poniedziałek, 28 listopada 2022

COOLDays 2022 - Berlin

This year Collabora Productivity organized hybrid conference in Berlin. I've participated virtually by presenting video with recent improvements in JSDialogs which provides dialogs knwon from the LibreOffice for Collabora Online. Second talk was a short case study / tutorial how to add new component based on a mentioned framework.

sobota, 12 listopada 2022

Raspberry Pi OS with LUKS

Short notes with setup for working remote LUKS decrypt. Unofrtunately after cryptroot-unlock success it shutdowns the system :) Maybe I will try again when will find some time.
    1. Burn Rasberry Pi OS Lite image

    2. Create additional partition for encrypted root partition.

    3. Update and restart:
    apt-get update && apt-get upgrade
    sudo shutdown -r now
    4. Install deps:
    apt-get install busybox cryptsetup dropbear-initramfs lvm2
    5. Prepare partition:
    cryptsetup -v -y --cipher aes-xts-plain64 --key-size 256 luksFormat <newroot>
    cryptsetup -v luksOpen <newroot> sdcard
    mkfs.ext4 /dev/mapper/sdcard
    cryptsetup luksClose /dev/mapper/sdcard
    6. Configure partition in the system: check :
    blkid | grep crypto_LUKS
    open /etc/crypttab and add:
    sdcard    <newroot>    none    luks,initramfs
    open /etc/fstab and replace original root partition with:
    /dev/mapper/sdcard      /       ext4    defaults        0       1
    open /boot/cmdline.txt and replace existing partition config with:
    root=/dev/mapper/sdcard cryptdevice=<newroot>:sdcard
    also add at the end of the same file dhcp configuration:
    7. Configure early decryption:
    echo 'DROPBEAR_OPTIONS="-RFEsjk -c /bin/cryptroot-unlock"' > /etc/dropbear-initramfs/config
    echo "CRYPTSETUP=y" >> /etc/cryptsetup-initramfs/conf-hook
    8. Fix issue with short timeout for decryption:
    sed -i 's/^TIMEOUT=.*/TIMEOUT=100/g' /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
    9. Configure early remote access over SSH:
    touch /boot/ssh
    echo '<your_public_ssh_key>' > /etc/dropbear-initramfs/authorized_keys
    10. Copy files from original root partition to the new encrypted partition. 11. Generate initramfs:
    sudo mkinitramfs -o /boot/initramfs.gz
    echo "initramfs initramfs.gz" >> /boot/config.txt
    12. Reboot and try to connect remotely. Configs for ssh:
    Host pi
        HostName <ip>
        User user
        PreferredAuthentications password
    Host pi-enable
        HostName <ip>
        User root
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
        IdentityFile ~/.ssh/<your_public_ssh_key>