Qubes OS Installation - BTRFS w/ Detached encrypted boot and header

Continuing the discussion from Qubes OS Installation - Detached encrypted boot and header:

In the above thread I used xfs with uefi + gpt.
Here I will be using mbr + bios with btrfs and blake2 checksums.

Keep in mind that below are the disks I used in the tutorial; you can use 2 flashdrives (1 boot, 1 header) + 1 hdd or whatever you want.

And btw I don't detach the swap partition, though I think you should. Do write it out to /dev/sdb3 if you want.

Take this as additional challenge :slight_smile:

I use a different cipher for each partition: root with aes-xts, swap with serpent-xts and boot with twofish-xts; you can go with aes-xts for better performance.

/dev/sda = system
/dev/sdb = flashdrive

Don't forget to change the boot order, so the flashdrive boots first.

Please watch out for any space, slash or period in the commands issued / files. IT REALLY MATTERS.


  • After booting into the installation, in the language section, press ctrl + alt + f2

—# WARNING CONFIRM YOUR DISK FIRST BEFORE EXECUTING COMMAND

[anaconda /] dd if=/dev/urandom of=/dev/sda bs=1M status=progress
[anaconda /] dd if=/dev/urandom of=/dev/sdb bs=1M status=progress

Using /dev/urandom will take longer than /dev/zero but is more secure.

[anaconda /] fdisk /dev/sda
—# root partition
n
p
1
(enter)
+36GiB

—# swap partition
n
p
2
(enter)
(enter) #4GiB for swap

w


  • Create 2 or 3 partitions on the usb drive.

[anaconda /] fdisk /dev/sdb
—# boot partition
n
p
1
(enter)
+1GiB

—# header partition
n
p
2
(enter)
+30MiB

—# you can create a 3rd partition for additional use (whatever it is) / or just use 2 partitions
n
p
3
(enter)
(enter)

w


My block device after partitioning :


—# I use iter time 1 to speed up the decrypt process; you should increase it in a real installation, see 5.13 for details.
[anaconda /] cryptsetup -c aes-xts-plain64 -h sha512 -s 512 -y -i 1 --use-random luksFormat /dev/sda1
[luks prompt /] YES
[luks prompt /] (enter password)
[luks prompt /] (verify password)
[anaconda /] cryptsetup -c serpent-xts-plain64 -h sha512 -s 512 -y -i 1 --use-random luksFormat /dev/sda2
[luks prompt /] YES
[luks prompt /] (enter password)
[luks prompt /] (verify password)
[anaconda /] cryptsetup luksOpen /dev/sda1 luksroot
[luks prompt /] (enter password)
[anaconda /] cryptsetup luksOpen /dev/sda2 luksswap
[luks prompt /] (enter password)

[anaconda /] mkfs.btrfs --csum blake2b -L qubes_dom0 -d single /dev/mapper/luksroot
[anaconda /] mkswap /dev/mapper/luksswap


  • Back to the gui with ctrl + alt + f6.
  • Choose language, timezone, user, and lastly storage.
  • Click refresh on the bottom right and rescan disks.
  • Select disks sda and sdb; storage configuration is Advanced Custom (Blivet-GUI), click done.

—# /dev/sda

  • Right click qubes_dom0 > new > name = root, mountpoint = /

—# /dev/sdb

  • Right click on sdb1 > edit > format to ext2 / ext4 and set mountpoint to /boot, leave name as none.

  • Click done, and this is the Summary of Changes

  • Click done and begin installation.
  • After completion, switch back to shell with ctrl + alt + f2

My block device after installing :


[anaconda /] chroot /mnt/sysroot/
[anaconda /] mount -oremount,ro /boot
[anaconda /] install -m0600 /dev/null /tmp/boot.tar
[anaconda /] tar -C /boot --acls --xattrs --one-file-system -cf /tmp/boot.tar .
[anaconda /] umount /boot
—# WARNING CONFIRM YOUR DISK FIRST BEFORE EXECUTING COMMAND
[anaconda /] dd if=/dev/urandom of=/dev/sdb1 bs=1M
[anaconda /] cryptsetup -c twofish-xts-plain64 -h sha512 -s 512 -y -i 1 --use-random --type luks1 luksFormat /dev/sdb1 # luks1 so grub can open /boot
[luks prompt /] YES
[luks prompt /] (enter password)
[luks prompt /] (verify password)
—#
[anaconda /] uuidR="$(blkid -o value -s UUID /dev/sda1)" # root device
[anaconda /] uuidB="$(blkid -o value -s UUID /dev/sdb1)" # boot device
[anaconda /] uuidS="$(blkid -o value -s UUID /dev/sda2)" # swap device
[anaconda /] cryptsetup luksOpen /dev/sdb1 luks-$uuidB
[anaconda /] mkfs.ext2 -m0 -U $uuidB /dev/mapper/luks-$uuidB


—# Configure fstab

  • Change UUID=… on the boot and root lines to /dev/mapper/luks-(your $uuidR and $uuidB)
  • Add swap and leave the rest at the default values


[anaconda /] mount -v /boot
[anaconda /] tar -C /boot --acls --xattrs -xf /tmp/boot.tar

—# Configure grub
[anaconda /] echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub

In GRUB_CMDLINE_LINUX delete all of the rd.luks… entries, then add cryptdevice=$uuidB:luks-$uuidB. In my case this is my final GRUB_CMDLINE_LINUX line:

GRUB_CMDLINE_LINUX="cryptdevice=aa7332a5-e4ac-442c-9328-cdbd4a0b42e8:luks-aa7332a5-e4ac-442c-9328-cdbd4a0b42e8 plymouth.ignore-serial-consoles i915.alpha_support=1 rd.driver.pre=btrfs rhgb quiet"

—# create luks keys so we don't have to enter any password after grub
[anaconda /] mkdir -m0700 /etc/keys
[anaconda /] ( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/root.key conv=excl,fsync )
[anaconda /] ( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/boot.key conv=excl,fsync )
[anaconda /] ( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/swap.key conv=excl,fsync )
[anaconda /] cryptsetup luksAddKey /dev/sda1 /etc/keys/root.key
[luks prompt /] (system password)
[anaconda /] cryptsetup luksAddKey /dev/sda2 /etc/keys/swap.key
[luks prompt /] (swap password)
[anaconda /] cryptsetup luksAddKey /dev/sdb1 /etc/keys/boot.key
[luks prompt /] (boot password)
[anaconda /] cryptsetup luksHeaderBackup /dev/sda1 --header-backup-file header
—# WARNING CONFIRM YOUR DISK FIRST BEFORE EXECUTING COMMAND
[anaconda /] dd if=/header of=/dev/sdb2 bs=16M count=1 status=progress
[anaconda /] shred -uvz /header
[anaconda /] shred -uvz /tmp/boot.tar

—# Configure crypttab
[anaconda /] echo -e "luks-$uuidR /dev/sda1 /etc/keys/root.key luks,discard,key-slot=1,header=/dev/sdb2\nluks-$uuidS UUID=$uuidS /etc/keys/swap.key luks,key-slot=1\nluks-$uuidB UUID=$uuidB /etc/keys/boot.key luks,key-slot=1" > /etc/crypttab


—# Configure dracut
[anaconda /] echo -e 'add_dracutmodules+=" crypt "\ninstall_items+=" /etc/keys/*.key "' > /etc/dracut.conf.d/misc.conf

[anaconda /] vi /usr/lib/dracut/modules.d/90crypt/module-setup.sh

—# add the following inside install() of module-setup.sh; the $uuidR / $uuidB / $uuidS
—# variables from the install shell do not exist in this script, so paste the literal UUIDs
—# write a persistent device map at /etc/block_uuid.map in the generated initramfs
echo "/dev/sda1 $uuidR
/dev/disk/by-uuid/$uuidB $uuidB
/dev/disk/by-uuid/$uuidS $uuidS" > "${initdir}/etc/block_uuid.map"

—# write a persistent /etc/crypttab in the generated initramfs (I tried injecting /etc/crypttab into the initramfs but it doesn't match, so we rewrite it again)

echo "luks-$uuidR /dev/sda1 /etc/keys/root.key luks,discard,key-slot=1,header=/dev/sdb2
luks-$uuidB UUID=$uuidB /etc/keys/boot.key luks,key-slot=1
luks-$uuidS UUID=$uuidS /etc/keys/swap.key luks,key-slot=1" > "${initdir}/etc/crypttab"


[anaconda /] grub2-install --recheck /dev/sdb
[anaconda /] grub2-mkconfig -o /boot/grub2/grub.cfg
[anaconda /] dracut -v -f /boot/initramfs-*
[anaconda /] exit
[anaconda /] umount /mnt/sysroot/boot
[anaconda /] umount -l /mnt/sysroot
[anaconda /] umount -l /mnt/sysimage
[anaconda /] swapoff /dev/mapper/luksswap
[anaconda /] cryptsetup luksClose /dev/mapper/luksroot
[anaconda /] cryptsetup luksClose /dev/mapper/luks-$uuidB
[anaconda /] cryptsetup luksClose /dev/mapper/luksswap
[anaconda /] cryptsetup luksErase /dev/sda1
[luks prompt /] YES
[anaconda /] wipefs -a /dev/sda1


My block device after configuring everything :

[anaconda /] reboot


—# Screenshot

After update, everything still works.

6 Likes
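As an added pre-flight check for the header step (my own script, not part of the original post): before the `dd if=/header of=/dev/sdb2` line, it confirms that the backup file starts with a LUKS magic, that the UUID embedded in it matches the $uuidR captured with blkid, and that the file fits into the 30MiB header partition. The target size and the expected UUID are assumptions passed in by the caller.

```shell
#!/bin/sh
# Sanity-check a "cryptsetup luksHeaderBackup" file before writing it to the
# detached-header partition. Layout facts used: magic "LUKS\xba\xbe" at offset 0,
# big-endian version at offset 6, NUL-terminated UUID (40 bytes) at offset 168,
# identical for LUKS1 and LUKS2.

luks_header_version() {
    # Prints luks1 / luks2 for a primary LUKS header, "none" otherwise.
    hdr=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo luks1 ;;
        4c554b53babe0002) echo luks2 ;;
        *)                echo none ;;
    esac
}

luks_header_uuid() {
    # UUID field: 40 bytes at offset 168, padded with NULs.
    dd if="$1" bs=1 skip=168 count=40 2>/dev/null | tr -d '\000'
}

luks_header_check() {
    # $1 backup file, $2 target partition size in bytes, $3 expected LUKS UUID
    f=$1; target=$2; want=$3
    v=$(luks_header_version "$f")
    [ "$v" != none ] || { echo "$f: no LUKS header magic" >&2; return 1; }
    u=$(luks_header_uuid "$f")
    [ "$u" = "$want" ] || { echo "$f: header UUID $u, expected $want" >&2; return 2; }
    s=$(wc -c < "$f" | tr -d ' ')
    [ "$s" -le "$target" ] || { echo "$f: $s bytes exceed target $target" >&2; return 3; }
    echo "$f: $v header for $u, $s bytes, fits in $target"
}

# Usage inside the chroot from the post (blockdev is part of util-linux):
#   luks_header_check /header "$(blockdev --getsize64 /dev/sdb2)" "$uuidR"
```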

Send me your btc wallet address and I am buying you dinner for this. Thank you.

1 Like

@adw I couldn't find this as an enhancement issue, but it sounds like a great feature; other OSes (SuSe Tumbleweed, Endeavour OS [arch distro]) have this as default. Probably anti-evil-maid needs to be adjusted. Should I open one with a link to these posts or would that just spam the issue tracker?

I honestly don’t know how feasible it would be to integrate this into the installer. It seems highly likely that it would be a help wanted issue. TBH, it seems like one of those issues that’s likely to sit in the tracker for years without any volunteers, but you never know. Maybe someday. :slight_smile: Bearing in mind those caveats, feel free to open an enhancement issue, if you like!

I am more of an avid user and not able to put any bounty on anything.
Thank you for your estimation, and as long as there is no majority who would think it could contribute security I'll pass on opening new stale issues :slight_smile:

What do you mean by those OSes having this feature as default? You mean they detach the header when installing? Or just encrypt everything including boot?

Yeah, the encrypted boot partition. Sorry for the mixup.