Qubes OS Installation - Detached encrypted boot and header

Progress

Part 2 of Playing with qubes

This is a rewrite of my old notes, Qubes OS Installation - Detached encrypted boot and header.

This covers how to do it with XFS and Btrfs on dom0.

This is for UEFI only.

  • Prerequisites:

    • QubesOS installation medium.
    • 2 drives, one for root and one for the boot/EFI partitions, referred to below as:
      • Root = /dev/nvme0n1
      • Boot = /dev/sda
  • After booting the installer, at the language selection screen press Ctrl+Alt+F2 to enter tty2.

  • Wipe the drives used for the installation with random data.

    • dd if=/dev/urandom of=/dev/nvme0n1 bs=1M status=progress

    • dd if=/dev/urandom of=/dev/sda bs=1M status=progress

  • Create the boot, EFI and header partitions on /dev/sda (sda1, sda2 and sda3).

    • sgdisk -n 0:0:+200MiB -t 0:ef02 /dev/sda

    • sgdisk -n 0:0:+200MiB -t 0:ef00 /dev/sda

    • sgdisk -n 0:0:+16MiB -t 0:8309 /dev/sda

XFS

  • Create the LUKS container with custom parameters.

    • cryptsetup -c aes-xts-plain64 -h sha512 -s 512 -y -i 10000 luksFormat /dev/nvme0n1

    You may want to use -i 1 (a 1 ms PBKDF iteration time) to speed up unlocking while practising.

    • cryptsetup luksOpen /dev/nvme0n1 luks-root

    • pvcreate /dev/mapper/luks-root

    • vgcreate qubes_dom0 /dev/mapper/luks-root

    • lvcreate -L 8G -n swap qubes_dom0

    Read 8.2. Recommended system swap space if you are not sure how much swap space to allocate.

    • lvcreate -T -L 40G qubes_dom0/root-pool

    • lvcreate -T -l +90%FREE qubes_dom0/vm-pool

    • lvcreate -V30G -T qubes_dom0/root-pool -n root

    The thin volume cannot share the name of its pool, so the root LV is named root, which is what the installer expects.

    • lvs

    Check how much space is left in the vm-pool and size the vm LV accordingly.

    • lvcreate -V800G -T qubes_dom0/vm-pool -n vm

    • mkfs.xfs /dev/qubes_dom0/vm

    • mkswap /dev/qubes_dom0/swap

BTRFS

  • Create the root and swap partitions (p1 is root, p2 is an 8 GiB swap partition, matching the order in which they are formatted below).
    • sgdisk -n 0:0:-8GiB -t 0:8304 /dev/nvme0n1

    • sgdisk -n 0:0:0 -t 0:8200 /dev/nvme0n1

  • Create the LUKS containers with custom parameters.
    • cryptsetup -c aes-xts-plain64 -h sha512 -s 512 -y -i 10000 luksFormat /dev/nvme0n1p1

    • cryptsetup -c serpent-xts-plain64 -h sha512 -s 512 -y -i 10000 luksFormat /dev/nvme0n1p2

    • cryptsetup luksOpen /dev/nvme0n1p1 luks-root

    • cryptsetup luksOpen /dev/nvme0n1p2 luks-swap

    • mkfs.btrfs --csum blake2b -L qubes_dom0 -d single /dev/mapper/luks-root

    • mkswap /dev/mapper/luks-swap

Proceed with the GUI installation

Video / Pict ?

Begin installation.

  • After the installation, go back to tty2

    • cp -r /usr/lib/grub/x86_64-efi /mnt/sysroot/boot/efi/EFI/qubes/

    • chroot /mnt/sysroot/

    • mount -oremount,ro /boot

    • install -m0600 /dev/null /tmp/boot.tar

    • tar -C /boot --acls --xattrs --one-file-system -cf /tmp/boot.tar .

    • umount /boot/efi

    • umount /boot

  • Reformat the boot partition (/dev/sda1)

    • cryptsetup -c twofish-xts-plain64 -h sha512 -s 512 -y -i 1 --use-random --type luks1 luksFormat /dev/sda1

    • uuidR="$(blkid -o value -s UUID /dev/nvme0n1)"

    • uuidB="$(blkid -o value -s UUID /dev/sda1)"

    • cryptsetup luksOpen /dev/sda1 luks-$uuidB

    • mkfs.xfs /dev/mapper/luks-$uuidB

    • xfs_admin -U $uuidB /dev/mapper/luks-$uuidB

  • Configure fstab

    • sed -i 's?/dev/mapper/root?/dev/mapper/luks-'$uuidR'?g' /etc/fstab

    • sed -i 's?UUID=F4N[^ ]*?/dev/mapper/luks-'$uuidB'?g' /etc/fstab

    Replace F4N with the first 4 characters of the /dev/sda1 UUID that /etc/fstab currently lists for /boot. The sed delimiter is ? because the paths contain slashes, and /boot maps to luks-$uuidB, the name it was opened with above.

    • mount -v /boot

    • tar -C /boot --acls --xattrs -xf /tmp/boot.tar

    • mount /dev/sda2 /boot/efi

    /dev/sda1 is now the LUKS boot container; the EFI system partition is /dev/sda2.

  • Configure keys

    • mkdir -m0700 /etc/keys

    • ( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/root.key conv=excl,fsync )

    • ( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/boot.key conv=excl,fsync )

    • cryptsetup luksAddKey /dev/nvme0n1 /etc/keys/root.key

    • cryptsetup luksAddKey /dev/sda1 /etc/keys/boot.key

    • cryptsetup luksHeaderBackup /dev/nvme0n1 --header-backup-file /header

    • dd if=/header of=/dev/sda3 bs=16M count=1 status=progress

    • shred -uvz /header

    • shred -uvz /tmp/boot.tar

  • Configure Crypttab

    • echo -e "luks-$uuidR /dev/nvme0n1 /etc/keys/root.key luks,discard,key-slot=1,header=/dev/sda3\nluks-$uuidB UUID=$uuidB /etc/keys/boot.key luks,key-slot=1" > /etc/crypttab

  • Configure GRUB

    • echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub

    • sed btrfs driver # TODO

    • grub2-mkconfig -o /boot/efi/EFI/qubes/grub.cfg

  • Configure Dracut

    • echo -e 'add_dracutmodules+=" crypt "\ninstall_items+=" /etc/keys/root.key /etc/keys/boot.key "' > /etc/dracut.conf.d/qubes.conf

    • sed -i 's?block_uuid.map"?block_uuid.map"\necho "/dev/nvme0n1 '$uuidR'\n/dev/disk/by-uuid/'$uuidB' '$uuidB'" > "${initdir}/etc/block_uuid.map"?g' /usr/lib/dracut/modules.d/90crypt/module-setup.sh

    • sed -i 's?$initdir/etc/crypttab?$initdir/etc/crypttab\necho "luks-'$uuidR' /dev/nvme0n1 /etc/keys/root.key luks,discard,key-slot=1,header=/dev/sda3\nluks-'$uuidB' UUID='$uuidB' /etc/keys/boot.key luks,key-slot=1" > $initdir/etc/crypttab?g' /usr/lib/dracut/modules.d/90crypt/module-setup.sh

    • dracut -vf /boot/initramfs-*

    • exit

    • umount /mnt/sysroot/boot/efi

    • umount /mnt/sysroot/boot

    • umount -l /mnt/sysroot

    • umount -l /mnt/sysimage

    • swapoff /dev/qubes_dom0/swap

    • vgchange -a n qubes_dom0

    • cryptsetup luksClose /dev/mapper/luks-root

    • cryptsetup luksClose /dev/mapper/luks-*

    • wipefs -a /dev/nvme0n1

    • reboot
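Before the final exit and reboot it is worth checking that the crypttab written above, the fstab edits and the detached header agree with each other, because a mismatch leaves dom0 unable to unlock root once the on-disk header has been wiped. The script below is an added example, not part of the original notes; it assumes encrypted volumes appear in fstab as /dev/mapper/luks-<UUID>, that crypttab uses the "name device keyfile options" format, and that key files live under /etc/keys, and it ships with constructed sample files using placeholder UUIDs so it can be run anywhere.

```shell
#!/bin/bash
# Added example: pre-reboot sanity check for the crypttab/fstab pair of the
# detached-header layout. Inside the chroot: check_crypt_layout /etc/crypttab /etc/fstab
# Assumptions: mappings in fstab are /dev/mapper/luks-<UUID>, keys under /etc/keys.

check_crypt_layout() {
    local crypttab=$1 fstab=$2 errors=0 name dev key opts src mnt rest
    while read -r name dev key opts; do
        case $name in ''|\#*) continue ;; esac
        # each mapping must unlock from a key file under /etc/keys with a pinned slot
        case $key in /etc/keys/*) ;; *) echo "$name: key $key not under /etc/keys"; errors=$((errors+1)) ;; esac
        case ",$opts," in *,key-slot=*) ;; *) echo "$name: missing key-slot="; errors=$((errors+1)) ;; esac
        # a container given as a raw device (not UUID=) is the one whose on-disk header
        # is wiped, so it must point at the detached header partition
        case $dev in UUID=*) ;; *)
            case ",$opts," in *,header=/dev/*) ;; *) echo "$name: $dev has no header="; errors=$((errors+1)) ;; esac ;;
        esac
    done < "$crypttab"
    # every luks-* mapping mounted from fstab needs a crypttab line of the same name
    while read -r src mnt rest; do
        case $src in /dev/mapper/luks-*)
            grep -q "^${src#/dev/mapper/}[[:space:]]" "$crypttab" ||
                { echo "fstab: $src ($mnt) has no crypttab entry"; errors=$((errors+1)); } ;;
        esac
    done < "$fstab"
    return "$errors"
}

# Constructed sample files with placeholder UUIDs (not values from any real system).
uuidR=11111111-2222-3333-4444-555555555555
uuidB=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
tmp=$(mktemp -d)
printf '%s\n' \
  "luks-$uuidR /dev/nvme0n1 /etc/keys/root.key luks,discard,key-slot=1,header=/dev/sda3" \
  "luks-$uuidB UUID=$uuidB /etc/keys/boot.key luks,key-slot=1" > "$tmp/crypttab.good"
printf '%s\n' \
  "/dev/mapper/qubes_dom0-root / xfs defaults 0 0" \
  "/dev/mapper/luks-$uuidB /boot xfs defaults 0 0" \
  "UUID=ABCD-1234 /boot/efi vfat umask=0077 0 0" > "$tmp/fstab"
# Broken variant: header= forgotten on the root line, so the wiped disk could not unlock.
sed 's/,header=[^ ]*//' "$tmp/crypttab.good" > "$tmp/crypttab.bad"

check_crypt_layout "$tmp/crypttab.good" "$tmp/fstab" && echo "layout OK"
```

The function's exit status is the number of problems found, so it can gate the reboot step in a script.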

  • Will test tomorrow on my machine
  • Check for typos
  • Record a video of how to do this (will use a VM).

I will try later; I remember that in my first research it failed.

Don't bother with the error, just proceed and you'll be fine. You may want to follow the progress above instead of #1, and look at #1 or the btrfs thread for the image.