Title: | user:Codegazer workspace |
Author: | Paul Blackburn |
Classification: | unrestricted |
Status: | work-in-progress |
Approved by: | Codegazer |
Last updated: | 2023_12_16 |
Reference Site: | user:Codegazer on Mageia wiki |
Contents
- 1 Introduction
- 2 Contributions
- 3 notes boundary here
- 4 Appendix-2: Notes on adding LUKS disk encryption to Mageia live persistent USB
- 5 Introduction
- 6 Benefits
- 7 notes
- 8 step 1: Create persistent Mageia live USB using isodumper command
- 9 step 2: identify the device name for the USB memory stick
- 10 step 3: Remove the newly created 3rd "mgalive-persist" partition and create a smaller 2gb to replace it
- 11 step 4: Create a 4th "mgalive-LUKS" partition and ext4 filesystem on all the remaining USB freespace
- 11.1 Create 4th partition
- 11.2 Initialize the LUKS encryption on the newly-created partition
- 11.3 Open the LUKS device
- 11.4 Create filesystem on the LUKS partition and label it
- 11.5 Label the filesystem in 4th (LUKS) partition
- 11.6 Place a persistence.conf file in the 4th filesystem
- 11.7 Create work and memory directories for handling union mount
- 11.8 Unmount the encrypted filesystem
- 11.9 Close encrypted channel to persistence partition
- 12 step 5: Boot from the "mgalive-persist" USB
- 13 step 6: Configure the "mageia-persist" USB to automatically LUKS open the 4th partition
- 14 step 7: reboot and verify "mgalive-LUKS" is union mounted
- 15 step 8: complete post-install configuration and apply pending updates
- 16 notes boundary here
- 17 Appendix-3: Encrypted 3rd partition on persistent Mageia live USB
- 17.1 Preparation
- 17.2 Define memory_stick_device
- 17.3 List what is already on the USB (after running isodumper)
- 17.4 Create 3rd partition using remaining space on USB
- 17.5 List contents to verify 3rd partition created
- 17.6 Initialise LUKS encryption on 3rd partition
- 17.7 Open LUKS encrypted 3rd partition
- 17.8 Create filesystem on the LUKS partition and label it "mgalive-persist"
- 17.9 Close the LUKS encrypted 3rd partition
- 18 Using the encrypted mgalive-persist USB
Introduction
Hello, I am Codegazer: a long time user and contributor to Mandrake/Mandriva/Mageia Linux. I volunteer with the Mageia quality assurance (QA) and documentation teams.
You can also find me on Libera IRC network channel #mageia as treegazer.
This is my draft wiki page and workspace.
It contains several "docs" as separate appendixes. Some of these are works-in-progress drafts.
Contributions
Mageia Wiki pages contributed by Codegazer (note:table is sortable: click on column header):
# | written | status | page | link | comment |
---|---|---|---|---|---|
1 | 2011_12_25 | active | Skype for Linux | Skype_with_video | Howto configure Skype in Mageia |
2 | 2012_03_07 | archived | Nomachine | Nomachine | How to configure original NoMachine in Mageia |
3 | 2013_02_10 | active | sudo | Configuring_sudo | How to configure sudo in Mageia |
4 | 2013_05_03 | active | OpenAFS client | Installing_OpenAFS_Client | how to install OpenAFS client in Mageia |
5 | 2013_05_20 | active | Finding Mageia rsync servers | Finding_Mageia_rsync_servers | Identifying and configuring URPMI rsync servers |
6 | 2013_09_24 | archived | Tip for installing VMware 9 on Mageia3 | Tip_for_installing_VMware_9_and_VMPlayer_on_Mageia3 | How to configure VMware 9 on Mageia 3 |
7 | 2014_07_12 | active | share your NAT connection | Howto_use_NAT_to_share_your_connection | NAT connection sharing |
8 | 2014_10_31 | active | Installing Mageia from ISO on disk | Installing_Mageia_from_ISO_on_disk | Install from disk image |
8a | 2024_01_04 | archived | Installing Mageia from ISO on disk | Installing Mageia from ISO in disk | Install disk image: Mga4 example |
9 | 2015_10_29 | archived | Installing VMware workstation 11 in Mageia 5 | Installing_VMware_workstation_11_in_Mageia_5 | VMware workstation on Mageia |
10 | 2017_02_28 | active | Notes on moving a mediawiki | Notes_on_moving_a_mediawiki | how to move media wiki |
11 | 2017_09_17 | user:codegazer | VASCO DIGIPASS SecureClick authentication | Configure SecureClick authentication device in Mageia | FIDO U2F configuration |
12 | 2018_09_06 | archived | Installing VMware workstation 12.5.9 in Mageia 6 | Installing_VMware_workstation_12.5.9_in_Mageia_6 | VMware workstation 12.5.9 on Mageia 6 |
13 | 2018_11_04 | active | Using Zoom | Using_Zoom_communication_application | Installing Zoom on Mageia |
14 | 2019_07_14 | archived | Installing VMware workstation 12.5.9 in Mageia 7 | Installing_VMware_workstation_12.5.9_in_Mageia_7 | VMware workstation 12.5.9 on Mageia 7 |
15 | 2019_07_15 | active | Installing Mageia from ISO images on disk using grub2 | Installing_Mageia_from_ISO_images_on_disk_using_grub2 | fastest install method |
16 | 2020_02_26 | user:codegazer | Installing Google Chrome in Mageia | Installing Google Chrome in Mageia | google-chrome-stable |
17 | 2020_03_04 | active | Installing Google Chrome in Mageia | Installing_Google_Chrome_in_Mageia | google-chrome-stable |
18 | 2020_03_04 | user:codegazer | Configuring autostart with MATE in Mageia | Configuring autostart with MATE in Mageia | scripted MATE desktop layout on login |
19 | 2020_04_07 | user:codegazer | First step with Compiz fusion | First step with Compiz fusion | Configuring Compiz fusion 3D desktop on Mageia |
20 | 2020_04_08 | active | Configuring autostart with MATE in Mageia | Configuring_autostart_with_MATE_in_Mageia | scripted MATE desktop layout on login |
21 | 2021_05_10 | active | Making a bootable Mageia network install USB drive | Making_a_bootable_Mageia_network_install_USB_drive | Mageia network install bootable USB drive is a very useful tool to help Installing Mageia Linux |
22 | 2022_01_09 | user:codegazer | Rescue: disable GUI at boot | Rescue: disable GUI at boot | Rescue technique: howto disable GUI at boot time |
22a | 2022_01_09 | active | Rescue: disable GUI at boot | Rescue: disable GUI at boot | Rescue technique: howto disable GUI at boot time |
23 | 2022_01_22 | user:codegazer | Encrypted live persistent USB with Mageia 7 | Encrypted live persistent USB with Mageia 7 | configure a live persistent USB in Mageia 7 |
24 | 2022_02_13 | active | Synchronize local skype urpmi | Synchronize_local_skype_urpmi | Automated install/update of skypeforlinux for Mageia |
25 | 2022_04_04 | user:codegazer | Configuring OpenVPN with ProtonVPN in Mageia | Configuring OpenVPN with ProtonVPN in Mageia | Configure OpenVPN to use ProtonVPN |
26 | 2022_04_11 | active | Configuring OpenVPN with ProtonVPN in Mageia | Configuring_OpenVPN_with_ProtonVPN_in_Mageia | ProtonVPN do not provide an "app" for Mageia but OpenVPN can be configured to use it |
27 | 2023_10_22 | user:codegazer | Installing Signal Messenger on Mageia | Installing Signal Messenger on Mageia | unsupported by Signal but working Messenger on Mageia |
key to status column: active = live public wiki page, user:codegazer = draft/work-in-progress, archived = no longer current
notes boundary here
Separate notes about LUKS on a persistent Mageia live USB follow from here.
Appendix-2: Notes on adding LUKS disk encryption to Mageia live persistent USB
Introduction
These notes describe how to add a 4th LUKS encrypted partition to a Mageia live USB with data persistence created by the isodumper command.
Benefits
It is useful to be able to encrypt a persistent live USB to protect data in the event of the memory stick being lost or stolen.
notes
Manually adding a union mount that overlays the 4th LUKS encrypted partition on root (/):
mount -t overlay -o lowerdir=/,upperdir=/mnt/mgalive-LUKS/memory,workdir=/mnt/mgalive-LUKS/work/ overlay /
step 1: Create persistent Mageia live USB using isodumper command
Check if isodumper is installed and if not then install it:
rpm -q isodumper > /dev/null && echo isodumper is installed || /usr/sbin/urpmi isodumper
step 2: identify the device name for the USB memory stick
memory_stick_device=/dev/sdb
step 3: Remove the newly created 3rd "mgalive-persist" partition and create a smaller 2gb to replace it
/bin/sudo fdisk ${memory_stick_device}
# remove existing 3rd partition created by isodumper
d
3
w

/bin/sudo fdisk ${memory_stick_device}
# create new smaller (2GB) 3rd partition
n
p
3
# blank = default start of free space
+2G
w
Example: Display disk partitions:
$ /bin/sudo fdisk -l ${memory_stick_device}
[sudo] password for user:
Disk /dev/sdb: 115.6 GiB, 124151398400 bytes, 242483200 sectors
Disk model: USB Flash Drive
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot   Start     End Sectors  Size Id Type
/dev/sdb1  *          0 4789035 4789036  2.3G  0 Empty
/dev/sdb2       4789036 4797227    8192    4M ef EFI (FAT-12/16/32)
/dev/sdb3       4798464 8992767 4194304    2G 83 Linux
Create filesystem in 3rd Partition
/bin/sudo mkfs.ext4 -L mgalive-persist ${memory_stick_device}3
Example:
$ /bin/sudo mkfs.ext4 -L mgalive-persist ${memory_stick_device}3
mke2fs 1.45.0 (6-Mar-2019)
Creating filesystem with 524288 4k blocks and 131072 inodes
Filesystem UUID: c58935a2-5a22-4f53-85b0-3f78aa65c79b
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
step 4: Create a 4th "mgalive-LUKS" partition and ext4 filesystem on all the remaining USB freespace
Create 4th partition
/bin/sudo fdisk ${memory_stick_device}
# create new 4th partition using up all remaining space
n
p
4
# blank - (default) start of free space
# blank - (default) end of free space
w
Display updated disk partitions
$ /bin/sudo fdisk -l ${memory_stick_device}   # verify 4th partition created
Disk /dev/sdb: 115.6 GiB, 124151398400 bytes, 242483200 sectors
Disk model: USB Flash Drive
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot   Start       End   Sectors   Size Id Type
/dev/sdb1  *          0   4789035   4789036   2.3G  0 Empty
/dev/sdb2       4789036   4797227      8192     4M ef EFI (FAT-12/16/32)
/dev/sdb3       4798464   8992767   4194304     2G 83 Linux
/dev/sdb4       8992768 242483199 233490432 111.3G 83 Linux
Initialize the LUKS encryption on the newly-created partition
/bin/sudo cryptsetup --verbose --verify-passphrase luksFormat ${memory_stick_device}4
Example:
$ /bin/sudo cryptsetup --verbose --verify-passphrase luksFormat ${memory_stick_device}4

WARNING!
========
This will overwrite data on /dev/sdb4 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb4:
Verify passphrase:
Key slot 0 created.
Command successful.
Open the LUKS device
/bin/sudo cryptsetup luksOpen ${memory_stick_device}4 my_usb
Example:
$ /bin/sudo cryptsetup luksOpen ${memory_stick_device}4 my_usb
Enter passphrase for /dev/sdb4:
Create filesystem on the LUKS partition and label it
This will take some time to run.
/bin/sudo mkfs.ext4 -L mgalive-LUKS /dev/mapper/my_usb
Example:
$ /bin/sudo cryptsetup luksOpen ${memory_stick_device}4 my_usb
Enter passphrase for /dev/sdb4:
[user@localhost] $ /bin/sudo mkfs.ext4 -L mgalive-LUKS /dev/mapper/my_usb
mke2fs 1.45.0 (6-Mar-2019)
Creating filesystem with 29182208 4k blocks and 7299072 inodes
Filesystem UUID: b00aefcb-373a-48da-84ee-baf93b18420d
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done
Writing inode tables: done
Creating journal (131072 blocks): done
Writing superblocks and filesystem accounting information: done
Label the filesystem in 4th (LUKS) partition
/bin/sudo e2label /dev/mapper/my_usb mgalive-LUKS
Example:
$ /bin/sudo e2label /dev/mapper/my_usb mgalive-LUKS
Place a persistence.conf file in the 4th filesystem
/bin/sudo mkdir -p /mnt/my_usb
/bin/sudo mount /dev/mapper/my_usb /mnt/my_usb

$ df /mnt/my_usb
Filesystem          Size  Used Avail Use% Mounted on
/dev/mapper/my_usb  110G   61M  104G   1% /mnt/my_usb

$ ls -l /mnt/my_usb/
total 16
drwx------ 2 root root 16384 Jun  7 21:27 lost+found/
Create work and memory directories for handling union mount
/bin/sudo mkdir /mnt/my_usb/work
/bin/sudo mkdir /mnt/my_usb/memory
Unmount the encrypted filesystem
/bin/sudo umount /dev/mapper/my_usb

# confirm un-mounted
df /mnt/my_usb/
Filesystem      Size  Used Avail Use% Mounted on
overlay          13G  5.6G  5.9G  49% /
Close encrypted channel to persistence partition
/bin/sudo cryptsetup luksClose /dev/mapper/my_usb
step 5: Boot from the "mgalive-persist" USB
This boot will be using the 3rd partition which provides data persistence but is not encrypted.
Verify the LUKS encrypted 4th partition can be opened and mounted
open the LUKS encrypted fs
/bin/sudo cryptsetup luksOpen ${memory_stick_device}4 my_usb
create mountpoint for mgalive-LUKS filesystem
/bin/sudo mkdir /mnt/mgalive-LUKS
mount the mgalive-LUKS filesystem
/bin/sudo mount -t ext4 /dev/mapper/my_usb /mnt/mgalive-LUKS   # mount the opened mapper device, not the raw LUKS partition /dev/sdb4
step 6: Configure the "mageia-persist" USB to automatically LUKS open the 4th partition
We need to have the 4th LUKS partition automatically mounted at boot time and union mount "mgalive-LUKS" with root (/) on the 3rd "mgalive-persist" partition.
Confirm mgalive-LUKS (4th partition) mounted at boot time
Add the following line to /etc/fstab:
/dev/mapper/mgalive-LUKS /mnt/mgalive-LUKS ext4 defaults 0 0
Add the following line to /etc/crypttab:
mgalive-LUKS /dev/sdb4 none
Create a mount point for mgalive-LUKS under /mnt/:
d=/mnt/mgalive-LUKS/; [ -d ${d} ] && echo directory ${d} already exists || (mkdir ${d} && echo created directory: ${d})
Reboot and verify that the boot sequence is stopped to prompt for the LUKS passphrase.
Update /etc/fstab to add union mount for mga-live-LUKS partition
Add the following line to /etc/fstab
none / overlay noauto,x-systemd.automount,lowerdir=/,upperdir=/mnt/mgalive-LUKS/memory,workdir=/mnt/mgalive-LUKS/work 0 0
Note that noauto and x-systemd.automount prevent systemd from hanging at boot if the overlay cannot be mounted. The overlay is instead mounted when it is first accessed, and requests are held until it is ready. The upperdir and workdir must be separate directories on the same filesystem (here the memory and work directories created earlier on the 4th partition); the workdir must not sit inside the upperdir.
Reboot and confirm the union mount is working (hint: use the df command and observe the free space for /).
step 7: reboot and verify "mgalive-LUKS" is union mounted
Got this far and now stuck trying to get mgalive-LUKS union mounted with / and /mnt/mgalive-persist.
[root@localhost ~]# nl -ba /etc/fstab
     1  none / overlay defaults 0 0
     2  /dev/mapper/mgalive-LUKS /mnt/mgalive-LUKS ext4 defaults 0 0
     3  /dev/sdb3 /mnt/mgalive-persist ext4 defaults 0 0
     4  #none / overlay noauto,x-systemd.automount,lowerdir=/mnt/mgalive-persist:/,upperdir=/mnt/mgalive-LUKS/memory,workdir=/mnt/mgalive-LUKS/work 0 0

# 4 (^) commented out because when present a message about "duplicate error" in /etc/fstab is displayed
# which can only be in relation to having two "overlay" entries in /etc/fstab

[root@localhost ~]# nl -ba /etc/crypttab
     1  mgalive-LUKS /dev/sdb4 none

[root@localhost ~]# df | nl -ba
     1  Filesystem                Size  Used Avail Use% Mounted on
     2  tmpfs                     2.9G  1.4M  2.9G   1% /run
     3  /dev/loop0                2.3G  2.3G     0 100% /run/mgalive/ovlsize
     4  overlay                   2.0G  1.4G  493M  74% /
     5  devtmpfs                  2.9G     0  2.9G   0% /dev
     6  tmpfs                     2.9G   59M  2.9G   2% /dev/shm
     7  tmpfs                     2.9G     0  2.9G   0% /sys/fs/cgroup
     8  tmpfs                     2.9G   12K  2.9G   1% /tmp
     9  /dev/sdb3                 2.0G  1.4G  493M  74% /mnt/mgalive-persist
    10  /dev/mapper/mgalive-LUKS  110G   66M  104G   1% /mnt/mgalive-LUKS
    11  tmpfs                     594M   20K  594M   1% /run/user/1001

[root@localhost ~]# uname -r
5.1.7-desktop-2.mga7

# mount | nl -ba
     1  tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,mode=755)
     2  /dev/loop0 on /run/mgalive/ovlsize type squashfs (ro,relatime)
     3  overlay on / type overlay (rw,noatime,lowerdir=/live/distrib,upperdir=/live/overlay/memory,workdir=/live/overlay/work)
     4  devtmpfs on /dev type devtmpfs (rw,nosuid,noexec,size=3022532k,nr_inodes=755633,mode=755)
     5  sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
     6  proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
     7  securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
     8  tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
     9  devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
    10  tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
    11  cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
    12  cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
    13  pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
    14  bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
    15  cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
    16  cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
    17  cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
    18  cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
    19  cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
    20  cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)
    21  cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
    22  systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=39,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=1595)
    23  hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
    24  tmpfs on /tmp type tmpfs (rw,nosuid,nodev)
    25  mqueue on /dev/mqueue type mqueue (rw,relatime)
    26  debugfs on /sys/kernel/debug type debugfs (rw,relatime,mode=755)
    27  /dev/sdb3 on /mnt/mgalive-persist type ext4 (rw,relatime)
    28  /dev/mapper/mgalive-LUKS on /mnt/mgalive-LUKS type ext4 (rw,relatime)
    29  fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
    30  tmpfs on /run/user/1001 type tmpfs (rw,nosuid,nodev,relatime,size=608120k,mode=700,uid=1001,gid=1001)
    31  gvfsd-fuse on /run/user/1001/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1001,group_id=1001)
For comparison, the following is what I see on a kali encrypted persistent USB system:
root@kali:~# nl -ba /etc/fstab
     1  overlay / overlay rw 0 0
     2  tmpfs /tmp tmpfs nosuid,nodev 0 0

root@kali:~# nl /etc/crypttab
     1  # <target name> <source device> <key file> <options>

root@kali:~# df | nl -ba
     1  Filesystem       1K-blocks    Used Available Use% Mounted on
     2  udev               3013864       0   3013864   0% /dev
     3  tmpfs               608372    9388    598984   2% /run
     4  /dev/sdb1          3234496 3234496         0 100% /run/live/medium
     5  /dev/loop0         2959488 2959488         0 100% /run/live/rootfs/filesystem.squashfs
     6  tmpfs              3041860       0   3041860   0% /run/live/overlay
     7  /dev/mapper/sdb3  50588880 6931380  41074412  15% /run/live/persistence/sdb3
     8  overlay           50588880 6931380  41074412  15% /
     9  tmpfs              3041856   71408   2970448   3% /dev/shm
    10  tmpfs                 5120       8      5112   1% /run/lock
    11  tmpfs              3041856       0   3041856   0% /sys/fs/cgroup
    12  tmpfs              3041856      12   3041844   1% /tmp
    13  tmpfs               608368      16    608352   1% /run/user/131
    14  tmpfs               608368      32    608336   1% /run/user/1000
    15  /dev/sdb2              716     682        34  96% /media/mpb/Kali Live

root@kali:~# mount | nl -ba
     1  sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
     2  proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
     3  udev on /dev type devtmpfs (rw,nosuid,relatime,size=3013864k,nr_inodes=753466,mode=755)
     4  devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
     5  tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=608372k,mode=755)
     6  /dev/sdb1 on /run/live/medium type iso9660 (ro,noatime,nojoliet,check=s,map=n,blocksize=2048)
     7  /dev/loop0 on /run/live/rootfs/filesystem.squashfs type squashfs (ro,noatime)
     8  tmpfs on /run/live/overlay type tmpfs (rw,noatime,size=3041860k,mode=755)
     9  /dev/mapper/sdb3 on /run/live/persistence/sdb3 type ext3 (rw,noatime)
    10  overlay on / type overlay (rw,noatime,lowerdir=/run/live/rootfs/filesystem.squashfs/,upperdir=/run/live/persistence/sdb3/rw,workdir=/run/live/persistence/sdb3/work)
    11  tmpfs on /usr/lib/live/mount type tmpfs (rw,nosuid,noexec,relatime,size=608372k,mode=755)
    12  /dev/sdb1 on /usr/lib/live/mount/medium type iso9660 (ro,noatime,nojoliet,check=s,map=n,blocksize=2048)
    13  /dev/loop0 on /usr/lib/live/mount/rootfs/filesystem.squashfs type squashfs (ro,noatime)
    14  tmpfs on /usr/lib/live/mount/overlay type tmpfs (rw,noatime,size=3041860k,mode=755)
    15  /dev/mapper/sdb3 on /usr/lib/live/mount/persistence/sdb3 type ext3 (rw,noatime)
    16  securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
    17  tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
    18  tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
    19  tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
    20  cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
    21  cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
    22  pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
    23  bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
    24  cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
    25  cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
    26  cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
    27  cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
    28  cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
    29  cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
    30  cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
    31  cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
    32  cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)
    33  cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
    34  systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=21377)
    35  hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
    36  mqueue on /dev/mqueue type mqueue (rw,relatime)
    37  debugfs on /sys/kernel/debug type debugfs (rw,relatime)
    38  tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime)
    39  binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)
    40  tmpfs on /run/user/131 type tmpfs (rw,nosuid,nodev,relatime,size=608368k,mode=700,uid=131,gid=142)
    41  tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=608368k,mode=700,uid=1000,gid=1000)
    42  /dev/sdb2 on /media/mpb/Kali Live type vfat (rw,nosuid,nodev,relatime,uid=1000,gid=1000,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,showexec,utf8,flush,errors=remount-ro,uhelper=udisks2)

root@kali:~# uname -r
4.19.0-kali4-amd64
step 8: complete post-install configuration and apply pending updates
to be completed - things to do once installed, and union mounts working
notes boundary here
Separate notes about an encrypted 3rd partition on a persistent Mageia live USB follow from here.
Appendix-3: Encrypted 3rd partition on persistent Mageia live USB
Preparation
Use a high speed USB memory stick with sufficient space. The example here uses a 128 GB USB 3.1 memory stick.
Use the procedure described here to create the ISO image, then use isodumper to write the ISO image to the USB.
Define memory_stick_device
memory_stick_device=/dev/sdb
Example:
To determine the correct device for the memory stick:
- In a terminal, type:
journalctl -fa #Display system log (dynamically updated)
- Plug in the USB
- Observe the system log (from step 1, above) to see the device name for the memory stick. Example:
Dec 12 16:19:17 localhost kernel: sd 7:0:0:0: [sdc] 4016128 512-byte logical blocks: (2.06 GB/1.92 GiB)
Here, the device name is sdc, so we would use: memory_stick_device=/dev/sdc
List what is already on the USB (after running isodumper)
/bin/sudo fdisk -l ${memory_stick_device}
Example:
[user@localhost ~]$ /bin/sudo fdisk -l ${memory_stick_device}
Disk /dev/sdb: 114.6 GiB, 123010547712 bytes, 240254976 sectors
Disk model: Ultra Fit
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot   Start     End Sectors  Size Id Type
/dev/sdb1  *          0 3030463 3030464  1.5G  0 Empty
/dev/sdb2       3030464 3038655    8192    4M ef EFI (FAT-12/16/32)
Create 3rd partition using remaining space on USB
/bin/sudo fdisk ${memory_stick_device}
# create 3rd partition
n
p
3
# blank = default start of free space
# blank = default end of free space
w
Example:
[user@localhost ~]$ /bin/sudo fdisk ${memory_stick_device}

Welcome to fdisk (util-linux 2.33.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Command (m for help): n
Partition type
   p   primary (2 primary, 0 extended, 2 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (3,4, default 3): 3
First sector (3038656-240254975, default 3039232):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (3039232-240254975, default 240254975):

Created a new partition 3 of type 'Linux' and of size 113.1 GiB.

Command (m for help): w
The partition table has been altered.
Syncing disks.
List contents to verify 3rd partition created
/bin/sudo fdisk -l ${memory_stick_device}
Example:
[user@localhost ~]$ /bin/sudo fdisk -l ${memory_stick_device}
Disk /dev/sdb: 114.6 GiB, 123010547712 bytes, 240254976 sectors
Disk model: Ultra Fit
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device     Boot   Start       End   Sectors   Size Id Type
/dev/sdb1  *          0   3030463   3030464   1.5G  0 Empty
/dev/sdb2       3030464   3038655      8192     4M ef EFI (FAT-12/16/32)
/dev/sdb3       3039232 240254975 237215744 113.1G 83 Linux
Note: 3rd partition named /dev/sdb3 created. Its size in this example is 113.1 GB, which is all the available space on the USB.
Initialise LUKS encryption on 3rd partition
Now we configure LUKS encryption. Please note the use of suffix 3 in these commands.
NB Choose a memorable encryption pass phrase and keep a record of it somewhere secure.
If you lose or forget the pass phrase you cannot recover any data on the encrypted partition.
/bin/sudo cryptsetup --verbose --verify-passphrase luksFormat ${memory_stick_device}3
Example:
[user@localhost ~]$ /bin/sudo cryptsetup --verbose --verify-passphrase luksFormat ${memory_stick_device}3
[sudo] password for user:

WARNING!
========
This will overwrite data on /dev/sdb3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/sdb3:
Verify passphrase:
Key slot 0 created.
Command successful.
Open LUKS encrypted 3rd partition
/bin/sudo cryptsetup luksOpen ${memory_stick_device}3 crypt_sdb3
Example:
[user@localhost ~]$ /bin/sudo cryptsetup luksOpen ${memory_stick_device}3 crypt_sdb3
Enter passphrase for /dev/sdb3:
Create filesystem on the LUKS partition and label it "mgalive-persist"
Note: it is important to label the partition mgalive-persist (using the -L option).
/bin/sudo mkfs.ext4 -L mgalive-persist /dev/mapper/crypt_sdb3
Example:
[user@localhost ~]$ /bin/sudo mkfs.ext4 -L mgalive-persist /dev/mapper/crypt_sdb3
mke2fs 1.45.4 (23-Sep-2019)
Creating filesystem with 29647872 4k blocks and 7413760 inodes
Filesystem UUID: 8b42f657-a104-4613-9c20-acfd8361aed2
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done
Writing inode tables: done
Creating journal (131072 blocks): done
Writing superblocks and filesystem accounting information: done
Close the LUKS encrypted 3rd partition
/bin/sudo cryptsetup luksClose /dev/mapper/crypt_sdb3
Example:
[root@localhost ~]# cryptsetup luksClose /dev/mapper/crypt_sdb3
Using the encrypted mgalive-persist USB
Steps:
- Plug the USB memory stick in highest speed USB port on computer
- Power up (or reboot) computer and tap ESC escape key during start to enable choice of boot device
- On HP systems: F9 key will select boot options menu
- Identify and select USB device to boot with
- When prompted, enter the encryption pass phrase you used to encrypt
- After startup and login, note the output from df to confirm encrypted 3rd partition is union mounted. You will see "overlay" and the size.
Example: showing the overlay in output from df command:
[live@localhost ~]$ df
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        2.9G     0  2.9G   0% /dev
tmpfs           2.9G     0  2.9G   0% /dev/shm
tmpfs           2.9G  1.3M  2.9G   1% /run
/dev/loop0      1.5G  1.5G     0 100% /run/mgalive/ovlsize
overlay         111G   97M  106G   1% /
tmpfs           2.9G     0  2.9G   0% /sys/fs/cgroup
tmpfs           2.9G  4.0K  2.9G   1% /tmp
tmpfs           593M   44K  593M   1% /run/user/1000
Note: The read-only 2nd partition, which is the ISO image created at the start, is shown here as:
/dev/loop0 1.5G 1.5G 0 100% /run/mgalive/ovlsize
The encrypted persistent 3rd partition is shown here as:
overlay 111G 97M 106G 1% /
This is a union mount of the 2nd and 3rd partitions. Any changes or updates are saved in the encrypted 3rd partition "overlay".
First use notes
Depending on the ISO that was created, there is probably a no-password login for user live. You probably need to create a new login and password for your own use then remove (or password protect) the live account.
You should also set a root password.
After checking that you have network connectivity, define the urpmi sources and apply pending system updates.
Example: Create login and set password
In this example, change mylogin (below) to your preferred login account name. Note the use of "-G wheel": this adds the account to the wheel group so that it can use sudo. Refer to Configuring_sudo for details on configuring sudo.
[live@localhost ~]$ /bin/su -c "/sbin/useradd -m mylogin -G wheel -s /bin/bash"
[live@localhost ~]$ /bin/su -c "/usr/bin/passwd mylogin"
Changing password for user mylogin.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Example: Check network configuration
[live@localhost ~]$ /usr/sbin/ifconfig
enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.35  netmask 255.255.255.0  broadcast 192.168.101.255
        inet6 fe80::7aac:c0ff:feb3:66a8  prefixlen 64  scopeid 0x20<link>
        ether 78:ac:c0:b3:66:a8  txqueuelen 1000  (Ethernet)
        RX packets 11658  bytes 14172640 (13.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8411  bytes 865070 (844.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Note: This shows that ethernet interface enp1s0 has IP address 192.168.1.35.
Example: verify network connectivity
[live@localhost ~]$ ping -c2 8.8.4.4
PING 8.8.4.4 (8.8.4.4) 56(84) bytes of data.
64 bytes from 8.8.4.4: icmp_seq=1 ttl=53 time=10.4 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=53 time=10.8 ms

--- 8.8.4.4 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 10.361/10.593/10.826/0.254 ms
Note: This shows that 2 ICMP echo requests (ping) received responses from 8.8.4.4 (one of Google's public DNS servers).
Example: configure Mageia URPMI media sources to network only
/bin/su -c "/usr/sbin/urpmi.removemedia -a && /usr/sbin/urpmi.addmedia --distrib --mirrorlist"
[live@localhost ~]$ /bin/su -c "/usr/sbin/urpmi.removemedia -a && /usr/sbin/urpmi.addmedia --distrib --mirrorlist"
removing medium "Live Core"
removing medium "Live Nonfree"
adding medium "Core Release"
adding medium "Core Release Debug" (ignored by default)
adding medium "Core Updates"
adding medium "Core Updates Debug" (ignored by default)
adding medium "Core Updates Testing" (ignored by default)
adding medium "Core Updates Testing Debug" (ignored by default)
adding medium "Core Backports" (ignored by default)
adding medium "Core Backports Debug" (ignored by default)
adding medium "Core Backports Testing" (ignored by default)
adding medium "Core Backports Testing Debug" (ignored by default)
adding medium "Nonfree Release"
adding medium "Nonfree Release Debug" (ignored by default)
adding medium "Nonfree Updates"
adding medium "Nonfree Updates Debug" (ignored by default)
adding medium "Nonfree Updates Testing" (ignored by default)
adding medium "Nonfree Updates Testing Debug" (ignored by default)
adding medium "Nonfree Backports" (ignored by default)
adding medium "Nonfree Backports Debug" (ignored by default)
adding medium "Nonfree Backports Testing" (ignored by default)
adding medium "Nonfree Backports Testing Debug" (ignored by default)
adding medium "Tainted Release" (ignored by default)
adding medium "Tainted Release Debug" (ignored by default)
adding medium "Tainted Updates" (ignored by default)
adding medium "Tainted Updates Debug" (ignored by default)
adding medium "Tainted Updates Testing" (ignored by default)
adding medium "Tainted Updates Testing Debug" (ignored by default)
adding medium "Tainted Backports" (ignored by default)
adding medium "Tainted Backports Debug" (ignored by default)
adding medium "Tainted Backports Testing" (ignored by default)
adding medium "Tainted Backports Testing Debug" (ignored by default)
adding medium "Core 32bit Release" (ignored by default)
adding medium "Core 32bit Updates" (ignored by default)
adding medium "Core 32bit Updates Testing" (ignored by default)
adding medium "Core 32bit Backports" (ignored by default)
adding medium "Core 32bit Backports Testing" (ignored by default)
adding medium "Nonfree 32bit Release" (ignored by default)
adding medium "Nonfree 32bit Updates" (ignored by default)
adding medium "Nonfree 32bit Updates Testing" (ignored by default)
adding medium "Nonfree 32bit Backports" (ignored by default)
adding medium "Nonfree 32bit Backports Testing" (ignored by default)
adding medium "Tainted 32bit Release" (ignored by default)
adding medium "Tainted 32bit Updates" (ignored by default)
adding medium "Tainted 32bit Updates Testing" (ignored by default)
adding medium "Tainted 32bit Backports" (ignored by default)
adding medium "Tainted 32bit Backports Testing" (ignored by default)
$MIRRORLIST: media/core/release/media_info/20190627-235351-synthesis.hdlist.cz
$MIRRORLIST: media/core/updates/media_info/20191208-180358-synthesis.hdlist.cz
$MIRRORLIST: media/nonfree/release/media_info/20190628-001219-synthesis.hdlist.cz
$MIRRORLIST: media/nonfree/updates/media_info/20191119-211043-synthesis.hdlist.cz
Example: Verify Mageia urpmi sources configuration
Here we install a single package (tcptraceroute) to confirm that the newly configured media are reachable and usable.
/bin/su -c "/usr/sbin/urpmi tcptraceroute"
[live@localhost ~]$ /bin/su -c "/usr/sbin/urpmi tcptraceroute"
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  lib64net1                      1.1.6        8.mga7        x86_64
  tcptraceroute                  1.5          1.beta7.11.m> x86_64
233KB of additional disk space will be used.
97KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y
    $MIRRORLIST: media/core/release/lib64net1-1.1.6-8.mga7.x86_64.rpm
    $MIRRORLIST: media/core/release/tcptraceroute-1.5-1.beta7.11.mga7.x86_64.rpm
installing tcptraceroute-1.5-1.beta7.11.mga7.x86_64.rpm lib64net1-1.1.6-8.mga7.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ###################################################################################
      1/2: lib64net1             ###################################################################################
      2/2: tcptraceroute         ###################################################################################
Example: apply pending updates
/bin/su -c "/usr/sbin/urpmi --auto-update"
[live@localhost ~]$ /bin/su -c "/usr/sbin/urpmi --auto-update"
medium "Core Release" is up-to-date
medium "Core Updates" is up-to-date
medium "Nonfree Release" is up-to-date
medium "Nonfree Updates" is up-to-date
Packages are up to date
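After reconfiguring the media it is worth confirming that only the intended media ended up enabled, and in particular that the "Updates" media are active, since that is where security fixes for the persistent live system come from. The small POSIX shell script below is an added example written for these notes, not part of the Mageia wiki page or of urpmi itself. It parses output in the shape printed by `urpmi.addmedia --distrib --mirrorlist` above (a constructed, shortened sample is embedded so it runs offline), lists the media that were added without being marked "(ignored by default)", and checks that a required set of media is present. On a real system you would capture the output of the `su -c` command above into the variable instead of using the sample; the list of required media is an assumption for this example.

```shell
#!/bin/sh
# Added example (not from the wiki page): parse urpmi.addmedia output and
# report which media are enabled, then confirm the update media are among them.

# Constructed sample in the shape of the "urpmi.addmedia --distrib --mirrorlist"
# output shown above (shortened). Replace with real captured output on a live system.
SAMPLE_ADDMEDIA_OUTPUT='removing medium "Live Core"
removing medium "Live Nonfree"
adding medium "Core Release"
adding medium "Core Release Debug" (ignored by default)
adding medium "Core Updates"
adding medium "Core Updates Testing" (ignored by default)
adding medium "Nonfree Release"
adding medium "Nonfree Updates"
adding medium "Tainted Release" (ignored by default)'

# Print, one per line, the names of media that were added and are NOT
# marked "(ignored by default)", i.e. the media urpmi will actually use.
enabled_media() {
    printf '%s\n' "$1" \
      | grep '^adding medium "' \
      | grep -v '(ignored by default)$' \
      | sed 's/^adding medium "\(.*\)"$/\1/'
}

# Return 0 when every required medium is enabled, 1 otherwise.
# The required set is an assumption for this example: release media plus
# the matching update media, so that security updates are applied by
# "urpmi --auto-update".
check_update_media() {
    enabled=$(enabled_media "$1")
    rc=0
    for required in "Core Release" "Core Updates" "Nonfree Release" "Nonfree Updates"; do
        if ! printf '%s\n' "$enabled" | grep -qx "$required"; then
            echo "missing required medium: $required" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: list the enabled media from the sample and run the check.
enabled_media "$SAMPLE_ADDMEDIA_OUTPUT"
check_update_media "$SAMPLE_ADDMEDIA_OUTPUT" && echo "update media OK"
```

The check deliberately treats anything marked "(ignored by default)" as disabled, so Testing, Backports and Debug media do not count as a source of updates even though they were added to the configuration.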