Setup Raspbian Wheezy Images with dm-crypt/LUKS and LVM2 for Gateway and Workspace

Create bootsd

In order to configure LUKS and LVM2 on an existing Raspbian wheezy system, you must mount the system read-only, so first you need a Raspbian wheezy system in which to mount it. Working in Debian wheezy, download the archived Raspbian wheezy image. Extract the image, and write it to an 8GB class 10 microSDHC card. When you insert the card, it will probably be auto-mounted. Assuming that your system disk is /dev/sda and the card appears as /dev/sdb, first unmount /dev/sdb1.

$ sudo umount /dev/sdb1

Then write the image to the microSDHC card.

$ sudo dd bs=4M if=/home/user/Pi_Stuff/2015-02-16-raspbian-wheezy.img of=/dev/sdb

Now put the card in your Pi 2, and power up by attaching the micro-USB power cable. At first boot, you get the raspi-config screen. Select "Expand Filesystem" to expand the image to fill your SD card. Then select "Change User Password" (the default being "raspberry"). Select "Internationalisation Options" to configure language, timezone and keyboard layout. Using "Advanced Options", change the hostname (perhaps to "bootsd") and enable the SSH server. Also "Enable Boot to Desktop", because that will facilitate setup; you can switch back to the text console later, if you like. Finally, tab to "Finish", let the Pi reboot, and log in as user pi.

If you haven't updated the Pi's firmware recently, do so, and then let the Pi reboot.

$ sudo rpi-update

First configure eth0. You'll be backing up and restoring files via SSH, so it's best to have a static IP address. This assumes that your LAN is on <192.168.1.0/24>.

$ sudo nano /etc/network/interfaces
........................
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
   address 192.168.1.2
   netmask 255.255.255.0
   gateway 192.168.1.1
........................

$ sudo ifdown eth0
$ sudo ifup eth0
$ sudo ifconfig
=> 192.168.1.2

Add some DNS servers (here OpenDNS).

$ sudo nano /etc/resolv.conf
.........................
domain localdomain
search localdomain
nameserver 208.67.220.220
nameserver 208.67.222.222
.........................

Update the package lists, do a dist-upgrade, install the required packages (cryptsetup, lvm2 and dcfldd), reboot, and then shut down.

$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo apt-get install cryptsetup
$ sudo apt-get install lvm2
$ sudo apt-get install dcfldd
$ sudo reboot
$ sudo shutdown -hP now

Create gatewaysd Image

Flash another 8GB class 10 microSDHC card as above. Complete the raspi-config utility as above, except change the hostname here to gatewaysd. Then let the Pi reboot, and log in as user pi. Configure eth0 and DNS servers as above. Then, as above, update the package lists, do a dist-upgrade, install the required packages, and reboot.

Now set a root password, create an initramfs, enable it in /boot/config.txt, and shut down. You will need to log in to the (initramfs) shell as root to set up LUKS and LVM2.

$ sudo passwd
$ sudo mkinitramfs -o /boot/initramfs.gz
$ sudo nano /boot/config.txt
...................................
...
initramfs initramfs.gz followkernel
...................................
$ sudo shutdown -hP now

Create workspacesd Image

Flash a 32GB class 10 microSDHC card as above. Complete the raspi-config utility as above, except change the hostname here to workspacesd. Then let the Pi reboot, and log in as user pi. Configure eth0 and DNS servers as above. Then, as above, update the package lists, do a dist-upgrade, install the required packages, and reboot.

Now set a root password, create an initramfs, enable it in /boot/config.txt, and shut down. You will need to log in to the (initramfs) shell as root to set up LUKS and LVM2.

$ sudo passwd
$ sudo mkinitramfs -o /boot/initramfs.gz
$ sudo nano /boot/config.txt
...................................
...
initramfs initramfs.gz followkernel
...................................
$ sudo shutdown -hP now

Setup dm-crypt/LUKS and LVM2 on 8GB gatewaysd

You will be backing up ~4GB from gatewaysd to another device on <192.168.1.0/24>, so make sure that there's enough space on the backup target. After finishing gatewaysd, you can delete the backup before repeating the process for workspacesd. I assume here that it's at <192.168.1.101>.

Boot bootsd with gatewaysd in a USB card adapter, log in as pi, and back up to a target computer on the LAN. The bootsd /boot and / filesystems are at /dev/mmcblk0p1 and /dev/mmcblk0p2, respectively, so gatewaysd (in the adapter) is at /dev/sda.

$ sudo mount /dev/sda2 /mnt/usb
$ sudo rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} /mnt/usb/ user@192.168.1.101:/home/user/backup/root/
$ sudo umount /mnt/usb

Now, on the backup target, move the home tree out of the root backup (it will be restored to its own logical volume) and leave an empty mount point in its place:

$ mv /home/user/backup/root/home /home/user/backup/home
$ mkdir /home/user/backup/root/home

Back on the Pi, wipe the initial root partition with random data. Then encrypt it, and configure LVM2 inside the LUKS container.

$ sudo dcfldd if=/dev/urandom of=/dev/sda2
$ sudo cryptsetup luksFormat --verify-passphrase /dev/sda2
$ sudo cryptsetup luksOpen /dev/sda2 crypt
$ sudo service lvm2 start
$ sudo pvcreate /dev/mapper/crypt
$ sudo vgcreate cvg /dev/mapper/crypt
$ sudo lvcreate -L 500M cvg -n swap
$ sudo lvcreate -L 4G cvg -n root
$ sudo lvcreate -l +100%FREE cvg -n home

Now create the swap area and filesystems on the logical volumes, create mount points, and mount them.

$ sudo mkswap -L swap /dev/mapper/cvg-swap
$ sudo mkfs.ext4 /dev/mapper/cvg-root
$ sudo mkfs.ext4 /dev/mapper/cvg-home
$ sudo mkdir /mnt/boot
$ sudo mkdir /mnt/root
$ sudo mkdir /mnt/home
$ sudo mount /dev/sda1 /mnt/boot
$ sudo mount /dev/mapper/cvg-root /mnt/root
$ sudo mount /dev/mapper/cvg-home /mnt/home

Then restore from the backup (the source paths match the backup step above).

$ sudo rsync -aAXv user@192.168.1.101:/home/user/backup/home/ /mnt/home/
$ sudo rsync -aAXv user@192.168.1.101:/home/user/backup/root/ /mnt/root/
$ sudo chown -R root:root /mnt/root

Now edit cmdline.txt so the kernel is told which partition to unlock and which mapped volume holds the root filesystem.

$ sudo nano /mnt/boot/cmdline.txt
..............................................................................................................................................................
dwc_otg.lpm_enable=0 console=ttyAMA0,115200 console=tty1 root=/dev/mapper/cvg-root cryptdevice=/dev/mmcblk0p2:crypt rootfstype=ext4 elevator=deadline rootwait
..............................................................................................................................................................

Also edit fstab (crudely, for now; it is corrected after the first boot).

$ sudo nano /mnt/root/etc/fstab
.......................................................................
proc                               proc     defaults          0       0
/dev/mmcblk0p1     /boot           vfat     defaults          0       2
/dev/mapper/crypt  /               ext4     defaults,noatime  0       1
.......................................................................

And edit crypttab (which is tab-delimited) so the initramfs knows to open /dev/mmcblk0p2 as crypt.

$ sudo nano /mnt/root/etc/crypttab
....................................
crypt   /dev/mmcblk0p2  none    luks
....................................
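As an added check that is not part of the original guide, the following script verifies that the three files just edited (cmdline.txt, crypttab and the crude fstab) agree with each other before the first boot; it applies equally to the workspacesd card below. It assumes the staging layout used here ($1/boot and $1/root, i.e. /mnt/boot and /mnt/root) and builds a constructed copy of the guide's files to show that the crude fstab, which names /dev/mapper/crypt rather than /dev/mapper/cvg-root as the root device, is flagged while the corrected one passes.

```shell
#!/bin/sh
# Added pre-boot consistency check (not from the original guide). It checks
# that cmdline.txt, crypttab and fstab agree on the LUKS mapper name, the
# encrypted partition and the root device. Assumed layout: $1/boot/cmdline.txt,
# $1/root/etc/crypttab, $1/root/etc/fstab, i.e. the /mnt/boot and /mnt/root trees.
check_crypt_config() {
    dir=$1; rc=0
    # cryptdevice=<partition>:<mapper> and root=<device> from the kernel line
    cryptdev=$(tr ' ' '\n' < "$dir/boot/cmdline.txt" | sed -n 's/^cryptdevice=//p')
    rootdev=$(tr ' ' '\n' < "$dir/boot/cmdline.txt" | sed -n 's/^root=//p')
    part=${cryptdev%%:*}; mapper=${cryptdev##*:}
    # crypttab fields: <mapper> <source> <keyfile> <options>; comments ignored
    ct_mapper=$(awk '!/^#/ && NF { print $1; exit }' "$dir/root/etc/crypttab")
    ct_part=$(awk '!/^#/ && NF { print $2; exit }' "$dir/root/etc/crypttab")
    # fstab: whatever is mounted on / must be the root= device from cmdline
    fs_root=$(awk '!/^#/ && $2 == "/" { print $1; exit }' "$dir/root/etc/fstab")
    [ "$mapper" = "$ct_mapper" ] || { echo "mapper: cmdline=$mapper crypttab=$ct_mapper"; rc=1; }
    [ "$part" = "$ct_part" ]     || { echo "partition: cmdline=$part crypttab=$ct_part"; rc=1; }
    [ "$rootdev" = "$fs_root" ]  || { echo "root device: cmdline=$rootdev fstab=$fs_root"; rc=1; }
    return $rc
}

# Constructed staging tree using the guide's cmdline.txt and crypttab values;
# "$2" picks the crude fstab from before the first boot or the fixed one.
make_sample() {
    dir=$1
    mkdir -p "$dir/boot" "$dir/root/etc"
    echo 'dwc_otg.lpm_enable=0 console=tty1 root=/dev/mapper/cvg-root cryptdevice=/dev/mmcblk0p2:crypt rootfstype=ext4 elevator=deadline rootwait' > "$dir/boot/cmdline.txt"
    printf 'crypt\t/dev/mmcblk0p2\tnone\tluks\n' > "$dir/root/etc/crypttab"
    if [ "$2" = crude ]; then root=/dev/mapper/crypt; else root=/dev/mapper/cvg-root; fi
    printf '/dev/mmcblk0p1 /boot vfat defaults 0 2\n%s / ext4 defaults,noatime 0 1\n' "$root" > "$dir/root/etc/fstab"
}

# Stand-alone demo: the crude fstab must be flagged, the fixed one must pass.
tmp=$(mktemp -d)
make_sample "$tmp" crude
check_crypt_config "$tmp" || echo "-> crude fstab rejected (expected before the fix)"
make_sample "$tmp" fixed
check_crypt_config "$tmp" && echo "-> fixed config is consistent"
rm -rf "$tmp"
```

To run it against the real staging tree, call check_crypt_config on a directory that contains boot/ and root/ (or symlink /mnt/boot and /mnt/root into one).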

Then unmount everything, stop LVM, and shut down.

$ sudo umount /mnt/boot
$ sudo umount /mnt/root
$ sudo umount /mnt/home
$ sudo service lvm2 stop
$ sudo shutdown -hP now

Now boot gatewaysd and fix things up. The first boot will fail, and you will drop into the (initramfs) shell. Open the LUKS container by hand and look at the logical volumes.

(initramfs) cryptsetup luksOpen /dev/mmcblk0p2 crypt
(initramfs) lvm
lvm> lvscan
inactive           '/dev/cvg/swap' [500.00 MiB] inherit
inactive           '/dev/cvg/root' [4.00 GiB] inherit
inactive           '/dev/cvg/home' [2.85 GiB] inherit
lvm> lvs
LV   VG   Attr     LSize   Pool Origin Data%  Move Log Copy%  Convert
home cvg  -wi-----   2.85g
root cvg  -wi-----   4.00g
swap cvg  -wi----- 500.00m

You need to activate the logical volumes, because they weren't activated (and so weren't mounted from fstab) at bootup.

lvm> vgchange -a y
3 logical volume(s) in volume group "cvg" now active
lvm> lvscan
ACTIVE            '/dev/cvg/swap' [500.00 MiB] inherit
ACTIVE            '/dev/cvg/root' [4.00 GiB] inherit
ACTIVE            '/dev/cvg/home' [2.85 GiB] inherit
lvm> lvs
LV   VG   Attr     LSize   Pool Origin Data%  Move Log Copy%  Convert
home cvg  -wi-a---   2.85g
root cvg  -wi-a---   4.00g
swap cvg  -wi-a--- 500.00m
lvm> quit
Exiting.
(initramfs) exit

After the system finishes booting, log in as root, fix fstab, and rewrite the initramfs so that the next boot opens the container and activates the volumes itself.

# nano /etc/fstab
......................................................................
proc                  /proc       proc    defaults          0        0
/dev/mmcblk0p1        /boot       vfat    defaults          0        2
/dev/mapper/cvg-root  /           ext4    defaults,noatime  0        1
/dev/mapper/cvg-home  /home       ext4    defaults          0        2
/dev/mapper/cvg-swap  none        swap    sw                0        0
......................................................................
# mount /dev/mmcblk0p1 /mnt/boot
# mkinitramfs -o /mnt/boot/initramfs.gz

You need to remove and reinstall sudo, in order to fix a setuid glitch introduced by the process: the recursive chown during the restore stripped the setuid bit from the sudo binary, and reinstalling the package restores it.

# apt-get remove sudo
# apt-get install sudo
# reboot

Now log in as user "pi", and confirm that sudo works, that the logical volumes are active (the fifth Attr character is a, i.e. ....a...), and that all filesystems have been mounted (the sixth Attr character is o, i.e. .....o..).

$ sudo su
# lvm
lvm> lvs
LV   VG   Attr     LSize   Pool Origin Data%  Move Log Copy%  Convert
home cvg  -wi-ao--   2.85g
root cvg  -wi-ao--   4.00g
swap cvg  -wi-ao-- 500.00m
lvm> quit
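The Attr check above can be automated. This is an added helper, not part of the original guide: it reads lvs output and fails unless every logical volume is both active and open, using the two lvs listings shown in this guide as constructed sample input.

```shell
#!/bin/sh
# Added helper (not from the original guide): read `lvs` output and confirm
# every logical volume is active (Attr position 5 = 'a') and open, i.e.
# mounted or in use as swap (Attr position 6 = 'o'). Exit status 0 = all good.
# Real use: sudo lvs | check_lvs_attr
check_lvs_attr() {
    awk '
        $1 == "LV" { next }                       # skip the header row
        NF >= 3 {
            attr = $3
            state = substr(attr, 5, 1); open = substr(attr, 6, 1)
            if (state != "a") { printf "%s/%s is not active (%s)\n", $2, $1, attr; bad = 1 }
            if (open != "o")  { printf "%s/%s is not open (%s)\n", $2, $1, attr; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed samples copied from the two states shown in the guide.
LVS_AFTER_VGCHANGE='LV   VG   Attr     LSize
home cvg  -wi-a---   2.85g
root cvg  -wi-a---   4.00g
swap cvg  -wi-a--- 500.00m'

LVS_AFTER_REBOOT='LV   VG   Attr     LSize
home cvg  -wi-ao--   2.85g
root cvg  -wi-ao--   4.00g
swap cvg  -wi-ao-- 500.00m'

printf '%s\n' "$LVS_AFTER_VGCHANGE" | check_lvs_attr || echo "-> active but not yet mounted (expected before reboot)"
printf '%s\n' "$LVS_AFTER_REBOOT"   | check_lvs_attr && echo "-> all volumes active and open"
```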

And that's it. You are done creating gatewaysd.

# shutdown -hP now

After creating workspacesd, set up the gateway with a VPN client (iVPN, etc.) and Tor.

Setup dm-crypt/LUKS and LVM2 on 32GB workspacesd

You will be backing up ~4GB from workspacesd to another device on <192.168.1.0/24>, so make sure that there's enough space on the backup target. I assume here that it's at <192.168.1.101>.

Boot bootsd with workspacesd in a USB card adapter, log in as pi, and back up to a target computer on the LAN. The bootsd /boot and / filesystems are at /dev/mmcblk0p1 and /dev/mmcblk0p2, respectively, so workspacesd (in the adapter) is at /dev/sda.

$ sudo mount /dev/sda2 /mnt/usb
$ sudo rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} /mnt/usb/ user@192.168.1.101:/home/user/backup/root/
$ sudo umount /mnt/usb

Now, on the backup target, move the home tree out of the root backup (it will be restored to its own logical volume) and leave an empty mount point in its place:

$ mv /home/user/backup/root/home /home/user/backup/home
$ mkdir /home/user/backup/root/home

Back on the Pi, wipe the initial root partition with random data. Then encrypt it, and configure LVM2 inside the LUKS container.

$ sudo dcfldd if=/dev/urandom of=/dev/sda2
$ sudo cryptsetup luksFormat --verify-passphrase /dev/sda2
$ sudo cryptsetup luksOpen /dev/sda2 crypt
$ sudo service lvm2 start
$ sudo pvcreate /dev/mapper/crypt
$ sudo vgcreate cvg /dev/mapper/crypt
$ sudo lvcreate -L 500M cvg -n swap
$ sudo lvcreate -L 6G cvg -n root
$ sudo lvcreate -l +100%FREE cvg -n home

Now create the swap area and filesystems on the logical volumes, create mount points, and mount them.

$ sudo mkswap -L swap /dev/mapper/cvg-swap
$ sudo mkfs.ext4 /dev/mapper/cvg-root
$ sudo mkfs.ext4 /dev/mapper/cvg-home
$ sudo mkdir /mnt/boot
$ sudo mkdir /mnt/root
$ sudo mkdir /mnt/home
$ sudo mount /dev/sda1 /mnt/boot
$ sudo mount /dev/mapper/cvg-root /mnt/root
$ sudo mount /dev/mapper/cvg-home /mnt/home

Then restore from the backup (the source paths match the backup step above).

$ sudo rsync -aAXv user@192.168.1.101:/home/user/backup/home/ /mnt/home/
$ sudo rsync -aAXv user@192.168.1.101:/home/user/backup/root/ /mnt/root/
$ sudo chown -R root:root /mnt/root

Now edit cmdline.txt so the kernel is told which partition to unlock and which mapped volume holds the root filesystem.

$ sudo nano /mnt/boot/cmdline.txt
..............................................................................................................................................................
dwc_otg.lpm_enable=0 console=ttyAMA0,115200 console=tty1 root=/dev/mapper/cvg-root cryptdevice=/dev/mmcblk0p2:crypt rootfstype=ext4 elevator=deadline rootwait
..............................................................................................................................................................

Also edit fstab (crudely, for now; it is corrected after the first boot).

$ sudo nano /mnt/root/etc/fstab
.......................................................................
proc                               proc     defaults          0       0
/dev/mmcblk0p1     /boot           vfat     defaults          0       2
/dev/mapper/crypt  /               ext4     defaults,noatime  0       1
.......................................................................

And edit crypttab (which is tab-delimited) so the initramfs knows to open /dev/mmcblk0p2 as crypt.

$ sudo nano /mnt/root/etc/crypttab
....................................
crypt   /dev/mmcblk0p2  none    luks
....................................

Then unmount everything, stop LVM, and shut down.

$ sudo umount /mnt/boot
$ sudo umount /mnt/root
$ sudo umount /mnt/home
$ sudo service lvm2 stop
$ sudo shutdown -hP now

Now boot workspacesd and fix things up. The first boot will fail, and you will drop into the (initramfs) shell. Open the LUKS container by hand and look at the logical volumes.

(initramfs) cryptsetup luksOpen /dev/mmcblk0p2 crypt
(initramfs) lvm
lvm> lvscan
inactive           '/dev/cvg/swap' [500.00 MiB] inherit
inactive           '/dev/cvg/root' [6.00 GiB] inherit
inactive           '/dev/cvg/home' [23.17 GiB] inherit
lvm> lvs
LV   VG   Attr     LSize   Pool Origin Data%  Move Log Copy%  Convert
home cvg  -wi-----  23.17g
root cvg  -wi-----   6.00g
swap cvg  -wi----- 500.00m

You need to activate the logical volumes, because they weren't activated (and so weren't mounted from fstab) at bootup.

lvm> vgchange -a y
3 logical volume(s) in volume group "cvg" now active
lvm> lvscan
ACTIVE            '/dev/cvg/swap' [500.00 MiB] inherit
ACTIVE            '/dev/cvg/root' [6.00 GiB] inherit
ACTIVE            '/dev/cvg/home' [23.17 GiB] inherit
lvm> lvs
LV   VG   Attr     LSize   Pool Origin Data%  Move Log Copy%  Convert
home cvg  -wi-a---  23.17g
root cvg  -wi-a---   6.00g
swap cvg  -wi-a--- 500.00m
lvm> quit
Exiting.
(initramfs) exit

After the system finishes booting, log in as root, fix fstab, and rewrite the initramfs so that the next boot opens the container and activates the volumes itself.

# nano /etc/fstab
......................................................................
proc                  /proc       proc    defaults          0        0
/dev/mmcblk0p1        /boot       vfat    defaults          0        2
/dev/mapper/cvg-root  /           ext4    defaults,noatime  0        1
/dev/mapper/cvg-home  /home       ext4    defaults          0        2
/dev/mapper/cvg-swap  none        swap    sw                0        0
......................................................................
# mount /dev/mmcblk0p1 /mnt/boot
# mkinitramfs -o /mnt/boot/initramfs.gz

You need to remove and reinstall sudo, in order to fix a setuid glitch introduced by the process: the recursive chown during the restore stripped the setuid bit from the sudo binary, and reinstalling the package restores it.

# apt-get remove sudo
# apt-get install sudo
# reboot

Now log in as user "pi", and confirm that sudo works, that the logical volumes are active (the fifth Attr character is a, i.e. ....a...), and that all filesystems have been mounted (the sixth Attr character is o, i.e. .....o..).

$ sudo su
# lvm
lvm> lvs
LV   VG   Attr     LSize   Pool Origin Data%  Move Log Copy%  Convert
home cvg  -wi-ao--  23.17g
root cvg  -wi-ao--   6.00g
swap cvg  -wi-ao-- 500.00m
lvm> quit

Now start the raspi-config utility again.

$ sudo raspi-config

"Enable Boot to Desktop", tab to "Finish" and let the Pi reboot.

And that's it. You are done creating workspacesd.

$ sudo shutdown -hP now

Now set up the workspace with Tor Browser and other apps.