christiansaga.de
Reinstall GRUB after BIOS update on LUKS encrypted system
Due to reasons unknown I upgraded my Lenovos BIOS via a USB Stick. :-) Everything went well, however after reboot, all my boot options for Linux Mint were gone. Turns out, somehow my boot setup was erased as well. Using UEFI without CSM and without secure boot with LUKS encrypted Linux Mint, this was already an issue when first installing. Getting everything right seems to be more of good luck.
This answer ist mainly for straight forward installations of Ubuntu/Mint with LVM on LUKS and unencrypted boot. If you have a different setup, make sure to adapt the different mounts.
Advice on using boot-repair utility: Don’t. The tool messes with a lot of configs unnecessarily. If you are not absolutely sure, what it does, don’t use it. As an example for myself: When using it to restore Grub, it edited my fstab and uncommented my root mapper and set it to noauto. Result: You end up after Grub in an initramfs prompt, as the volume has not been unlocked. Possibly wasting time by checking on why LVM times out, cryptsetup not working, etc.
So what is the solution
To get back your boot menu, I tried several things, e.g. boot-repair. However since my system is LUKS encrypted, I guess the tools all had some problems. To get back my system, I accessed my old system via chroot from a Linux Live CD. In this case Linux Mint Live CD.
First boot from Linux Live CD, get keyboard locale and network set up. Unlock your LUKS device. Make sure, that the name in the end (sda3_crypt
) is as specified in your original /etc/crypttab
(yes, if you do not know, you need to open the crypt device somewhere, take a look, close and reopen it). Otherwise you might get a warning later on.
If you have a different setup, make sure to take the correct device.
cryptsetup luksOpen /dev/sda3 sda3_crypt
For overall LUKS informations and commands, take a look here: https://wiki.ubuntuusers.de/LUKS/
Next mount all necessary partitions out of the old system
To find the LUKS drives, use sudo lvscan
For me my /root
turns out to be in /dev/mint-vg/root
If you have separated partitions, e.g. for home, or other devices, make sure to adapt parts below for mounting.
sudo mount /dev/mint-vg/root /mnt
sudo mount /dev/sda2 /mnt/boot
for i in /dev /dev/pts /proc /sys /run ; do sudo mount -B $i /mnt$i ; done
sudo mount -o bind /etc/resolv.conf /mnt/etc/resolv.conf
sudo mount /dev/sda1 /mnt/boot/efi/
Make sure you add the /mnt/boot/efi
, otherwise grub will complain grub-install: "cannot find EFI directory"
. It is not included in your boot partition, but a separate partition.
After that, enter the chroot environment with sudo chroot /mnt /bin/bash
To install GRUB run sudo grub-install /dev/sda
Now just a reboot is needed and the system should work as before.
Addendum
If you are here because something on boot is not working and you messed things up even further as I did, additionally update-initramfs -c -k all
could help.
OPENPGPKEY and DANE
As a long time PGP user I wanted to improve the key landscape and offer my public key via DANE. This is quite simple, if you have a DNS host, that supports DNSSEC and the different needed DANE types. (Note: I use core-networks.de)
The principle behind this: You publish your PGP key in your signed DNS and by that a correctly configured mail system could opt into sending you encrypted E-Mails even without having exchanged keys before.
I have tried to use the gpg2
function --print-dane-records
(available from 2.1.9 upwards), however could not generate a usable data part of the DNS record via this.
So what is the solution
As a prerequisite you need to have created your own PGP keys with the E-Mail you want to use as an User ID. Note: I am only doing a per E-Mail Setup. Use the following website: https://www.huque.com/bin/openpgpkey
Generate an OPENPGPKEY and the output pretty much does the trick. The generated output is sorted as follows:
-
Owner Name goes into the record. Be careful, if your DNS provider automatically adds the domain.If you used
--print-dane-records
you need to concatenate the ID of the key (before TYPE61) and string after $ORIGIN The syntax is<SHA256 hash of your e-mail name before the @>._openpgpkey.<your domain>
-
Out of Generated DNS OPENPGPKEY Record you take the part within the
()
into the data part of the record. Here you need to transform the key into one line string. If you used--print-dane-records
, I discarded the data part, as I could not get it to work. Simply use your key data exported with ASCII armor (-a
parameter) without the last line. Of course leaving headers and footers out as well. -
The type is OPENPGPKEY
-
Class is IN
-
TTL you can set on a decent value. For testing I used a hour.
To test the setup use
dig OPENPGPKEY <owner name goes here>
This will simply send back the data block and test the DNS setup. To test the DANE lookup do the following
gpg2 --auto-key-locate clear,dane,local -v --locate-key <your e-mail goes here>
This gives quite a good feedback on the setup and tells you if the key was fetched via DANE or not.
Full article view to comment or share...SendXMPP mail forward on Debian Jessie
To have a more comfortable way of receiving messages by my servers, I wanted all my root E-Mails to be forwarded to my mobile via XMPP. I only have a limited exim4 on my machine running, configured for local mail delivery only.
So what is the solution
First install sendxmpp with apt-get install sendxmpp
, then create the config file as /etc/sendxmpp.conf
and insert XMPP credentials:
<sender>@<sender_server>:<port> <password>
Set the right permissions chmod 600 /etc/sendxmpp.conf
and owner chown Debian-exim:Debian-exim /etc/sendxmpp.conf
Then create a script to call sendxmpp /usr/sbin/mail2xmpp
. It might be that you could put this completely into the alias, however I decided to use the script.
Exchange your receiving ID. -t
enables the TLS connection for sending the message.
#!/bin/bash
echo "$(cat)" | sendxmpp -t -f /etc/sendxmpp.conf <receiver>@<receiving_server>
Make the script executable chmod 755 /usr/sbin/mail2xmpp
and create the alias for the user, which E-Mails you want to forward in /etc/aliases
:
# /etc/aliases
root:,|/usr/local/bin/mail2xmpp
To activate pipe forwarding we have to create /etc/exim4/exim4.conf.localmacros
SoWhatIsTheSolution
SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe
After that run newaliases
and service exim4 restart
for config to take effect.
Now you should be able to test if it works, by simply sending a local test E-Mail to user root
.
Unlock LUKS via SSH in Debian
As already described in my previous post Headless Debian install via SSH, I am dealing with a headless system. As I am encrypting my system and drives with LUKS, I need a way to enter the password in case of a reboot.
So what is the solution
First install Dropbear on the server by apt-get install dropbear
. Then configure initramfs network usage; edit /etc/initramfs-tools/initramfs.conf
. You probably have to add the lines for dropbear and update the device string.
This configuration is using DHCP to obtain an IP, if you have a static configuration, use: IP=<SERVER-IP>::<STANDARD-GATEWAY>:<SUBNETMASK>:<HOSTNAME>:eth0:off
#
# DROPBEAR: [ y | n ]
#
# Use dropbear if available.
#
DROPBEAR=y
DEVICE=eth0
IP=:::::eth0:dhcp
Next, delete the standard private and public keys on the server
rm /etc/initramfs-tools/root/.ssh/id_rsa
rm /etc/initramfs-tools/root/.ssh/id_rsa.pub
Then create your own key pair (we assume you use id_rsa as a name) on your client machine and upload it to the server.
ssh-keygen
scp ~/.ssh/id_rsa.pub myuser@debian_headless:id_rsa.pub
After that, log in to the server and add the key to authorized_key file an remove the public key on the server.
ssh myuser@debian_headless
sudo sh -c "cat id_rsa.pub >> /etc/initramfs-tools/root/.ssh/authorized_keys"
rm id_rsa.pub
Now we need to update initramfs and grub by update-initramfs -u -k all
and update-grub2
On some configurations the network won’t get reconfigured on runtime values, hence we need to trigger an update. Edit /etc/network/interfaces
and add as first line of the primary interface pre-up ip addr flush dev eth0
Restart server and log in from your client with ssh -i ~/.ssh/id_rsa root@<server-ip>
to set the password to unlock
echo -n "<LUKS encryption password>" > /lib/cryptsetup/passfifo
exit
EDIT: on newer systems a cryptroot-unlock
will suffice.
The server should now boot normally and regular SSH should come up.
Optional
You can also create a little script for the passphrase in /etc/initramfs-tools/hooks/unlock
#!/bin/bash
PREREQ=""
prereqs() {
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
cat > "${DESTDIR}/root/unlock" << EOF #!/bin/sh /lib/cryptsetup/askpass 'passphrase: ' > /lib/cryptsetup/passfifo
EOF
chmod u+x "${DESTDIR}/root/unlock"
exit 0
Do not forget to make it executable with chmod +x /etc/initramfs-tools/hooks/unlock
and update initramfs with update-initramfs -u -k all
and update-grub2
Headless Debian install via SSH
Having build my own NAS system recently, I realised I do not have any monitors or keyboards at home anymore. Hence installing Debian will be hard. I looked around and the solution would be a headless install via ssh.
This post is based on some work from S.G. Vulcan’s post Installing Debian using only SSH His post was a good start, but I only could make it work for a Debian Jessie netinstall image after some changes.
So what is the solution
Download the latest netinstall image from Debian, I used debian-8.3.0-amd64-netinst.iso
Mount the ISO to a folder
mkdir isoorig
sudo mount -o loop -t iso9660 debian-8.3.0-amd64-netinst.iso isoorig
Copy to new folder called isonew
mkdir isonew
rsync -a -H --exclude=TRANS.TBL isoorig/ isonew/
Change the menu to load SSH on boot by default, edit isonew/isolinux/txt.cfg
remove (if existing) menu default
from label install
and add:
label netinstall
menu label ^Install Over SSH
menu default
kernel /install.amd/vmlinuz
append auto=true vga=788 file=/cdrom/preseed.cfg initrd=/install.arm/initrd.gz locale=en_US console-keymaps-at/keymap=us
default netinstall
Create isonew/preseed.cfg
file. I adapted the locale and keyboard settings for Germany and added the selection of the keyboard-configuration. This would otherwise be an open question during the install and we won’t reach the SSH startup.
Also I added a check for non-free firmware, which popped up on one of my machines which had wireless.
#### Contents of the preconfiguration file
### Localization
# Locale sets language and country.
d-i debian-installer/locale select de_DE
# Keyboard selection.
d-i console-keymaps-at/keymap select de
d-i keyboard-configuration/xkb-keymap select de
### Network configuration
# netcfg will choose an interface that has link if possible. This makes it
# skip displaying a list if there is more than one interface.
d-i netcfg/choose_interface select auto
# Any hostname and domain names assigned from dhcp take precedence over
# values set here. However, setting the values still prevents the questions
# from being shown, even if values come from dhcp.
d-i netcfg/get_hostname string newdebian
d-i netcfg/get_domain string local
# If non-free firmware is needed for the network or other hardware, you can
# configure the installer to always try to load it, without prompting. Or
# change to false to disable asking.
d-i hw-detect/load_firmware boolean true
# The wacky dhcp hostname that some ISPs use as a password of sorts.
#d-i netcfg/dhcp_hostname string radish
d-i preseed/early_command string anna-install network-console
# Setup ssh password
d-i network-console/password password install
d-i network-console/password-again password install
Recreate the isonew/md5sum.txt
, it is read only, so you need to change this. Also I had better luck with creating the md5sum.txt
with the changed commands below.
chmod 666 md5sum.txt
find -follow -type f -exec md5sum {} \; > md5sum.txt
chmod 444 md5sum.txt
Create ISO file to burn with xorriso. If you do not have it installed use apt-get install xorriso
.
xorriso -as mkisofs -D -r -J -joliet-long -l -V "Debian headless" -b isolinux/isolinux.bin -c isolinux/boot.cat -iso-level 3 -no-emul-boot -partition_offset 16 -boot-load-size 4 -boot-info-table -isohybrid-mbr /usr/lib/syslinux/isohdpfx.bin -o ../debian-8.3.0-amd64-netinst-headless.iso ../isonew
xorriso is creating a correct partition table, which is for some reason not done with mkisofs only. The original command would work in VMs, maybe even on a cd-rom, however not for USB sticks.
The ISO can be burned to an USB stick and used to boot. It will automatically configure the network with DHCP (yes, you need to have a way to find the IP, e.g. on your router) and start SSH.
The user for the ssh connection is installer
the password is install
.