Qubes OS Installation - Detached encrypted boot and header revisions

Go back to topic: Qubes OS Installation - Detached encrypted boot and header

v7 anchor; v7 full version
v6 anchor; v6 full version
v5 anchor; v5 full version
Fix typo v4 anchor; v4 full version
v3 anchor; v3 full version
add exit after umount /mnt/sysroot/boot v2 anchor; v2 full version

Revision #7

Edited on: 2023-09-07
Edited by user: deeplow

Revision #6

Edited on: 2022-02-16
Edited by user: deeplow

	```
/dev/sda = flashdrive	/dev/sda = flashdrive ```
	```
[anaconda /] dd if=/dev/urandom of=/dev/sda bs=1M status=progress Using /dev/~~urandom~~ will take longer than /dev/~~zero~~ but more secure.	[anaconda /] dd if=/dev/urandom of=/dev/sda bs=1M status=progress ``` Using `/dev/urandom` will take longer than `/dev/zero` but more secure.
	```
Y	Y ```
	```
[luks prompt /] (enter password)	[luks prompt /] (enter password) ```
	```
	```
	```
	```
	```
	```
[anaconda /] mkfs.ext4 /dev/qubes_dom0/vm	``` [anaconda /] mkfs.ext4 /dev/qubes_dom0/vm ```
---	--- ```
	```
	```
	```
	```
	```
	```
	```
---	--- ```
	``` [anaconda /] vi /usr/lib/dracut/modules.d/90crypt/module-setup.sh
[anaconda /] vi /usr/lib/dracut/modules.d/90crypt/module-setup.sh
	```
/dev/disk/by-uuid/$uuidB $uuidB" > "{initdir}/etc/block_uuid.map"	/dev/disk/by-uuid/$uuidB $uuidB" > "{initdir}/etc/block_uuid.map" ```
	```
luks-$uuidB UUID=$uuidB /etc/keys/boot.key luks,key-slot=1" > $initdir/etc/crypttab	luks-$uuidB UUID=$uuidB /etc/keys/boot.key luks,key-slot=1" > $initdir/etc/crypttab ```
---	--- ```
[anaconda /] reboot	[anaconda /] reboot ```

Revision #5

Edited on: 2021-10-27
Edited by user: fsflover

Revision #4

Edited on: 2021-09-09
Edited by user: 51lieal
Edit reason: Fix typo

[anaconda /] lvcreate -~~V55~~.~~83G~~ -T qubes_dom0/vm-pool -n vm

[anaconda /] lvcreate -V19.9G -T qubes_dom0/vm-pool -n vm

Revision #3

Edited on: 2021-09-09
Edited by user: 51lieal

Please watch out any space, slash, periode in ~~command issue /~~ files IT REALLY MATTERS ~~- Installation is~~ using ~~2 drive~~, 1 ~~for system and other for detached~~ boot, header	Used device in testing and confirm is worked : windows vmware (host using old pc) and my laptop. both are using uefi. Keep in mind that below are disk i used in the tutorial, you can use 2 flashdrive (1 boot, 1 header) + 1 hdd or whatever you want.
- After booting into installation in language section, press ctrl + alt + f2 ---	Please watch out any space, slash, periode in command issue / files IT REALLY MATTER --- - After booting into installation in language section, press ctrl + alt + f2 ---# WARNING CONFIRM YOUR DISK FIRST BEFORE EXECUTING COMMAND
Y ---# I use iter time 1 for speeding up decrypt process you should increase it in real installation, see ~~luks iter~~-~~time~~ for details.	Y --- ---# I use iter time 1 for speeding up decrypt process you should increase it in real installation, see [5.13](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#5-security-aspects) for details.
---#
[luks prompt /] (enter password) ---#	[luks prompt /] (enter password) ---
vm-pool 55.~~83g~~	vm-pool 19.90g
[anaconda /] mkfs.ext4 /dev/qubes_dom0/vm ---#	[anaconda /] mkfs.ext4 /dev/qubes_dom0/vm ---
Your disk tree is must same with the picture below and should have UNKNOWN fs except qubes_dom0-vm (if you not wipe your disk clearly, it's okay (caution for security do full wipe i did not do so i can make it quick in vvmware) and there'll maybe some system extension left) ![~~QubesOS~~-2021-09-06-20-21-28\|666x500](upload://~~bVeeibnbSjMNw6TPuRP1Uhvycyd~~.png) ---#	![Qubes OS-2021-09-10-02-05-37\|666x500](upload://fumTZsUeJ0b4bfn7ohCPx2JyEuk.png) ---# reformat disk
---# - ~~Leave~~ qubes_dom0-vm and sda3 untouched. ![~~QubesOS~~-2021-09-06-20-22-04\|666x500](upload://~~y1hEIXRJgqNCPEf0rwdgpvEYz1H~~.png) - Click done and begin installation. ~~What we are doing before is Custom Installation with detached boot you may reboot after complete install if you think this is enough.~~	---# leave qubes_dom0-vm and sda3 untouched. ![Qubes OS-2021-09-10-02-06-23\|666x500](upload://pCJYAkg7aLDNMjWHY1w4B26uCNk.png) - Click done and begin installation.
---#	---
---#	---# WARNING CONFIRM YOUR DISK FIRST BEFORE EXECUTING COMMAND
[anaconda /] ~~uuid~~="$(blkid -o value -s UUID /dev/sda2)" [anaconda /] cryptsetup luksOpen /dev/sda2 luks-$~~uuid~~ [anaconda /] mkfs.ext2 -m0 -U $~~uuid~~ /dev/mapper/luks-$~~uuid~~	[anaconda /] uuidR="$(blkid -o value -s UUID /dev/nvme0n1)" [anaconda /] uuidB="$(blkid -o value -s UUID /dev/sda2)" [anaconda /] cryptsetup luksOpen /dev/sda2 luks-$uuidB [anaconda /] mkfs.ext2 -m0 -U $uuidB /dev/mapper/luks-$uuidB
---# Change UUID=..on boot line to ~~( check your sda2 uuid ) ```~~ /dev/mapper/luks-~~5f4a8efe-a2cd-41ab-889b-d8c759fa8db7 /boot ext2 defaults 1 2~~ ~~```~~ ~~---#~~ ![~~QubesOS~~-2021-09-07-21-~~05-~~16\|~~666x500~~](upload://~~iaNErbJcQdsc6S2ZTYhdIbACAMl~~.png) ---#	---# Change UUID=..on boot line to /dev/mapper/luks-(your $uuidB) and leave the rest to default value ![Qubes OS-2021-09-09-09-21-16\|690x212](upload://kBEHeQ75xDu24YDcwSyIo3QnHus.png) ---
---#
	---# create luks keys so we dont have to enter any password after grub
	---# WARNING CONFIRM YOUR DISK FIRST BEFORE EXECUTING COMMAND
[anaconda /] echo "luks-$~~uuid~~ UUID=$~~uuid~~ /etc/keys/boot.key luks,key-slot=1" \| tee -a /mnt/sysroot/etc/crypttab	[anaconda /] echo "luks-$uuidB UUID=$uuidB /etc/keys/boot.key luks,key-slot=1" \| tee -a /mnt/sysroot/etc/crypttab
[anaconda /] mount --bind /proc /mnt/sysroot/proc	[anaconda /] mount --bind /proc /mnt/sysroot/proc ---
---# Change root device value so it look like this ![~~QubesOS~~-2021-09-07-20-46-57\|~~666x500~~](upload://~~r9wvNnRns0eYv4NVNkcWP5xjEAh~~.png) ---#	---# Change root device value so it look like this ![Qubes OS-2021-09-09-05-41-16\|690x100](upload://wq7nqayfAzpGbeT5p8gfLqB1XMc.png) ---
~~use_fstab="yes"~~ ``` [anaconda /] ~~udevadm info~~ -~~q all~~ -n /dev/~~nvme0n1~~ ---~~# Change~~ (~~value~~) ~~with ID_SERIAL_SHORT~~ in ~~output command above~~. ~~[anaconda~~ /~~] vi~~ /~~lib~~/~~udev~~/~~rules~~.~~d/61~~-~~luks.rules ``` KERNEL~~=~~=”sd?”~~, ~~SUBSYSTEM~~==~~”block”~~, ~~ENV{ID_SERIAL_SHORT}~~==”<~~value~~>”, ~~ENV{ID_FS_TYPE}=”crypto_LUKS”~~ ~~```~~	``` [anaconda /] vi /usr/lib/dracut/modules.d/90crypt/module-setup.sh ---# write a persistence device at /etc/block_uuid.map in generated initramfs echo "/dev/nvme0n1 $uuidR /dev/disk/by-uuid/$uuidB $uuidB" > "{initdir}/etc/block_uuid.map" ![Qubes OS-2021-09-09-05-59-09\|690x350](upload://42i8w7W8Q5b5ajA0na19yfbX9fT.png) ---# write a persistence device at /etc/crypttab in generated initramfs (we can't inject /etc/crypttab files in dracut.conf) echo "luks-$uuidR /dev/nvme0n1 /etc/keys/root.key luks,discard,key-slot=1,header=/dev/sda3 luks-$uuidB UUID=$uuidB /etc/keys/boot.key luks,key-slot=1" > $initdir/etc/crypttab ![Qubes OS-2021-09-09-05-59-16\|690x273](upload://lAXR6GsVJefZ9wADng3SozOrakj.png) ---
	[anaconda /] exit
[anaconda /] exit
[anaconda /] cryptsetup luksClose /dev/mapper/luks-$~~uuid~~	[anaconda /] cryptsetup luksClose /dev/mapper/luks-$uuidB
![QubesOS-2021-09-07-20-46-39\|666x500](upload://d43ZIXJU0aeJMln1LFNyqO56b7R.png) ``` NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINT loop0 loop1 loop2 sda ├─sda1 vfat FAT32 3F62-7E87 587.5M 2% /boot/efi ├─sda2 crypto_LUKS 1 5f4a8efe-a2cd-41ab-889b-d8c759fa8db7 │ └─luks-5f4a8efe-a2cd-41ab-889b-d8c759fa8db7 ext2 1.0 5f4a8efe-a2cd-41ab-889b-d8c759fa8db7 925.4M 6% /boot └─sda3 crypto_LUKS 2 85773448-fa03-44b7-a643-b2b3ec7b9984 sr0 iso9660 Joliet Extension QUBES-R4-1-0-BETA1-X86-64 2021-07-10-17-09-38-00 nvme0n1 └─luks-85773448-fa03-44b7-a643-b2b3ec7b9984 LVM2_member LVM2 001 Tsmi04-XlVi-2nfi-FoDA-3nsM-ZHz5-awCWzQ ├─qubes_dom0-root--pool_tmeta │ └─qubes_dom0-root--pool-tpool │ ├─qubes_dom0-root ext4 1.0 e511dfeb-541f-4beb-a188-937c58e85928 14.9G 19% / │ └─qubes_dom0-root--pool ├─qubes_dom0-root--pool_tdata │ └─qubes_dom0-root--pool-tpool │ ├─qubes_dom0-root ext4 1.0 e511dfeb-541f-4beb-a188-937c58e85928 14.9G 19% / │ └─qubes_dom0-root--pool ├─qubes_dom0-swap swap 1 a629f9ea-9cd2-4a19-bf41-95b43b5d24bb [SWAP] ├─qubes_dom0-vm--pool_tmeta │ └─qubes_dom0-vm--pool-tpool │ ├─qubes_dom0-vm--pool │ ├─qubes_dom0-vm xfs 2433e2e5-64de-4830-af4d-4b0e371b3941 │ ├─qubes_dom0-vm--fedora--34--root--1631021717--back │ ├─qubes_dom0-vm--fedora--34--dvm--private │ ├─qubes_dom0-vm--fedora--34--root--1631021777--back │ ├─qubes_dom0-vm--fedora--34--root │ ├─qubes_dom0-vm--default--mgmt--dvm--private │ ├─qubes_dom0-vm--fedora--34--private │ ├─qubes_dom0-vm--sys--net--private │ ├─qubes_dom0-vm--sys--firewall--private │ ├─qubes_dom0-vm--sys--net--private--snap │ ├─qubes_dom0-vm--sys--net--volatile │ ├─qubes_dom0-vm--sys--net--root--snap │ ├─qubes_dom0-vm--sys--firewall--private--snap │ ├─qubes_dom0-vm--sys--firewall--volatile │ └─qubes_dom0-vm--sys--firewall--root--snap └─qubes_dom0-vm--pool_tdata └─qubes_dom0-vm--pool-tpool ├─qubes_dom0-vm--pool ├─qubes_dom0-vm xfs 2433e2e5-64de-4830-af4d-4b0e371b3941 ├─qubes_dom0-vm--fedora--34--root--1631021717--back ├─qubes_dom0-vm--fedora--34--dvm--private ├─qubes_dom0-vm--fedora--34--root--1631021777--back ├─qubes_dom0-vm--fedora--34--root ├─qubes_dom0-vm--default--mgmt--dvm--private ├─qubes_dom0-vm--fedora--34--private ├─qubes_dom0-vm--sys--net--private ├─qubes_dom0-vm--sys--firewall--private ├─qubes_dom0-vm--sys--net--private--snap ├─qubes_dom0-vm--sys--net--volatile ├─qubes_dom0-vm--sys--net--root--snap ├─qubes_dom0-vm--sys--firewall--private--snap ├─qubes_dom0-vm--sys--firewall--volatile └─qubes_dom0-vm--sys--firewall--root--snap ``` ``` Linux dom0 5.10.47-1.fc32.qubes.x86_64 #1 SMP Sun Jul 4 10:29:16 CEST 2021 x86_64 x86_64 x86_64 GNU/Linux ```	--- ---# Screenshoot ![Qubes OS-2021-09-09-06-22-47\|690x106](upload://6pqx2SoCRmYl4DGNrWe5zzS9np9.png) ![Qubes OS-2021-09-09-06-34-41\|666x500](upload://4yWLLKedih9TErXwvGD19fU9XBk.png)

Revision #2

Edited on: 2021-09-07
Edited by user: 51lieal
Edit reason: add exit after umount /mnt/sysroot/boot

[anaconda /] exit