machizero Installation: Full Handbook

From Gentoo Wiki

Installation Prerequisites

TODO (Installation Prerequisites content)

LUKS on raw disks

Important
Under construction


Prepare a USB Key with a FAT32 EFI system partition

Identify the USB Key's device path with lsblk (e.g. /dev/sdc). Check the VENDOR, SERIAL, TRAN and SIZE columns against the physical key before going any further; every destructive command below is addressed by this path.

root #lsblk --width 999 --output PATH,VENDOR,SERIAL,TRAN,TYPE,SIZE,MOUNTPOINT,PTTYPE,PARTTYPENAME,PARTLABEL,FSTYPE
PATH      VENDOR   SERIAL           TRAN   TYPE   SIZE MOUNTPOINT PTTYPE PARTTYPENAME     PARTLABEL FSTYPE
/dev/sda  ATA      WD-WMXXXXXXXX66  sata   disk 298.1G            dos                               
/dev/sda1                                  part   100M            dos    HPFS/NTFS/exFAT            ntfs
/dev/sda2                                  part   298G            dos    HPFS/NTFS/exFAT            ntfs
/dev/sdb  Seagate  S2XXXXXXXXXX22   usb    disk 931.5G            gpt                               
/dev/sdb1                                  part   256M /boot      gpt    EFI System                 vfat
/dev/sdb2                                  part    32G [SWAP]     gpt    Linux swap                 swap
/dev/sdb3                                  part 899.3G /          gpt    Linux filesystem           ext4
/dev/sdc  SanDisk  00XXXXXXXXXXXX61 usb    disk   1.9G            gpt                               
/dev/sdc1                                  part   1.9G            gpt    EFI System       primary   vfat


(If necessary) Format the USB Key

If there is no EFI System partition on the USB Key, it must be formatted.

Mount the partition(s) first to check whether any data needs to be backed up before proceeding.

root #mkdir --parents --verbose /tmp/efiboot
mkdir: created directory '/tmp/efiboot'
root #mount --verbose /dev/sdc1 /tmp/efiboot
mount: /dev/sdc1 mounted on /tmp/efiboot.
root #ls --almost-all --classify=always -l /tmp/efiboot
total 77,000,704
drwxr-xr-x 3 root root      4,096 Aug 17  2022 efi/
-rwxr-xr-x 1 root root 16,777,216 Jun 19  2022 LUKS.ADATA_SU650_2LXXXXXXXXC1_20220619.header*
-rwxr-xr-x 1 root root 16,777,216 Jun 19  2022 LUKS.ADATA_SU650_2LXXXXXXXXC1_20220619.header.bak20220619*
-rwxr-xr-x 1 root root 16,777,216 Jun 19  2022 LUKS.ADATA_SU650_2LXXXXXXXXK7_20220619.header*
-rwxr-xr-x 1 root root 16,777,216 Jun 19  2022 LUKS.ADATA_SU650_2LXXXXXXXXK7_20220619.header.bak20220619*
...
...

After checking and backing up, unmount the USB Key.

root #cd && umount --verbose /tmp/efiboot
umount: /tmp/efiboot unmounted


Warning
The following commands will delete everything on the drive. Make sure the device path (e.g. /dev/sdc) is correct. Back up first if necessary.

Use parted to manage the partition(s) on the USB Key. Print the current layout first (the device path is the one identified above, /dev/sdc in this example):

root #parted --align optimal /dev/sdc print free
Model: SanDisk U3 Cruzer Micro (scsi)
Disk /dev/sdc: 2055MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name     Flags
        17.4kB  1049kB  1031kB  Free Space
 1      1049kB  2054MB  2053MB  fat32        primary  boot, esp
        2054MB  2055MB  844kB   Free Space

Then start an interactive parted session and (re)create the partition table. On a GPT disk, parted's boot flag is the same as the esp flag: it sets the partition type to EFI System.

root #parted --align optimal /dev/sdc
GNU Parted 3.5
Using /dev/sdc
Welcome to GNU Parted! Type 'help' to view a list of commands.

TODO

(parted)mklabel gpt

(parted)mkpart primary fat32 0% 100%

(parted)align-check optimal 1

(parted)set 1 boot on

(parted)print free

(parted)quit


Format the partition as FAT32 (the partition device, /dev/sdc1 here, not the whole disk).

root #mkfs.fat -F32 /dev/sdc1
Note
Commands mkfs.fat and mkfs.vfat are identical.
root #diff --report-identical-files $(which mkfs.fat) $(which mkfs.vfat)
Files /usr/sbin/mkfs.fat and /usr/sbin/mkfs.vfat are identical
root #ls --classify=always -l /usr/sbin/mkfs.{,?}fat
-rwxr-xr-x 1 root root 60,600 May 13  2022 /usr/sbin/mkfs.fat*
lrwxrwxrwx 1 root root      8 May 13  2022 /usr/sbin/mkfs.vfat -> mkfs.fat*
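The parted and mkfs.fat steps above as one non-interactive script, added here as an example and not part of the original page: it wraps parted --script with a guard that refuses any block device that lsblk does not report as a removable USB disk, which is the check the warning above asks for. The function names, the 64 MiB image used for the dry run and the lsblk-based guard are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive version of the parted
# and mkfs.fat steps above, with a guard that refuses to touch anything that is not
# a removable USB disk. esp_partition also works on an image file, which is how
# esp_demo exercises it without a real USB stick.
set -u

# usb_disk_ok DEV: succeed only if DEV is a whole disk attached via USB and flagged removable.
# lsblk -dno TRAN,RM prints e.g. "usb    1" for a USB stick, "sata   0" for an internal drive.
usb_disk_ok() {
	info=$(lsblk -dno TRAN,RM "$1" 2>/dev/null) || return 1
	case "$info" in
		usb*1*) return 0 ;;
	esac
	return 1
}

# esp_partition TARGET: replace TARGET's partition table with a GPT holding one partition
# that covers the whole device, typed EFI System (parted's "esp" flag; on GPT the page's
# "boot" flag is the same thing). TARGET may be a block device or an image file.
esp_partition() {
	target=$1
	if [ -b "$target" ] && ! usb_disk_ok "$target"; then
		echo "refusing: $target is not a removable USB disk" >&2
		return 1
	fi
	parted --script --align optimal "$target" \
		mklabel gpt \
		mkpart primary fat32 0% 100% \
		set 1 esp on || return 1
	# Machine-readable print: "1:1049kB:...:primary:boot, esp;" for the new partition.
	parted --script --machine "$target" print | grep '^1:'
}

# esp_format PART: put a FAT32 filesystem on the partition device (e.g. /dev/sdc1).
esp_format() {
	[ -b "$1" ] || { echo "refusing: $1 is not a block device" >&2; return 1; }
	mkfs.fat -F32 "$1"
}

# Usage on a real key (as root):  esp_partition /dev/sdc && esp_format /dev/sdc1
# esp_demo: dry run on a 64 MiB image file; needs neither root nor a USB stick.
esp_demo() {
	img=$(mktemp) && truncate -s 64M "$img" || return 1
	esp_partition "$img"
	rc=$?
	rm -f "$img"
	return $rc
}
```

The guard deliberately rejects USB hard disks that lsblk reports as non-removable (RM=0), such as the Seagate drive holding / in the lsblk output above; pass an image file or adjust usb_disk_ok if that is not what is wanted.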


TODO


Mount the USB Key's EFI System Partition at /tmp/efiboot:

root #mkdir --verbose --parents /tmp/efiboot
mkdir: created directory '/tmp/efiboot'
root #mount --verbose --type vfat /dev/sdc1 /tmp/efiboot
mount: /dev/sdc1 mounted on /tmp/efiboot.
Tip
Resuming after a reboot? Re-issue the commands from the top of this section up to the point where you left off; at minimum the EFI System Partition has to be mounted again:
root #mount --verbose --type vfat /dev/sdc1 /tmp/efiboot

Leaving for now? Unmount the USB Key before shutting down, so that the header files on it are flushed to the device:

root #cd && umount --verbose /tmp/efiboot
root #shutdown -h now

(Optional) List the contents of the EFI System Partition. On a system that has already been through this procedure, the LUKS headers and their backups are already present:

root #ls --almost-all --classify=always -l /tmp/efiboot
total 77,000,704
drwxr-xr-x 3 root root      4,096 Aug 17  2022 efi/
-rwxr-xr-x 1 root root 16,777,216 Jun 19  2022 LUKS.ADATA_SU650_2LXXXXXXXXC1_20220619.header*
-rwxr-xr-x 1 root root 16,777,216 Jun 19  2022 LUKS.ADATA_SU650_2LXXXXXXXXC1_20220619.header.bak20220619*
-rwxr-xr-x 1 root root 16,777,216 Jun 19  2022 LUKS.ADATA_SU650_2LXXXXXXXXK7_20220619.header*
-rwxr-xr-x 1 root root 16,777,216 Jun 19  2022 LUKS.ADATA_SU650_2LXXXXXXXXK7_20220619.header.bak20220619*
...
...

Choose the LUKS encryption scheme

                machizero scheme            Sakaki's scheme
Keyfile         Argon2id, native in LUKS    AES256 bit key, derived from passphrase (ref) TODO more details
Hard drive      Serpent                     Serpent (ref)

Overwrite the hard disk with crypto-grade randomness using cryptsetup

If the drive was in use previously, wipe it so that old data on the media cannot be recovered.

If the drive is brand new, most likely all of its bits are zero. It is still a good idea to fill it with random bits, so that usage patterns are not revealed[1] and free space is indistinguishable from encrypted data. Free-space patterns can be used to derive the type of filesystem in use, which may weaken the encryption.[2] Moreover, distinguishable free space breaks plausible deniability.

The method below is the one described in cryptsetup FAQ item 2.19:[3] a plain dm-crypt mapping is set up with a throwaway random key and zeros are written through it, so the drive receives a random-looking ciphertext stream at full device speed and the key is discarded when the mapping is closed.

Warning
The following commands will WIPE everything on the drive. Wiped data is not recoverable. Make sure the device path (e.g. /dev/sdX) is correct. Back up first if necessary.
root #cryptsetup open --verbose --type plain --key-file /dev/random /dev/sdX to_be_wiped
Command successful.
Note
/dev/sdX is the whole drive that is going to be encrypted later, not the USB Key. The FAQ uses /dev/urandom as the key file; on Linux 5.6 and later the two behave the same once the entropy pool is initialized, and cryptsetup reads only key-size bytes from it either way.
Tip
(Optional) Check that cryptsetup has created the device-mapper node.
root #ls -l /dev/mapper
total 0
crw------- 1 root root 10, 236 Nov 19  2023 control
lrwxrwxrwx 1 root root       7 Nov 19 05:41 to_be_wiped -> ../dm-0

(Optional) Briefly check the first and last 1024 bytes of the drive. In this example the drive is blank (all zeros):

root #head --byte 1024 /tmp/drive | hexdump -C
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400
root #tail --byte 1024 /tmp/drive | hexdump -C
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400



Note
The following command is going to take a considerably long time, depending on the size of the hard drive. cat stops with "No space left on device" once the whole mapped device has been written; that error (exit status 1, echoed by the echo $? below) is expected and means the wipe is complete. sync then waits for the last buffered writes to reach the drive before the completion time is printed.
root #printf 'Start: ' ; date ; time { time { cat /dev/zero > /dev/mapper/to_be_wiped ; echo $? ; } && time sync ; } ; printf 'Complete: ' ; date


Tip
(Optional) Briefly check that the data on the drive has been replaced with random data:
root #head --byte 1024 /tmp/drive | hexdump -C
00000000  a0 39 4b 97 4f d8 25 15  93 29 ce 39 81 73 08 f1  |.9K.O.%..).9.s..|
00000010  09 3a 86 ba 43 d1 f1 40  ca 5a 13 e5 b1 40 d7 c4  |.:..C..@.Z...@..|
00000020  2a 9c 2e 9b ac 3a 3e 3e  93 f2 5e 9d 44 92 27 56  |*....:>>..^.D.'V|
00000030  3f 54 f2 25 cd b8 30 2f  8c 9b 1b 3b af bd f0 81  |?T.%..0/...;....|
00000040  67 d6 17 42 f4 df 41 36  63 2b 72 1f c3 f3 e9 c8  |g..B..A6c+r.....|
00000050  ac fd f5 53 20 ef 80 3b  9c c6 27 07 31 17 76 94  |...S ..;..'.1.v.|
00000060  84 0a cd 1b b8 2e 2b ff  17 6f 3b f5 66 b9 1e cd  |......+..o;.f...|
00000070  31 99 e2 31 aa d3 0b 27  1a 47 3f 70 f2 c5 71 45  |1..1...'.G?p..qE|
00000080  c0 88 64 a3 0b d6 42 c4  12 e7 43 cc 2f 78 93 da  |..d...B...C./x..|
00000090  a3 22 72 e7 08 06 da e5  ff 7b 48 3c c1 c4 08 f8  |."r......{H<....|
000000a0  4d 2b 87 52 e4 2e 33 2a  b2 8e 60 1c 3e 70 d1 f8  |M+.R..3*..`.>p..|
000000b0  e2 91 30 06 03 d7 4a 68  a5 fb b6 75 ca ba 56 72  |..0...Jh...u..Vr|
000000c0  db d9 87 b8 50 18 c2 13  0d c2 b9 58 2b 5d ad c6  |....P......X+]..|
000000d0  7d 40 90 ff ce e0 8d 10  ee a3 e4 d1 7a 08 9a 33  |}@..........z..3|
000000e0  4d a7 93 62 2c 65 bc be  f2 fb 3c ad 83 0c 45 52  |M..b,e....<...ER|
000000f0  3c be 99 3b 09 53 67 a7  32 cf 99 fa 13 99 d4 38  |<..;.Sg.2......8|
00000100  ce 77 de aa 92 85 8c 1c  80 bc 71 fb 83 dd d2 c1  |.w........q.....|
00000110  43 0d a8 96 a4 4e 68 b0  dd 0c 48 73 4b 7c b1 aa  |C....Nh...HsK|..|
00000120  ed ee c9 79 13 cc a7 60  3f 06 f1 4f 4e 26 f3 a1  |...y...`?..ON&..|
00000130  51 74 1f 91 1e 0c e3 87  be 94 93 48 f2 f2 ac ce  |Qt.........H....|
00000140  b8 fb 22 84 96 ee 63 71  fb 0d f9 99 93 ff 37 80  |.."...cq......7.|
00000150  65 ea 11 62 20 77 36 ef  88 ed 19 77 cc fc d6 93  |e..b w6....w....|
00000160  a8 1b 39 64 9d 11 7d 58  ef de 2d bd 32 b8 4c 2e  |..9d..}X..-.2.L.|
00000170  86 bc 7c 54 02 cd 27 52  96 fd 72 84 33 08 3a 86  |..|T..'R..r.3.:.|
00000180  43 8a e7 10 b7 48 f2 c5  86 59 e9 47 f6 e4 9c 1a  |C....H...Y.G....|
00000190  46 de da 36 dc 08 74 cf  38 7f 16 43 f0 8b f8 c9  |F..6..t.8..C....|
000001a0  49 9a f4 7e 7a cb 25 1c  4a f2 8c 2c 68 65 41 41  |I..~z.%.J..,heAA|
000001b0  e9 74 39 65 ca 86 3e 05  28 ba e0 84 1d 9b bf 08  |.t9e..>.(.......|
000001c0  7a 0e 68 4d f1 7c 41 8e  fb 71 32 94 ce 09 86 b3  |z.hM.|A..q2.....|
000001d0  9d 2e 26 fe 82 5f 59 25  6b 97 20 c2 cb 07 79 60  |..&.._Y%k. ...y`|
000001e0  7d bc f5 8e 86 6c a7 09  c8 0c 04 90 87 0d d6 c6  |}....l..........|
000001f0  ae 14 bb 90 79 06 fa ad  d1 60 5e 55 e4 01 a8 ae  |....y....`^U....|
00000200  d1 dc 9e 72 04 f7 0c 12  10 14 ed 2f 38 f7 74 89  |...r......./8.t.|
00000210  15 70 66 16 f4 04 ff a4  98 a5 42 77 3a 31 27 b9  |.pf.......Bw:1'.|
00000220  58 da c8 8a 2c 7a 86 8a  e3 9a db 63 1a 86 78 ae  |X...,z.....c..x.|
00000230  c9 e9 5c c9 f1 b8 ee e4  99 08 af 03 4c 00 a9 a9  |..\.........L...|
00000240  ba 4c 91 37 e2 b6 62 76  d4 78 3c 18 ed 21 7b 5a  |.L.7..bv.x<..!{Z|
00000250  09 6f 56 eb 44 9e e5 9b  7f e0 52 f5 1f 9f 04 a9  |.oV.D.....R.....|
00000260  3b 6d 39 94 f5 1b 4c 65  ac e6 68 6f 9c 8f f2 67  |;m9...Le..ho...g|
00000270  2e 89 77 4a de 28 bb 92  42 91 ee 1c ec 4a 49 66  |..wJ.(..B....JIf|
00000280  34 d9 7b 77 26 f5 4d a1  9f 0a fb e6 43 ad a7 75  |4.{w&.M.....C..u|
00000290  80 ef 9f 55 05 7b b0 f1  3c 25 f0 e6 09 88 ee 13  |...U.{..<%......|
000002a0  5f 0e 8e 67 5e 67 56 88  d5 06 b0 f7 da 0c d5 ca  |_..g^gV.........|
000002b0  b8 c7 3c 28 07 b1 27 d2  a3 d4 ce 0a ed 81 7a d3  |..<(..'.......z.|
000002c0  27 34 53 ba db 99 56 02  09 c0 07 71 80 9a 11 d4  |'4S...V....q....|
000002d0  fe ab a0 df 71 b1 a8 06  52 4e f0 1e c9 51 6f 95  |....q...RN...Qo.|
000002e0  97 51 58 65 86 2a ea 75  63 a8 43 9d 2e 97 70 8b  |.QXe.*.uc.C...p.|
000002f0  d6 33 3d 10 6b 32 26 d6  58 4a 7d 1c 8f 44 34 f5  |.3=.k2&.XJ}..D4.|
00000300  a3 61 fb b8 0d 8b 7c 4c  92 f6 6c 57 4c e2 38 44  |.a....|L..lWL.8D|
00000310  06 6b e9 52 e3 11 bb d0  8e 6c 04 c2 8e e4 26 20  |.k.R.....l....& |
00000320  cc 9c c4 75 0d 53 e1 73  4c f1 db 4a 8d a4 e6 eb  |...u.S.sL..J....|
00000330  9a e7 d5 2f fc ee 45 f2  3f 09 80 2d 24 34 5f 0c  |.../..E.?..-$4_.|
00000340  ab 91 48 36 10 59 11 94  e9 f7 cf dc 19 40 10 9e  |..H6.Y.......@..|
00000350  a7 73 0c 6e af 58 49 84  af 71 81 19 55 77 a7 c0  |.s.n.XI..q..Uw..|
00000360  ff 4d 0c 48 3b ae 77 b1  2a 6b 9a 2e 18 98 59 64  |.M.H;.w.*k....Yd|
00000370  c5 b5 b7 ae 6c f7 c6 c7  9a e9 12 c7 84 0e 26 21  |....l.........&!|
00000380  eb 52 22 a8 6f d2 73 c3  8b 20 0d b7 cb f8 de 64  |.R".o.s.. .....d|
00000390  ba f5 6e 88 4e d4 f9 39  40 d3 6b de d5 a9 02 54  |..n.N..9@.k....T|
000003a0  6a 05 b4 63 e7 19 03 c9  5c a8 0f ea 09 9b 7e 99  |j..c....\.....~.|
000003b0  a7 cf 9d 7e cd 8e 87 ec  63 50 bb a2 b3 f2 13 88  |...~....cP......|
000003c0  36 5e 56 c2 d8 4b 15 81  76 32 85 81 d4 67 8f 89  |6^V..K..v2...g..|
000003d0  b1 82 d0 93 5b 08 15 eb  83 d2 2e af ee c6 19 7c  |....[..........||
000003e0  bd 78 c9 cc 74 30 23 3b  6b e9 dc b6 da c4 62 ca  |.x..t0#;k.....b.|
000003f0  bf 62 09 ef 19 f4 db 10  15 f8 88 60 a1 01 36 31  |.b.........`..61|
00000400
root #tail --byte 1024 /tmp/drive | hexdump -C
00000000  be eb b5 42 90 ee 66 70  de 9c b3 98 78 ad a4 14  |...B..fp....x...|
00000010  ba d2 e4 d3 ed 5e ad a7  a4 e4 98 73 be 3a c2 65  |.....^.....s.:.e|
00000020  01 47 01 3b f7 57 5b 4a  99 f6 53 13 a6 d5 63 cb  |.G.;.W[J..S...c.|
00000030  ad 75 bb d8 9b 38 83 92  ee da e6 43 a0 6f e2 41  |.u...8.....C.o.A|
00000040  61 b0 81 44 39 8b d8 93  3d 07 bc 1a 32 42 4e 85  |a..D9...=...2BN.|
00000050  0b dc ca 1b ba 77 fa cd  3d 12 d8 18 85 df 78 bd  |.....w..=.....x.|
00000060  28 0a 69 78 c3 87 53 ea  15 7c e2 71 ce 42 a2 bb  |(.ix..S..|.q.B..|
00000070  37 c3 cb 23 23 95 39 81  aa 4f 68 90 15 d5 8f ab  |7..##.9..Oh.....|
00000080  e5 04 b8 7d 5a 48 63 a2  a7 46 d0 2c 1b db 98 db  |...}ZHc..F.,....|
00000090  08 66 19 f9 0f 85 54 65  fb 09 10 46 e7 6b a5 72  |.f....Te...F.k.r|
000000a0  77 03 6d 65 3b 15 99 ad  93 48 00 0b 1b c4 c6 6e  |w.me;....H.....n|
000000b0  c9 70 bc 73 10 40 17 9e  3a 2e 53 6c 83 a2 85 69  |.p.s.@..:.Sl...i|
000000c0  c4 65 2c ed a7 07 37 fc  07 39 f4 46 66 a0 82 fc  |.e,...7..9.Ff...|
000000d0  d3 3c 4f e7 2e 41 e4 ba  48 35 c7 35 af 67 9f 0e  |.<O..A..H5.5.g..|
000000e0  f0 71 af 82 bd 66 c0 cf  e6 f1 32 62 e4 30 6a 63  |.q...f....2b.0jc|
000000f0  c6 2e 03 4c 44 0e 40 78  b5 de c6 58 c7 a3 fe 2f  |...LD.@x...X.../|
00000100  fa 81 ee 4d f9 9a 8a c0  22 8d 45 b7 b4 ed cd f7  |...M....".E.....|
00000110  e0 13 03 d8 5a 10 28 e1  22 70 7d f5 3a 29 2a 01  |....Z.(."p}.:)*.|
00000120  9c 15 fe 5b c1 c6 13 d1  29 b2 94 d7 e8 e6 c1 5b  |...[....)......[|
00000130  77 17 26 aa 1b e6 fe b1  48 ab 59 6f 44 3f 3f 45  |w.&.....H.YoD??E|
00000140  88 d7 f6 8d ce dd ad a7  88 4c 01 e2 a8 8c 7a 5e  |.........L....z^|
00000150  eb d4 76 3f a5 65 97 0e  35 a6 98 1b 3d 3e 36 53  |..v?.e..5...=>6S|
00000160  95 64 ca b7 0d aa fa 59  f8 e5 b4 de 36 01 f7 73  |.d.....Y....6..s|
00000170  48 4e c7 b9 d9 6b 9c c6  55 ce 47 ef 3a 90 1d bc  |HN...k..U.G.:...|
00000180  c0 bb 86 b6 ea d2 a9 93  31 01 d1 2f d0 78 95 db  |........1../.x..|
00000190  d1 d0 1f 2e 97 10 01 f9  99 b5 64 7e fb 4d 9e 33  |..........d~.M.3|
000001a0  20 dc 4f 18 2b 28 6e 50  2e 18 c0 bd 52 77 55 2b  | .O.+(nP....RwU+|
000001b0  ce 02 11 be 52 bc 2f 43  b8 8d 3e e3 c1 1e b7 34  |....R./C..>....4|
000001c0  0f 32 7f f3 32 d9 a8 e7  8c 5f 8d 74 a2 9a d2 14  |.2..2...._.t....|
000001d0  e1 bb 60 ae 19 39 3e 93  84 f6 05 1c 70 d2 72 bf  |..`..9>.....p.r.|
000001e0  46 93 31 55 b1 d0 e1 bc  0c dd c1 33 79 23 1c d3  |F.1U.......3y#..|
000001f0  93 10 09 93 75 e2 20 bf  cc 52 ec c2 83 b1 29 d2  |....u. ..R....).|
00000200  27 f3 a3 6a 76 27 79 8e  6e ca c5 d4 d0 65 07 ad  |'..jv'y.n....e..|
00000210  ab ac 96 e5 95 09 2c 07  11 8e 79 72 9d 21 01 5f  |......,...yr.!._|
00000220  1b ea 2d 50 5d 01 1b 40  91 02 e8 72 1b 79 b3 58  |..-P]..@...r.y.X|
00000230  75 fb 82 f1 18 de 70 d5  27 d8 f7 f8 e6 c9 14 dd  |u.....p.'.......|
00000240  7a 66 47 27 3d 28 4f e9  8b 1b d4 40 9a 41 0e 08  |zfG'=(O....@.A..|
00000250  e8 66 c6 45 62 2b 98 cb  92 0d 98 41 c4 f4 4a cd  |.f.Eb+.....A..J.|
00000260  5c 23 a7 c0 f6 05 06 9b  66 bc 44 d7 2d 54 b6 ac  |\#......f.D.-T..|
00000270  9c 9c 71 29 d6 e2 62 7f  bf 1e 31 99 4c 58 1f 60  |..q)..b...1.LX.`|
00000280  0e e8 33 ff 8b fe bf ff  57 9f 83 4b 7d 34 42 ca  |..3.....W..K}4B.|
00000290  60 57 db 97 ac 0a 46 bf  c3 77 2a 1e af fe af 41  |`W....F..w*....A|
000002a0  ca d1 22 aa 39 64 ad 47  25 9d d8 2e 9d d6 e6 22  |..".9d.G%......"|
000002b0  74 21 3c 56 81 55 e0 17  d8 ff b2 a9 b9 0f 78 94  |t!<V.U........x.|
000002c0  bb 2b c5 ea 35 17 fb a9  47 d8 31 30 e3 c6 78 75  |.+..5...G.10..xu|
000002d0  8d 94 97 55 80 60 0d c8  a7 cf df 24 ba cf e0 52  |...U.`.....$...R|
000002e0  16 4e da 6e 3c 4e a7 53  8c 8d 0e bf cb 6f c1 01  |.N.n<N.S.....o..|
000002f0  68 56 7a 0d ac 0d 51 b9  11 33 93 4d dd 29 6c 19  |hVz...Q..3.M.)l.|
00000300  ac 73 28 2a 79 f0 d0 30  47 30 ea a9 dc 0b e0 80  |.s(*y..0G0......|
00000310  59 51 15 72 15 f5 1a 73  89 5c f1 b6 95 3e 8c 0c  |YQ.r...s.\...>..|
00000320  3b 85 56 34 ee db df 5b  9e fb 32 bf 2c b3 83 2e  |;.V4...[..2.,...|
00000330  c1 9d 4c 28 c7 cb 98 39  5a 40 cc 38 fd fa 51 dd  |..L(...9Z@.8..Q.|
00000340  52 81 e5 99 db 80 a3 1d  22 31 ed eb 78 6f 10 f6  |R......."1..xo..|
00000350  a0 66 db b0 98 fb 8d 00  ac 39 7f 35 bc 49 cf 59  |.f.......9.5.I.Y|
00000360  c7 ad 25 35 7d 05 da d2  18 80 93 99 02 6d 57 bb  |..%5}........mW.|
00000370  2d 71 e2 ac 25 34 de 68  4a 73 e9 34 ff 09 c1 44  |-q..%4.hJs.4...D|
00000380  f6 cd 59 85 c4 e3 ea 80  db ff 3c 58 ac d7 ef de  |..Y.......<X....|
00000390  98 92 9d cd e1 a6 47 a7  c6 f3 82 5a a4 0d 9e 17  |......G....Z....|
000003a0  a7 f1 4d 38 59 90 66 27  8f ad 66 fc 8b 61 78 f8  |..M8Y.f'..f..ax.|
000003b0  1a 9c 66 1e ca 13 e2 c9  82 98 ef 04 29 1a 56 92  |..f.........).V.|
000003c0  2d 02 e3 54 03 be af b0  c8 f8 81 ad 59 85 82 7c  |-..T........Y..||
000003d0  5d 33 a8 65 8f 5f 86 28  4c 6d 50 5f f4 c4 92 5e  |]3.e._.(LmP_...^|
000003e0  72 6d 84 89 45 37 ed ee  5c 9c 62 a6 ce 44 78 3f  |rm..E7..\.b..Dx?|
000003f0  9e 58 d4 9a ff 57 60 b6  27 1f ad 46 98 8c 96 83  |.X...W`.'..F....|
00000400
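The hexdump spot-check above, automated: this is an added example, not part of the original page. Instead of eyeballing 1024 bytes at each end, it samples 4096 bytes at the start, the middle and the end of the device and counts how many distinct byte values occur; a blank region yields a handful, a region overwritten through the plain mapping yields all 256 with overwhelming probability. The function names, the sample size, the 240 threshold and the two temporary files used by the demo are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): automated "does it look random" check
# for a drive after the cryptsetup plain-mode wipe above. A uniform 4096-byte sample
# misses any given byte value with probability ~1e-7, so fewer than 240 distinct
# values is a reliable sign that the region was not overwritten.
set -u

SAMPLE_BYTES=4096
MIN_DISTINCT=240

# dev_size DEV: size in bytes of a block device (needs root) or a regular file.
dev_size() {
	if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# distinct_bytes DEV OFFSET LEN: number of distinct byte values in DEV[OFFSET, OFFSET+LEN).
distinct_bytes() {
	dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null \
		| od -An -v -tx1 | tr -s ' \n' '\n' | grep . | sort -u | wc -l | tr -d ' '
}

# wipe_check DEV: sample the start, the (sector-aligned) middle and the end of DEV and
# report whether each looks random. Returns 0 only if all three samples pass.
wipe_check() {
	dev=$1
	size=$(dev_size "$dev") || return 1
	[ "$size" -ge $((3 * SAMPLE_BYTES)) ] || { echo "$dev: too small to sample" >&2; return 1; }
	rc=0
	for off in 0 $(( (size / 2) - (size / 2) % 512 )) $((size - SAMPLE_BYTES)); do
		n=$(distinct_bytes "$dev" "$off" "$SAMPLE_BYTES")
		if [ "$n" -ge "$MIN_DISTINCT" ]; then verdict=random; else verdict=NOT-random; rc=1; fi
		printf '%s @%d: %d distinct byte values -> %s\n' "$dev" "$off" "$n" "$verdict"
	done
	return $rc
}

# Usage after the wipe (as root):  wipe_check /dev/sdX
# wipe_demo: run the check on two constructed files, one zero-filled, one from /dev/urandom.
wipe_demo() {
	z=$(mktemp) r=$(mktemp)
	dd if=/dev/zero of="$z" bs=4096 count=16 2>/dev/null
	dd if=/dev/urandom of="$r" bs=4096 count=16 2>/dev/null
	wipe_check "$z" && echo "unexpected: zero-filled file passed" >&2
	wipe_check "$r"
	rc=$?
	rm -f "$z" "$r"
	return $rc
}
```

Three samples catch the common failure modes (a wipe that was interrupted, or one addressed at a partition instead of the whole disk); they do not prove that every sector was written, so run the check only as a sanity test after the cat command has terminated with "No space left on device".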


root #cryptsetup close --verbose to_be_wiped
Command successful.


Tip
(Optional) Check that cryptsetup has removed the device-mapper node.
root #ls -l /dev/mapper
total 0
crw------- 1 root root 10, 236 Nov 19  2023 control


Note
If multiple drives will be used in the encrypted pool, repeat the steps above for each drive.



Format disk with LUKS2 (with detached header)

Gather disk information for creating the header.


root #ls -l /dev/disk/by-id/
total 0
...
...
root #LUKS_DEV='/dev/sdb'
root #LUKS_DATE='20220619'
root #LUKS_LABEL="ADATA_SU650_2LXXXXXXXXK7_${LUKS_DATE}"
root #echo "$LUKS_LABEL"' ; Length='${#LUKS_LABEL}' ; Max length=47 ; '$(if [ ${#LUKS_LABEL} -le 47 ]; then echo 'OK'; else echo 'LABEL TOO LONG'; fi)
ADATA_SU650_2LXXXXXXXXK7_20220619 ; Length=33 ; Max length=47 ; OK

Note
${#LUKS_LABEL} is the length in characters; wc -c <<< "$LUKS_LABEL" would count the trailing newline as well and report one more. LUKS2 stores the label and the subsystem in 48-byte fields, so 47 characters is the maximum for each.

Create a shell function so that the same encryption settings can be reused for each drive:

root #cryptsetup_luksFormat() {
	# --label and --subsystem: max 47 chars each
	cryptsetup luksFormat --verbose --type luks2 \
		--header=/tmp/efiboot/LUKS."$LUKS_LABEL".header \
		--label "$LUKS_LABEL" --subsystem machizero \
		--use-random \
		--pbkdf argon2id --pbkdf-force-iterations 19 --pbkdf-memory 4194304 --pbkdf-parallel 4 \
		--hash blake2b-512 \
		--cipher serpent-xts-plain64 --key-size 512 \
		"$LUKS_DEV"
	cryptsetup config --verbose --key-slot 0 --priority prefer /tmp/efiboot/LUKS."$LUKS_LABEL".header
}
root #cryptsetup_luksFormat
root #cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header | less

Note
--pbkdf-force-iterations disables cryptsetup's benchmark and fixes the Argon2id time cost at 19 passes over 4194304 kB (4 GiB) of memory with 4 threads. Every unlock, including the one in the initramfs at boot, needs that much free RAM; choose values that the machine with the least memory can afford.

Gather the information for the other drive(s).

root #LUKS_DEV='/dev/sda'
root #LUKS_DATE='20220619'
root #LUKS_LABEL="ADATA_SU650_2LXXXXXXXXC1_${LUKS_DATE}"
root #echo "$LUKS_LABEL"' ; Length='${#LUKS_LABEL}' ; Max length=47 ; '$(if [ ${#LUKS_LABEL} -le 47 ]; then echo 'OK'; else echo 'LABEL TOO LONG'; fi)
ADATA_SU650_2LXXXXXXXXC1_20220619 ; Length=33 ; Max length=47 ; OK

Reuse the function to create the LUKS header(s).


root #cryptsetup_luksFormat
root #cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header | less


Note
Because a detached header is used, cryptsetup luksFormat writes only to the header file on the USB Key; nothing is altered on the drive(s) themselves. The header file is the only thing tying a drive to its keys, so make sure each header is named after its drive (the serial number in the label above) and never mixed up with another.
Tip
(Optional) Check the LUKS header(s) are created.
root #ls -l /tmp/efiboot


(Optional) Clean up the variables and function.

root #unset LUKS_DEV LUKS_DATE LUKS_LABEL
root #unset -f cryptsetup_luksFormat


(Optional) Add a fallback passphrase

In case the main passphrase is forgotten, the drive can still be unlocked with this fallback passphrase. It is not meant for daily use: the iteration count is intentionally raised so that unlocking with it takes longer, and the slot is given priority "ignore", so it is only tried when explicitly requested with --key-slot 1.

root #LUKS_DATE='20220619'
root #LUKS_LABEL="ADATA_SU650_2LXXXXXXXXK7_${LUKS_DATE}"
root #echo "$LUKS_LABEL"' ; Length='${#LUKS_LABEL}' ; Max length=47 ; '$(if [ ${#LUKS_LABEL} -le 47 ]; then echo 'OK'; else echo 'LABEL TOO LONG'; fi)

Since the header is detached, the key is added to the header file directly; the data device does not need to be present, which is why LUKS_DEV is not set here.

root #cryptsetup_luksAddKey() {
	cryptsetup luksAddKey --verbose --type luks2 \
		--pbkdf argon2id --pbkdf-force-iterations 101 --pbkdf-memory 4194304 --pbkdf-parallel 4 \
		--hash blake2b-512 \
		/tmp/efiboot/LUKS."$LUKS_LABEL".header
	# Priority "ignore" means the slot is never tried unless it is explicitly requested with --key-slot.
	cryptsetup config --verbose --key-slot 1 --priority ignore /tmp/efiboot/LUKS."$LUKS_LABEL".header
}

root #cryptsetup_luksAddKey
root #cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header | less

Again, repeat the procedure for different drive(s).

root #LUKS_DATE='20220619'
root #LUKS_LABEL="ADATA_SU650_2LXXXXXXXXC1_${LUKS_DATE}"
root #echo "$LUKS_LABEL"' ; Length='${#LUKS_LABEL}' ; Max length=47 ; '$(if [ ${#LUKS_LABEL} -le 47 ]; then echo 'OK'; else echo 'LABEL TOO LONG'; fi)

root #cryptsetup_luksAddKey
root #cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header | less


Tip
(Optional) Check the LUKS header(s) are created.
root #ls -l /tmp/efiboot


(Optional) Clean up the variables and function.

root #unset LUKS_DATE LUKS_LABEL
root #unset -f cryptsetup_luksAddKey



(Optional) Add TRIM support persistently into the header

If an SSD is used as an encrypted drive, allow discard (TRIM) requests to pass through the device.

The TRIM command enables an operating system to notify the SSD of pages which no longer contain valid data. For a file deletion operation, the operating system will mark the file's sectors as free for new data, then send a TRIM command to the SSD. After trimming, the SSD will not preserve any contents of the block when writing new data to a page of flash memory, resulting in less write amplification (fewer writes), higher write throughput (no need for a read-erase-modify sequence), thus increasing drive life.[4]

Warning
Allowing discards has a negative security impact: trimmed blocks can usually be located on the device later (many SSDs return zeros for them), so filesystem-level operations become visible on the physical device. An attacker with the raw drive can then tell used from unused space, and often the filesystem type, which undoes the random fill performed above and with it any plausible deniability. Weigh that against the wear and performance benefit before enabling it.
Note
From the cryptsetup man page:
 --persistent
	Used with luksOpen or refresh
	The specified activation flags (--allow-discards) are persistently written into metadata (--header) and used next time.

	If you need to remove a persistent flag,
	use --persistent without the flag you want to remove
	(e.g. to disable persistently stored discard flag, use --persistent without --allow-discards).

The device has to be opened (with the passphrase) for the flag to be written, so this time the data device path is needed as well:

root #LUKS_DEV='/dev/sdb'
root #LUKS_DATE='20220619'
root #LUKS_LABEL="ADATA_SU650_2LXXXXXXXXK7_${LUKS_DATE}"
root #echo "$LUKS_LABEL"' ; Length='${#LUKS_LABEL}' ; Max length=47 ; '$(if [ ${#LUKS_LABEL} -le 47 ]; then echo 'OK'; else echo 'LABEL TOO LONG'; fi)

root #cryptsetup_luksOpen() {
	cryptsetup luksOpen --verbose --readonly \
		--header /tmp/efiboot/LUKS."$LUKS_LABEL".header \
		--allow-discards --persistent \
		"$LUKS_DEV" LUKS."$LUKS_LABEL"
	ls /dev/mapper/
	cryptsetup luksClose --verbose --deferred LUKS."$LUKS_LABEL"
}

root #cryptsetup_luksOpen
root #cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header | less

Repeat the steps on other drives.

root #LUKS_DEV='/dev/sda'
root #LUKS_DATE='20220619'
root #LUKS_LABEL="ADATA_SU650_2LXXXXXXXXC1_${LUKS_DATE}"
root #echo "$LUKS_LABEL"' ; Length='${#LUKS_LABEL}' ; Max length=47 ; '$(if [ ${#LUKS_LABEL} -le 47 ]; then echo 'OK'; else echo 'LABEL TOO LONG'; fi)

root #cryptsetup_luksOpen
root #cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header | less


Tip
(Optional) Check the LUKS header(s) are created.
root #ls -l /tmp/efiboot


(Optional) Clean up the variables and function.

root #unset LUKS_DEV LUKS_DATE LUKS_LABEL
root #unset -f cryptsetup_luksOpen
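The three sections above (format with detached header, fallback passphrase, persistent discards) each end with a manual cryptsetup luksDump ... | less. The following is an added example, not part of the original page, that turns that inspection into an automated audit: it parses luksDump output and checks the settings this page chose (LUKS2, serpent-xts-plain64 with a 512-bit key, Argon2id at 4194304 kB, slot 0 preferred, fallback slot 1 ignored, allow-discards persisted). The function names, the expected-value variables and the sample dump (whitespace-normalized, with UUID, salts and digests omitted) are constructed for this example; the field names themselves are those luksDump prints.

```shell
#!/bin/sh
# Added example (not from the original page): audit "cryptsetup luksDump" output against
# the settings chosen on this page. The expected values and the sample dump below are
# constructed for the example; feed a real dump through luks_audit on stdin.
set -u

EXP_CIPHER='serpent-xts-plain64'
EXP_KEYBITS='512'
EXP_PBKDF='argon2id'
EXP_MEMORY='4194304'

# luks_dump_fields: luksDump text on stdin -> flat name=value lines on stdout.
luks_dump_fields() {
	awk '
	/^Version:/           { print "version=" $2 }
	/^Flags:/             { sub(/^Flags:[ \t]*/, ""); print "flags=" $0 }
	/^Data segments:/     { sect = "seg"; next }
	/^Keyslots:/          { sect = "ks";  next }
	/^Tokens:|^Digests:/  { sect = "other"; next }
	/^[ \t]*[0-9]+: /     { id = $1; sub(/:$/, "", id); next }
	sect == "seg" && /^[ \t]+cipher:/   { print "seg" id "_cipher="   $2 }
	sect == "ks"  && /^[ \t]+Key:/      { print "ks"  id "_keybits="  $2 }
	sect == "ks"  && /^[ \t]+Priority:/ { print "ks"  id "_priority=" $2 }
	sect == "ks"  && /^[ \t]+PBKDF:/    { print "ks"  id "_pbkdf="    $2 }
	sect == "ks"  && /^[ \t]+Memory:/   { print "ks"  id "_memory="   $2 }
	'
}

# field FIELDS NAME: value of NAME in FIELDS (output of luks_dump_fields), empty if absent.
field() { printf '%s\n' "$1" | sed -n "s/^$2=//p"; }

# check LABEL ACTUAL EXPECTED: print one result line; set rc=1 on mismatch.
check() {
	if [ "$2" = "$3" ]; then printf 'ok    %-20s %s\n' "$1" "$2"
	else printf 'FAIL  %-20s got "%s", want "%s"\n' "$1" "$2" "$3"; rc=1; fi
}

# luks_audit: luksDump text on stdin; returns 0 only if every check passed.
luks_audit() {
	fields=$(luks_dump_fields); rc=0
	check 'LUKS version'       "$(field "$fields" version)"      2
	check 'segment cipher'     "$(field "$fields" seg0_cipher)"  "$EXP_CIPHER"
	check 'slot 0 key bits'    "$(field "$fields" ks0_keybits)"  "$EXP_KEYBITS"
	check 'slot 0 PBKDF'       "$(field "$fields" ks0_pbkdf)"    "$EXP_PBKDF"
	check 'slot 0 memory (kB)' "$(field "$fields" ks0_memory)"   "$EXP_MEMORY"
	check 'slot 0 priority'    "$(field "$fields" ks0_priority)" preferred
	check 'slot 1 priority'    "$(field "$fields" ks1_priority)" ignored
	case " $(field "$fields" flags) " in
		*' allow-discards '*) check 'discards persisted' yes yes ;;
		*)                    check 'discards persisted' no  yes ;;
	esac
	return $rc
}

# sample_dump: constructed luksDump listing of a header made by the functions above.
sample_dump() {
	cat <<'EOF'
LUKS header information
Version:        2
Label:          ADATA_SU650_2LXXXXXXXXK7_20220619
Subsystem:      machizero
Flags:          allow-discards

Data segments:
  0: crypt
        offset: 0 [bytes]
        length: (whole device)
        cipher: serpent-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   preferred
        Cipher:     serpent-xts-plain64
        PBKDF:      argon2id
        Time cost:  19
        Memory:     4194304
        Threads:    4
        AF hash:    blake2b-512
  1: luks2
        Key:        512 bits
        Priority:   ignored
        Cipher:     serpent-xts-plain64
        PBKDF:      argon2id
        Time cost:  101
        Memory:     4194304
        Threads:    4
        AF hash:    blake2b-512
Tokens:
EOF
}

# Usage on a real header:  cryptsetup luksDump /tmp/efiboot/LUKS."$LUKS_LABEL".header | luks_audit
```

Running the audit on each header file (and on each header backup) after every change is a cheap way to notice a slot left at the wrong priority or a --persistent flag that did not get written.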



Backup the LUKS header

If the LUKS header is damaged, the drive cannot be decrypted. It is wise to back up the header and store the backup in a secure place.

cryptsetup luksHeaderBackup copies the header into a new file (it refuses to overwrite an existing backup file) and creates that file read-only for its owner, the equivalent of chmod u-w.

Note
A header backup contains the key slots, so it is as sensitive as the header itself. A passphrase that is later removed from the live header can still unlock the drive with an old backup; redo the backup after any key-slot change and destroy the outdated copies.

root #LUKS_DATE='20220619'
root #LUKS_LABEL="ADATA_SU650_2LXXXXXXXXK7_${LUKS_DATE}"
root #LUKS_BAK_DATE="$(date +%Y%m%d)"

root #cryptsetup luksHeaderBackup --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header \
	--header-backup-file /tmp/efiboot/LUKS."$LUKS_LABEL".header.bak"$LUKS_BAK_DATE"

root #cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header.bak"$LUKS_BAK_DATE" | less
root #diff -s /tmp/efiboot/LUKS."$LUKS_LABEL".header /tmp/efiboot/LUKS."$LUKS_LABEL".header.bak"$LUKS_BAK_DATE"
root #stat /tmp/efiboot/LUKS."$LUKS_LABEL".header*

Do the same for the other drive(s):

root #LUKS_DATE='20220619'
root #LUKS_LABEL="ADATA_SU650_2LXXXXXXXXC1_${LUKS_DATE}"
root #LUKS_BAK_DATE="$(date +%Y%m%d)"
root #echo "$LUKS_LABEL"' ; Length='${#LUKS_LABEL}' ; Max length=47 ; '$(if [ ${#LUKS_LABEL} -le 47 ]; then echo 'OK'; else echo 'LABEL TOO LONG'; fi)

root #cryptsetup luksHeaderBackup --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header \
	--header-backup-file /tmp/efiboot/LUKS."$LUKS_LABEL".header.bak"$LUKS_BAK_DATE"

root #cryptsetup luksDump --verbose /tmp/efiboot/LUKS."$LUKS_LABEL".header.bak"$LUKS_BAK_DATE" | less
root #diff -s /tmp/efiboot/LUKS."$LUKS_LABEL".header /tmp/efiboot/LUKS."$LUKS_LABEL".header.bak"$LUKS_BAK_DATE"
root #stat /tmp/efiboot/LUKS."$LUKS_LABEL".header*


Tip
(Optional) Check that the header backup(s) have been created.
root #ls -l /tmp/efiboot


(Optional) Clean up the variables.

root #unset LUKS_DATE LUKS_LABEL LUKS_BAK_DATE




root #...


root #...


TODO (LUKS on raw disks content)



ZFS mirror

TODO (ZFS mirror content)

Install Gentoo

TODO (Install Gentoo content)

User:Midnite/machizero/installation/wayland

User:Midnite/machizero/installation/kdeplasma

User:Midnite/machizero/installation/lxd

User:Midnite/machizero/installation/lamp


References