />

    <!-- requires ofl from hxtools to be present -->
    <logout wait="0" hup="0" term="0" kill="0" />

    <!-- pam_mount parameters: Volume-related -->
    <!--
    <volume user="squallltt" fstype="auto" path="/dev/sda2" mountpoint="/home" options="fsck,noatime" />
    -->
    <mkmountpoint enable="1" remove="true" />
    <lclmount>mount -i %(VOLUME) "%(before=\"-o\" OPTIONS)"</lclmount>
    <volume noroot="1" fstype="ecryptfs" path="/home/.ecryptfs/squallltt/.Private" mountpoint="/home/squallltt"/>

</pam_mount>
Reboot. Once logged in, you should see your encrypted home directory auto-mounted :)
By default, the Arch Linux ARM image for Raspberry Pi only has 2GB capacity. So in order to use the full capacity of my SD card (16GB), I have to re-size my root partition. Here is what I did.
First, back up my SD card using the dd command (this is done with the SD card plugged in to my laptop). Take note that sdc is my SD card device; you can find out your SD card's device name by using the lsblk -f command.
sudo dd if=/dev/sdc of=~/raspberrypi_backup_20130514.img
Show a list of the partitions available on your SD card:
Then the result should be something like this: (take note that: earlier I already created a data partition on
mmcblk0
mmcblk0p1
mmcblk0p2
mmcblk0p3
Then run the following command
# fdisk /dev/mmcblk0
p to list the partition table. Here is the result:
d to delete partition 3. Take note that we need to keep the Boot partition, which is number 1.
Now I'm able to resize the main partition:
n to create a new partition
p to set it as
2 for partition number.
First sector (which is the
Boot partition + 1
Last sector: hit Enter to use the default.
w to write changes.
Next reboot the Raspberry Pi
Resize new boot root partition
Once the Raspberry Pi has booted, log in as root and run this command:
# resize2fs /dev/mmcblk0p2
Sit back and relax until it's done.
Enjoy the full size of your new root partition :)
After spending a lot of time and effort tweaking Arch Linux on my main laptop, I decided to install it on a VirtualBox to be able to use it elsewhere, also to refresh myself on what I've done. In fact, I did another Arch Linux ARM installation on my Raspberry Pi with very similar configurations. I'm very happy that I now have a consistent working environment no matter where I go.
I have a short-term memory, so it would be nice to have a log of what I've done, just in case I need to refer to it in the future. In this post, I describe some of the steps I used to install Arch Linux on a VirtualBox machine, based on my preferences and knowledge. Most of the steps here are adopted from ArchWiki.
Partition, choose GPT
# cgdisk /dev/sda
Install the base
# pacstrap /mnt base
# genfstab -U -p /mnt >> /mnt/etc/fstab
# nano /mnt/etc/fstab
For my GPT-partitioned drive, GRUB needs a BIOS Boot Partition.
Setup GRUB BIOS on a GPT disk:
# modprobe dm-mod
# grub-install --recheck /dev/sda
# grub-mkconfig -o /boot/grub/grub.cfg
# pacman -S os-prober
Add new user and change password:
# useradd -m -g users -s /bin/bash squallltt
# passwd squallltt
Add new group squallltt for sudo:
# groupadd squallltt
Add user squallltt to group squallltt
# gpasswd -a squallltt squallltt
# pacman -S xorg
# pacman -S base-devel
# pacman -S virtualbox-guest-utils
Then, manually load the modules:
# modprobe -a vboxguest vboxsf vboxvideo
Create a file
# vi /etc/modules-load.d/virtualbox.conf
Then add these lines in that file:
vboxguest
vboxsf
vboxvideo
Add user squallltt to group
# gpasswd -a squallltt vboxsf
Add exception not to ask for password for those application in
$ sudo visudo -f /etc/sudoers
Then add this line:
squallltt ALL = PASSWD: ALL, NOPASSWD: /usr/bin/VBoxClient-all, /usr/sbin/ip, /usr/sbin/wpa_supplicant, /usr/sbin/dhcpcd, /usr/bin/truecrypt, /usr/bin/systemctl
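A check on the rule above, as an added shell example that is not part of the original post: in sudoers, a command listed without arguments may be run with any arguments, so the function lists every NOPASSWD command in that state (for `/usr/bin/systemctl` that means any unit operation without a password). The function name and `NARROWED_RULE` are constructed here; the narrowed variant covers only the two commands this page runs from ~/.xinitrc, and the parser handles only the single-line form shown on this page.

```shell
#!/bin/sh
# Added example: list NOPASSWD commands that accept arbitrary arguments.

# nopasswd_any_args LINE -> prints one command per line.
nopasswd_any_args() {
    printf '%s\n' "$1" | awk '
    {
        sub(/^[^=]*=[ \t]*/, "")            # drop the "user host =" part
        n = split($0, cmd, /[ \t]*,[ \t]*/)
        tag = "PASSWD"                      # sudoers default
        for (i = 1; i <= n; i++) {
            c = cmd[i]
            # A tag applies to its own command and to every later one.
            while (match(c, /^(NOPASSWD|PASSWD):[ \t]*/)) {
                tag = substr(c, 1, index(c, ":") - 1)
                c = substr(c, RLENGTH + 1)
            }
            sub(/[ \t]+$/, "", c)
            # An absolute path with no arguments matches any arguments.
            if (tag == "NOPASSWD" && c ~ /^\// && c !~ /[ \t]/) print c
        }
    }'
}

# The rule exactly as it appears on this page.
PAGE_RULE='squallltt ALL = PASSWD: ALL, NOPASSWD: /usr/bin/VBoxClient-all, /usr/sbin/ip, /usr/sbin/wpa_supplicant, /usr/sbin/dhcpcd, /usr/bin/truecrypt, /usr/bin/systemctl'

# Constructed variant: systemctl is pinned to the one invocation used in
# ~/.xinitrc, so sudo only skips the password for exactly these arguments.
NARROWED_RULE='squallltt ALL = PASSWD: ALL, NOPASSWD: /usr/bin/VBoxClient-all, /usr/bin/systemctl start vboxservice.service'

echo "page rule:";     nopasswd_any_args "$PAGE_RULE"
echo "narrowed rule:"; nopasswd_any_args "$NARROWED_RULE"
```
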
Start the sharing service and synchronise the guest date with the host: add the lines below to ~/.xinitrc
sudo VBoxClient-all &
sudo systemctl start vboxservice.service
Install the default environment for X:
# pacman -S xorg-twm xorg-xclock xterm
Install a better (than the default) font:
# pacman -S ttf-dejavu
With the basic base done, I can proceed to install the other applications that I need:
- Openbox for window manager
- irssi for IRC client
- and many more...
As promised to myself earlier, I would switch completely from Linux Mint 14 to Arch Linux after finishing my exam. In fact, I was so excited about (or I should say "addicted" to) Arch Linux that I installed it and did almost all the configuration stuff directly on my laptop before I finished the last paper.
The first Linux distro I ever tried was Ubuntu. It was friendly and easy enough to use that it didn't scare me off. But after using it for a while, I started to feel it was bloated in many ways. So I went on to look for a new distro. Linux Mint was a great replacement. It worked just fine on my machine. I have no complaints about it. After getting quite familiar with Linux Mint, I wanted to try something completely different, something simple that allows me to have full control over my system. Arch Linux turns out to be the best candidate in my opinion. I really like its philosophy and its awesome documentation. The tragedy was that I happened to learn about it just before my exam period. Of course I didn't want to break my system and have nothing to do my assignments and revision on. So I promised to hold my breath and wait till the exams were over. But in the end, the call of curiosity and the hunger for knowledge meant I couldn't wait any longer. I went ahead and installed it before the target date.
It's a great journey to learn Linux by getting my hands dirty in the terminal with Arch Linux. Really, I'm still pretty much a newbie after using Linux for about half a year, but after going through all the installation steps and solving many kinds of problems, from grub, Wi-Fi not working, no sound, to the video driver not working properly (this is the most irritating thing I have with NVIDIA Optimus; luckily the Bumblebee project works just nicely in my case)... I now have a better understanding of how Linux works (still, I'm a newbie to the wonderful world of Linux).
My aim is to build a simple and effective environment for my development and study. I chose Openbox (written by Dana Jansens) as a window manager due to its highly configurable nature and its simplicity. And so Openbox turned out to be an awesome choice to combine with the Arch base. The next thing was to choose a compositor. I don't want to install other fancy eye-candy stuff like Compiz, Conky, Cairo Compmgr etc... I just wanna have a little bit of an elegant desktop look. So I chose Xcompmgr. Those were pretty much what I needed as a base. Then I went on to install other applications that I prefer, adjust the theme and appearance, and do a lot of configuration to optimize my system.
Still, there are plenty of other things that I would need to do for my Arch machine. But right now I'm very happy with what I've done. I really love the idea of building my own operating system from scratch (of course this can't be compared to Gentoo) because by doing so, I've learned so much more. Arch Linux gives me exactly what I want, no more, no less (like other Archers have been saying).
The move to Arch is the move of FREEDOM.
The Arch way: KISS - Keep It Simple, Stupid.
All my Bayes are belong to Arch Linux.