Create bootsd
In order to configure LUKS and LVM2 on an existing Raspbian wheezy system, you must mount the system read-only. So first, you need a Raspbian wheezy system in which to mount it. Working in Debian wheezy, download the archived Raspbian wheezy image. Extract the image, and write it to an 8GB class 10 microSDHC card. When you insert the card, it will probably be mounted. Assuming that your system is on /dev/sda, first unmount /dev/sdb1.
$ sudo umount /dev/sdb1
Then write the image to the microSDHC card.
$ sudo dd bs=4M if=/home/user/Pi_Stuff/2015-02-16-raspbian-wheezy.img of=/dev/sdb
Now put the card in your Pi 2, and powerup by attaching the micro-USB power cable. At first boot, you get the raspi-config screen. Select "Expand Filesystem" to expand the image to fill your SD card. Then select "Change User Password" (default being "raspberry"). Select "Internationalisation Options" to configure language, timezone and keyboard layout. Using "Advanced Options", change the hostname (perhaps to "bootsd") and enable SSH server. Also "Enable Boot to Desktop", because that will facilitate setup. You can later switch back to text console, if you like. Finally, tab to "Finish", let the Pi reboot, and login as user pi.
If you haven't updated the Pi's firmware recently, do so, and then let the Pi reboot.
$ sudo rpi-update
First configure eth0. You'll be backing up and restoring files via SSH, so it's best to have a static IP address. This assumes that your LAN is on <192.168.1.0/24>.
$ sudo nano /etc/network/interfaces
........................
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
........................
$ sudo ifdown eth0
$ sudo ifup eth0
$ sudo ifconfig
=> 192.168.1.2
Add some DNS servers (here OpenDNS).
$ sudo nano /etc/resolv.conf
.........................
domain localdomain
search localdomain
nameserver 208.67.220.220
nameserver 208.67.222.222
.........................
Update the package lists, do dist-upgrade, and install required packages.
$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo apt-get install cryptsetup
$ sudo apt-get install lvm2
$ sudo apt-get install dcfldd
$ sudo reboot
$ sudo shutdown -hP now
Create gatewaysd Image
Flash another 8GB class 10 microSDHC card as above. Complete the raspi-config utility as above, except change the hostname here to gatewaysd. Then let the Pi reboot, and login as user pi. Configure eth0 and DNS servers as above. Then as above, update the package lists, do dist-upgrade, install required packages, and reboot.
Now set a root password, create initramfs, enable in /boot/config.txt, and shutdown. You will need to login to (initramfs) as root to setup LUKS and LVM2.
$ sudo passwd
$ sudo mkinitramfs -o /boot/initramfs.gz
$ sudo nano /boot/config.txt
...................................
...
initramfs initramfs.gz followkernel
...................................
$ sudo shutdown -hP now
Create workspacesd Image
Flash a 32GB class 10 microSDHC card as above. Complete the raspi-config utility as above, except change the hostname here to workspacesd. Then let the Pi reboot, and login as user pi. Configure eth0 and DNS servers as above. Then as above, update the package lists, do dist-upgrade, install required packages, and reboot.
Now set a root password, create initramfs, enable in /boot/config.txt, and shutdown. You will need to login to (initramfs) as root to setup LUKS and LVM2.
$ sudo passwd
$ sudo mkinitramfs -o /boot/initramfs.gz
$ sudo nano /boot/config.txt
...................................
...
initramfs initramfs.gz followkernel
...................................
$ sudo shutdown -hP now
Setup dm-crypt/LUKS and LVM2 on 8GB gatewaysd
You will be backing up ~4GB from gatewaysd to another device on <192.168.1.0/24>, so make sure that there's enough space on the backup target. After finishing gatewaysd, you can delete the backup before repeating the process for workspacesd. I assume here that it's at <192.168.1.101>.
Boot bootsd with gatewaysd in a USB adapter, login as pi, and backup to a target computer on LAN. The bootsd /boot and / filesystems are at /dev/mmcblk0p1 and /dev/mmcblk0p2, respectively, so gatewaysd is at /dev/sda.
$ sudo mount /dev/sda2 /mnt/usb
$ sudo rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} /mnt/usb/ user@192.168.1.101:/home/user/backup/root/
$ sudo umount /mnt/usb
Now tweak the backup on the target:
$ mv /home/user/backup/root/home /home/user/backup/home
$ mkdir /home/user/backup/root/home
Back on the Pi, wipe the initial root partition. Then encrypt, and configure LVM2.
$ sudo dcfldd if=/dev/urandom of=/dev/sda2
$ sudo cryptsetup luksFormat --verify-passphrase /dev/sda2
$ sudo cryptsetup luksOpen /dev/sda2 crypt
$ sudo service lvm2 start
$ sudo pvcreate /dev/mapper/crypt
$ sudo vgcreate cvg /dev/mapper/crypt
$ sudo lvcreate -L 500M cvg -n swap
$ sudo lvcreate -L 4G cvg -n root
$ sudo lvcreate -l +100%FREE cvg -n home
Now setup logical volumes, create mount points, and mount them.
$ sudo mkswap -L swap /dev/mapper/cvg-swap
$ sudo mkfs.ext4 /dev/mapper/cvg-root
$ sudo mkfs.ext4 /dev/mapper/cvg-home
$ sudo mkdir /mnt/boot
$ sudo mkdir /mnt/root
$ sudo mkdir /mnt/home
$ sudo mount /dev/sda1 /mnt/boot
$ sudo mount /dev/mapper/cvg-root /mnt/root
$ sudo mount /dev/mapper/cvg-home /mnt/home
Then restore from the backup.
$ sudo rsync -aAXv user@192.168.1.101:/home/user/Pi_Stuff/pione_backup_home/ /mnt/home/
$ sudo rsync -aAXv user@192.168.1.101:/home/user/Pi_Stuff/pione_backup/ /mnt/root/
$ sudo chown -R root:root /mnt/root
Now tweak cmdline.txt.
$ sudo nano /mnt/boot/cmdline.txt
..............................................................................................................................................................
dwc_otg.lpm_enable=0 console=ttyAMA0,115200 console=tty1 root=/dev/mapper/cvg-root cryptdevice=/dev/mmcblk0p2:crypt rootfstype=ext4 elevator=deadline rootwait
..............................................................................................................................................................
Also tweak (crudely, for now) fstab.
$ sudo nano /mnt/root/etc/fstab
.......................................................................
proc proc defaults 0 0
/dev/mmcblk0p1 /boot vfat defaults 0 2
/dev/mapper/crypt / ext4 defaults,noatime 0 1
.......................................................................
And tweak crypttab (which is tab-delimited).
$ sudo nano /mnt/root/etc/crypttab
....................................
crypt /dev/mmcblk0p2 none luks
....................................
Then unmount stuff and shutdown.
$ sudo umount /mnt/boot
$ sudo umount /mnt/root
$ sudo umount /mnt/home
$ sudo service lvm2 stop
$ sudo shutdown -hP now
Now boot gatewaysd and fix stuff. The first boot will fail, and you will drop into (initramfs).
(initramfs) cryptsetup luksOpen /dev/mmcblk0p2 crypt
(initramfs) lvm
lvm> lvscan
inactive '/dev/cvg/swap' [500.00 MiB] inherit
inactive '/dev/cvg/root' [4.00 GiB] inherit
inactive '/dev/cvg/home' [2.85 GiB] inherit
lvm> lvs
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert
home cvg -wi----- 2.85g
root cvg -wi----- 4.00g
swap cvg -wi----- 500.00m
You need to activate the logical volumes, because they weren't mounted from fstab at bootup.
lvm> vgchange -a y
3 logical volume(s) in volume group "cvg" now active
lvm> lvscan
ACTIVE '/dev/cvg/swap' [500.00 MiB] inherit
ACTIVE '/dev/cvg/root' [4.00 GiB] inherit
ACTIVE '/dev/cvg/home' [2.85 GiB] inherit
lvm> lvs
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert
home cvg -wi-a--- 2.85g
root cvg -wi-a--- 4.00g
swap cvg -wi-a--- 500.00m
lvm> quit
Exiting.
(initramfs) exit
After the system finishes booting, login as root, fix fstab, and rewrite initramfs.
# nano /etc/fstab
......................................................................
proc /proc proc defaults 0 0
/dev/mmcblk0p1 /boot vfat defaults 0 2
/dev/mapper/cvg-root / ext4 defaults,noatime 0 1
/dev/mapper/cvg-home /home ext4 defaults 0 2
/dev/mapper/cvg-swap none swap sw 0 0
......................................................................
# mount /dev/mmcblk0p1 /mnt/boot
# mkinitramfs -o /mnt/boot/initramfs.gz
You need to remove and reinstall sudo, in order to fix a setuid glitch introduced by the process.
# apt-get remove sudo
# apt-get install sudo
# reboot
Now login as user "pi", and confirm that sudo works, that logical volumes are active (Attr ....a...), and that all filesystems have been mounted (Attr .....o..).
$ sudo su
# lvm
lvm> lvs
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert
home cvg -wi-ao-- 2.85g
root cvg -wi-ao-- 4.00g
swap cvg -wi-ao-- 500.00m
lvm> quit
And that's it. You are done creating gatewaysd.
# shutdown -hP now
After creating workspacesd, setup the gateway with an iVPN (etc) client and Tor.
Setup dm-crypt/LUKS and LVM2 on 32GB workspacesd
You will be backing up ~4GB from workspacesd to another device on <192.168.1.0/24>, so make sure that there's enough space on the backup target. I assume here that it's at <192.168.1.101>.
Boot bootsd with workspacesd in a USB adapter, login as pi, and backup to a target computer on LAN. The bootsd /boot and / filesystems are at /dev/mmcblk0p1 and /dev/mmcblk0p2, respectively, so workspacesd is at /dev/sda.
$ sudo mount /dev/sda2 /mnt/usb
$ sudo rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} /mnt/usb/ user@192.168.1.101:/home/user/backup/root/
$ sudo umount /mnt/usb
Now tweak the backup on the target:
$ mv /home/user/backup/root/home /home/user/backup/home
$ mkdir /home/user/backup/root/home
Back on the Pi, wipe the initial root partition. Then encrypt, and configure LVM2.
$ sudo dcfldd if=/dev/urandom of=/dev/sda2
$ sudo cryptsetup luksFormat --verify-passphrase /dev/sda2
$ sudo cryptsetup luksOpen /dev/sda2 crypt
$ sudo service lvm2 start
$ sudo pvcreate /dev/mapper/crypt
$ sudo vgcreate cvg /dev/mapper/crypt
$ sudo lvcreate -L 500M cvg -n swap
$ sudo lvcreate -L 6G cvg -n root
$ sudo lvcreate -l +100%FREE cvg -n home
Now setup logical volumes, create mount points, and mount them.
$ sudo mkswap -L swap /dev/mapper/cvg-swap
$ sudo mkfs.ext4 /dev/mapper/cvg-root
$ sudo mkfs.ext4 /dev/mapper/cvg-home
$ sudo mkdir /mnt/boot
$ sudo mkdir /mnt/root
$ sudo mkdir /mnt/home
$ sudo mount /dev/sda1 /mnt/boot
$ sudo mount /dev/mapper/cvg-root /mnt/root
$ sudo mount /dev/mapper/cvg-home /mnt/home
Then restore from the backup.
$ sudo rsync -aAXv user@192.168.1.101:/home/user/Pi_Stuff/pione_backup_home/ /mnt/home/
$ sudo rsync -aAXv user@192.168.1.101:/home/user/Pi_Stuff/pione_backup/ /mnt/root/
$ sudo chown -R root:root /mnt/root
Now tweak cmdline.txt.
$ sudo nano /mnt/boot/cmdline.txt
..............................................................................................................................................................
dwc_otg.lpm_enable=0 console=ttyAMA0,115200 console=tty1 root=/dev/mapper/cvg-root cryptdevice=/dev/mmcblk0p2:crypt rootfstype=ext4 elevator=deadline rootwait
..............................................................................................................................................................
Also tweak (crudely, for now) fstab.
$ sudo nano /mnt/root/etc/fstab
.......................................................................
proc proc defaults 0 0
/dev/mmcblk0p1 /boot vfat defaults 0 2
/dev/mapper/crypt / ext4 defaults,noatime 0 1
.......................................................................
And tweak crypttab (which is tab-delimited).
$ sudo nano /mnt/root/etc/crypttab
....................................
crypt /dev/mmcblk0p2 none luks
....................................
Then unmount stuff and shutdown.
$ sudo umount /mnt/boot
$ sudo umount /mnt/root
$ sudo umount /mnt/home
$ sudo service lvm2 stop
$ sudo shutdown -hP now
Now boot workspacesd and fix stuff. The first boot will fail, and you will drop into (initramfs).
(initramfs) cryptsetup luksOpen /dev/mmcblk0p2 crypt
(initramfs) lvm
lvm> lvscan
inactive '/dev/cvg/swap' [500.00 MiB] inherit
inactive '/dev/cvg/root' [6.00 GiB] inherit
inactive '/dev/cvg/home' [23.17 GiB] inherit
lvm> lvs
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert
home cvg -wi----- 23.17g
root cvg -wi----- 6.00g
swap cvg -wi----- 500.00m
You need to activate the logical volumes, because they weren't mounted from fstab at bootup.
lvm> vgchange -a y
3 logical volume(s) in volume group "cvg" now active
lvm> lvscan
ACTIVE '/dev/cvg/swap' [500.00 MiB] inherit
ACTIVE '/dev/cvg/root' [6.00 GiB] inherit
ACTIVE '/dev/cvg/home' [23.17 GiB] inherit
lvm> lvs
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert
home cvg -wi-a--- 23.17g
root cvg -wi-a--- 6.00g
swap cvg -wi-a--- 500.00m
lvm> quit
Exiting.
(initramfs) exit
After the system finishes booting, login as root, fix fstab, and rewrite initramfs.
# nano /etc/fstab
......................................................................
proc /proc proc defaults 0 0
/dev/mmcblk0p1 /boot vfat defaults 0 2
/dev/mapper/cvg-root / ext4 defaults,noatime 0 1
/dev/mapper/cvg-home /home ext4 defaults 0 2
/dev/mapper/cvg-swap none swap sw 0 0
......................................................................
# mount /dev/mmcblk0p1 /mnt/boot
# mkinitramfs -o /mnt/boot/initramfs.gz
You need to remove and reinstall sudo, in order to fix a setuid glitch introduced by the process.
# apt-get remove sudo
# apt-get install sudo
# reboot
Now login as user "pi", and confirm that sudo works, that logical volumes are active (Attr ....a...), and that all filesystems have been mounted (Attr .....o..).
$ sudo su
# lvm
lvm> lvs
LV VG Attr LSize Pool Origin Data% Move Log Copy% Convert
home cvg -wi-ao-- 2.85g
root cvg -wi-ao-- 4.00g
swap cvg -wi-ao-- 500.00m
lvm> quit
Now start the configuration app.
$ sudo raspi-config
"Enable Boot to Desktop", tab to "Finish" and let the Pi reboot.
And that's it. You are done creating workspacesd.
$ sudo shutdown -hP now