Trusted Personal Computers
The Hydra Suite was made with the Trusted Personal Computer (TPC) (portuguese translation) paradigm as it's starting point.
This guide documents the lifecycle of a TPC storage device, or a "TPS Cartridge":
Cartridge = TPS = Trusted Personal Storage (like and SSD, microSD or M.2)
The idea is that a number of TPCs can have interchangeable cartridges, as long as each cartridge has an unique name.
Parameters
Start by running the following commands in your terminal, adjusting to your case:
export HYDRA="nome-da-hydra"
export VOLNAME="nome-do-disco"
export DOMAIN="dominio.example.org"
export DEVICE="/dev/sdb"
export USER=`whoami`
export DEST=/media/$VOLNAME
export CONFIG_FOLDER="`hydra $HYDRA folder`"
if [ "$USER" != "root" ]; then
export SUDO="sudo"
fi
Provisioning a new cartridge
Random data
If you want to pre-fill your disk with random data, proceed as follows:
$SUDO dcfldd if=/dev/urandom of=$DEVICE
This can be done in a NAS as it may take days to finish, and the rest of the procedures from this document can be done from another TPC.
Configuration
If non-existing, create entries and keys:
hydra $HYDRA newnode $VOLNAME tpc
Customize:
vim $CONFIG_FOLDER/config/provision/$VOLNAME.conf
vim $CONFIG_FOLDER/puppet/config/node/$VOLNAME.$DOMAIN.yaml
vim $CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
Secrets
Proceed adding other passwords and secrets at
$CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN, make sure to
encode them with hiera-yaml:
hydra $HYDRA eyaml $VOLNAME encrypt -q -o block -p -l some::password
If you already have the secret somewhere, you can use a construction like this which already adds the eyaml block into the hiera config file:
keyringer $HYDA decrypt /path/to/some/secret | \
tr -d '\n' | \
hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --stdin -l some::password >> \
$CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
You can also ensure a fresh random passphrase is used, using your favourite generator like this:
head -c ${1:-20} /dev/urandom | base64 | \
tr -d '\n' | \
hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --stdin -l some::random:password >> \
$CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
For passwd(5) and shadow(5) hashed passphrases, use something like this:
mkpasswd -m sha-512 | \
tr -d '\n' | \
hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --stdin -l some::random:password >> \
$CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
Or this, for a random passphrase:
head -c ${1:-20} /dev/urandom | base64 | \
mkpasswd -m sha-512 --stdin | \
tr -d '\n' | \
hydra $HYDRA eyaml $VOLNAME encrypt -q -o block --stdin -l some::random:password >> \
$CONFIG_FOLDER/puppet/config/secrets/node/$VOLNAME.$DOMAIN.yaml
Installation
The proceed with the system installation, which should create all volumes in the TPS and setup the base Operating System:
hydra $HYDRA provision $VOLNAME
Metadata
After installation, make sure to save metadata from the disk layout and LUKS headers, which can be useful during recovery procedures.
-
Turn off the cartridge, and then plug it again in the TPC you're using. This will make sure device information is properly refreshed.
-
Write down UUIDS, models and serials from the new disk. Examples:
lsblk $DEVICE -n -o +UUID | keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/lsblk udevadm info --query=all --name=$DEVICE | keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/udevadm # For non-USB and non-microSD disks only $SUDO hdparm -I $DEVICE | keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/hdparm $SUDO smartctl -i $DEVICE | keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/smartctl -
Save partition tables, the LUKS header and other relevant information:
$SUDO LC_ALL=C sfdisk -d $DEVICE | keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/sfdisk $SUDO cryptsetup luksDump /dev/mapper/$VOLNAME-root | keyringer $HYDRA encrypt nodes/houdini.fluxo.info/luksDump-root $SUDO cryptsetup luksDump /dev/mapper/$VOLNAME-swap | keyringer $HYDRA encrypt nodes/houdini.fluxo.info/luksDump-swap $SUDO cryptsetup luksHeaderBackup /dev/mapper/$VOLNAME-root --header-backup-file luksHeaderBackup-root $SUDO chown $(whoami) luksHeaderBackup-root keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/luksHeaderBackup-root luksHeaderBackup-root chmod +w luksHeaderBackup-root wipe luksHeaderBackup-root
Other security measures
- Optionally, configure ATA passphrases for the new disk. If so, make sure to
save the passphrase in the keyring:
keyringer $HYDRA encrypt nodes/$VOLNAME.$DOMAIN/ata
Mounting
Use the following whenever you need to mount the cartridge in another system:
hydractl mount-media $VOLNAME
This will make the volume available at /media/$VOLNAME.
Initial user
These steps are needed to setup the encrypted home folder (the second level of encryption) before continuing the provisioning.
Setting up home encryption
If you're running this in an existing hydra-compatible TPC but you don't have your home folder encrypted, backup your data and then proceed running
hydractl ecryptfs-home
Syncing the user and encrypted home in the new cartridge
Then, with the new TPS cartridge mounted (hydractl mount-media $VOLNAME), do
the following to replicate your user and homedir there:
$SUDO chroot $DEST adduser $USER
$SUDO chroot $DEST usermod -a -G sudo $USER
$SUDO chroot $DEST apt install ecryptfs-utils -y
$SUDO mkdir -p $DEST/mnt/crypt/home
$SUDO mv $DEST/home/$USER $DEST/mnt/crypt/home/$USER
$SUDO ln -s -t $DEST/home /mnt/crypt/home/$USER/
$SUDO ln -s -t $DEST/mnt/crypt/home/$USER /home/.ecryptfs/$USER/.ecryptfs
$SUDO ln -s -t $DEST/mnt/crypt/home/$USER /home/.ecryptfs/$USER/.Private
$SUDO chroot $DEST chown -R $USER: /mnt/crypt/home/$USER
The procedure may be adapted if you're already running the system from the new TPS
and is logged in there as root.
Syncing data
From another system, and with the cartridge mounted:
hydractl sync-tpc $VOLNAME
This might involve a lot of data being transmitted. If you want sync-tpc to
ignore all your QEMU virtual machine images hosted at /var/cache/quemu, setup
a .sync-tpc-ignore like the following:
$SUDO mkdir -p $DEST/var/cache/qemu
$SUDO chown $USER: $DEST/var/cache/qemu
touch $DEST/var/cache/qemu/.sync-tpc-ignore
Check the backups for additional information.
Unmounting
Now that basic provisioning is completed, you can unmount the cartridge.
From another system, and with the cartridge mounted:
hydractl umount-media $VOLNAME
Booting
The current provisioning procedure (as of 2024-02) may yield into a partially bootable system, and may need some additional manual steps right after installation:
hydractl mount-media $VOLNAME
sudo chroot $DEST
update-initramfs -v -u
hydractl umount-media $VOLNAME
During boot, at the (initramfs) prompt, type this to successfully
unlock the encrypted volumes:
cryptsetup luksOpen /dev/mapper/volumename-root root
cryptsetup luksOpen /dev/mapper/volumename-swap swap
^Ctrl-D
Where volumename is $VOLNAME.
Then, in the running system, do:
sudo update-initramfs -v -u
With these steps, the system's boot procedure was fixed.
But there are fixes be done at hydractl provision to produce fully working
installations.
Deploy
Now it's time to boot the new system, log in with your user and deploy the complete configuration.
The following command will take care of the deployment:
hydra $HYDRA deploy localhost
Archives and backups
You can use a hydra-compatible archive/backup disk to setup working copies for existing archives:
export MEDIA=backup-disk-name
hydractl mount-media $MEDIA
hydractl sync-backups $MEDIA
hydractl sync-media $MEDIA
hydractl sync-media-initremotes localhost boxes hostname-nas1 hostname-nas2
Then add manually other archive remotes.
Compile
Make sure other nodes have some information on your cartridge by compiling collected data:
hydra $HYDRA compile
Adding a new hardware in the TPC pool
- Proceed with homologating a new unit.
- Provision, deploy, sync-media, sync-vms etc.
- Add the devices' network MAC Addresses at
70-persistent-net.rules, then make sure to sync this in the other cartridges.
Decommissioning
To be documented.
Additional references
Implementation
These are implementation-specific references, especially issues, fixes and workarounds found while developing procedures for TPCs.
UEFI
Overview:
- UEFI boot: how does that actually work, then? | AdamW on Linux and more
- Unified Extensible Firmware Interface - ArchWiki
- Linux on UEFI: A Quick Installation Guide
Coreboot versus UEFI:
UEFI versus Legacy:
Lenovo:
- lenovo - UEFI or Legacy? Which is advised and why? - Ask Ubuntu
- Legacy BIOS boot support removed in Lenovo's 2020 products
Issues:
Boot loader
Geral:
- GNU GRUB Manual 2.06: Installing GRUB using grub-install
- GRUB - ArchWiki
- GRUB/Tips and tricks - ArchWiki
(Re)installation:
- GrubEFIReinstall - Debian Wiki
- Chapter 13. Encrypting block devices using LUKS Red Hat Enterprise Linux 8 | Red Hat Customer Portal
Full Disk Encryption (FDE) support:
Recovery:
Issues:
- grub2 - UEFI Grub fails to boot encrypted Ubuntu 21.04 system: can't find command cryptomoun - Ask Ubuntu
- PSA: GRUB fails to detect the fact that / and /boot are LUKS encrypted : archlinux
- grub2 - How do I get Grub to automatically run cryptomount to load its config file (encrypted boot) - Unix & Linux Stack Exchange
- #917117 - grub-efi-amd64-signed: doesn't mount cryptodisk - Debian Bug report logs
- GRUB + LUKS2 not asking for password
- FS#40029 : [grub] ${cmdpath} expansion in GRUB shell is wrong
- linux - How to reconfigure grub - Unix & Linux Stack Exchange
- grub2 - wrong grub prefix (efi)
grub-installandupdate-grubdoesn't fix it - Unix & Linux Stack Exchange - #925309 - Wrong prefix directory hardcoded in signed GRUB image - Debian Bug report logs
- grub2 - grub doesn't load grub.cfg automatically - Ask Ubuntu
SecureBoot
- SecureBoot - Debian Wiki
- DEBAMAX — Debian expertise — Blog — An overview of Secure Boot in Debian
- Debian -- GRUB2 UEFI SecureBoot vulnerabilities - 2021
- SecureBoot/Discussion - Debian Wiki
- SecureBoot/VirtualMachine - Debian Wiki
- Frequently asked questions (FAQ) | Qubes OS
- GitHub - osresearch/safeboot: Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support
- Debian-GNU-Linux-Profiles/build-secureboot-trustchain.md at master · hardenedlinux/Debian-GNU-Linux-Profiles · GitHub
- Secure Boot with GRUB 2 and signed Linux images and initrds
Evil Maid Attack
- Evil maid attack - Wikipedia
- Anti-Evil Maid with UEFI and Xen - Brendan Kerrigan, Assured Information Security - Platform Security Summit 2018
- F-Secure Whitepaper - Evil Maid Guide (English).pdf
- UEFI threats moving to the ESP: Introducing ESPecter bootkit | WeLiveSecurity
- disk encryption - Encrypting the /boot partition in a Linux system can protect from an Evil Maid Attack? - Information Security Stack Exchange
- seagl-2017.pdf
- GitHub - kritjo/Techniques-for-Secure-System-Boot: Paper for mid-semester exam in IN2120 at Institute for Informathics, University of Oslo. Ended up scoring 98,8%.
- GitHub - xmikos/cryptboot: Encrypted boot partition manager with UEFI Secure Boot support
- Arch Linux Full-Disk Encryption Installation Guide [Encrypted Boot, UEFI, NVMe, Evil Maid] · GitHub
- GitHub - QubesOS/qubes-antievilmaid: Qubes component: antievilmaid
- Secure Boot, TPM2, LUKS, and a potential security hole in the Wiki / GNU/Linux Discussion / Arch Linux Forums
- luks - Defending against the evil maid, how to handle removal of the /boot partition - Unix & Linux Stack Exchange
- Multiple encryption - Wikipedia
Howtos
- Creating a BIOS/GPT and UEFI/GPT Grub-bootable Linux system - Philipp's Tech Blog
- How to Install GRUB2 with EFI Support | Timesys LinuxLink
- Real full disk encryption using GRUB on Arch Linux for BIOS and UEFI
- Real full disk encryption using GRUB on Debian GNU/Linux for BIOS
- Real full disk encryption using GRUB on Void Linux for BIOS
- Install Debian with Debootstrap + Grub EFI · GitHub
- Debian: Debootstrap Install (aka Installing Debian “the Arch Way”) – LeCorbeau's Vault
- Instructions how to install Debian using debootstrap · GitHub
TRIM
- Trim (computing) - Wikipedia
- fstrim.pdf
- Enable periodic TRIM - including on a LUKS partition - Tech Knowledge Base - jaytaala.com Confluence
- How to properly activate TRIM for your SSD on Linux: fstrim, lvm and dm-crypt | synaptic fault
- ssd - fstrim doesn't seem to trim a partition that uses lvm and dm-crypt - Unix & Linux Stack Exchange
- ssd - Trim with LVM and dm-crypt - Unix & Linux Stack Exchange
- [SOLVED] fstrim with LVM on LUKS: discard operation not supported / Installation / Arch Linux Forums
- Linux/LUKS/Full Disk Encryption: How can I mitigate SSD/flash media security security risk caused by unreliable physical deletion? - Information Security Stack Exchange
- linux - How to enable discards on encrypted root - Unix & Linux Stack Exchange
- SSD - Gentoo Wiki
- Solid state drive - ArchWiki
- TRIM on LVM on LUKS on SSD – Just another Linux geek
- Possible to get SSD TRIM (discard) working on ext4 + LVM + software RAID in Linux? - Server Fault
- Discard (TRIM) with KVM Virtual Machines... in 2020! - Chris Irwin's Blog
- Implementing Linux fstrim on SSD with software md-raid - Server Fault
- Debian, QEMU, libvirt, qcow2 and fstrim – #Jan
- Discard (TRIM) with KVM Virtual Machines... in 2020! - Chris Irwin's Blog
- Discard (TRIM) with KVM Virtual Machines - Chris Irwin's Blog
- TRIM Support on KVM Virtual Machines – ZenCoffee Blog – random notes, guides, and thoughts…
- #763318 - qemu-kvm: discard='unmap' not working for qcow2 disks on virtio-scsi controller - Debian Bug report logs
- linux - Qemu TRIM and discard on a physical SSD device - Server Fault
- Milan Broz's blog: TRIM & dm-crypt ... problems?
Swap
- Swap (and hibernation) on SSD in 2019?
- Why are swap partitions discouraged on SSD drives, are they harmful? - Ask Ubuntu
- Swap (and hibernation) on SSD in 2019? - Ask Ubuntu
- Swap and SSD linux - Unix & Linux Stack Exchange
Cryptsetup
- Debian Cryptsetup docs – README
- partitioning - Should I use LUKS1 or LUKS2 for partition encryption? - Ask Ubuntu
- #671037 - can not change target name of root in /etc/crypttab - Debian Bug report logs
- Debian -- Details of package cryptsetup-initramfs in bullseye