diff --git a/active/software_luks/luks.md b/active/software_luks/luks.md new file mode 100644 index 0000000..f7e6ccc --- /dev/null +++ b/active/software_luks/luks.md 
@@ -0,0 +1,91 @@ +# LUKS + +Disk Encryption + +## Encrypting a Drive + +You get 8 key slots total. + +```bash +# Remember to install if you need it +dnf install cryptsetup + +# Create an encryption key +mkdir /etc/luks-keys +chmod 700 /etc/luks-keys +dd if=/dev/urandom bs=128 count=1 of=/etc/luks-keys/data0.key + +# Create an encrypted partition +# -q means don't ask for confirmation +# -v means verbose +cryptsetup -q -v luksFormat /dev/nvme6n1p1 /etc/luks-keys/data0.key + +# Unlock +cryptsetup -q -v luksOpen --key-file /etc/luks-keys/data0.key /dev/nvme6n1p1 luks-$(cryptsetup luksUUID /dev/nvme6n1p1) + +# List keys +cryptsetup luksDump /dev/nvme6n1p1 + +# Remove a key from a slot +cryptsetup luksKillSlot /dev/nvme6n1p1 2 + +# Add a new key to a slot +cryptsetup luksAddKey /dev/nvme6n1p1 -S 5 +``` + +## TPM2 Decryption + +Mostly taken from here: + + +PCR reference for `--tpm2-pcrs` args + +```text +0: System firmware executable +2: Kernel +4: Bootloader +7: Secure boot state +8: Cmdline +9: Initrd +``` + +Basic commands: + +```bash +# Show tpm2 devices +systemd-cryptenroll --tpm2-device=list + +# Show crypto luks block devices +blkid -t TYPE=crypto_LUKS + +# Enroll the tpm2 device with systemd-cryptenroll +systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9 /dev/nvme0n1p3 + +# Reenroll +systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7,8,9 +``` + +Note, you'll need to add `rd.luks.options=tpm2-device=auto` to your kernel parameters. 
+ +## Batch Operations + +```bash +# Create encrypted drives in bulk +export LUKS_DEVS="/dev/nvme4n1p1 /dev/nvme3n1p1 /dev/nvme0n1p1 /dev/nvme1n1p4 /dev/nvme2n1p1 /dev/nvme5n1p1" +for luks_drive in $LUKS_DRIVES; do + cryptsetup -q -v luksFormat /dev/${luks_drive} /etc/luks-keys/data0.key +done + +# Unlock encrypted drives in bulk +export LUKS_DEVS="/dev/nvme4n1p1 /dev/nvme3n1p1 /dev/nvme0n1p1 /dev/nvme1n1p4 /dev/nvme2n1p1 /dev/nvme5n1p1" +for luks_drive in $LUKS_DRIVES; do + cryptsetup -q -v luksOpen --key-file /etc/luks-keys/data0.key /dev/${luks_drive} luks-$(cryptsetup luksUUID /dev/${luks_drive}) +done + +# Add new keys in bulk +export LUKS_DEVS="/dev/nvme4n1p1 /dev/nvme3n1p1 /dev/nvme0n1p1 /dev/nvme1n1p4 /dev/nvme2n1p1 /dev/nvme5n1p1" +for luks_dev in $LUKS_DEVS; do + echo Adding key to $luks_dev + cryptsetup luksAddKey $luks_dev -S 2 +done +``` \ No newline at end of file diff --git a/active/software_virsh/virsh.md b/active/software_virsh/virsh.md index 5ba7036..218c017 100644 --- a/active/software_virsh/virsh.md +++ b/active/software_virsh/virsh.md @@ -16,10 +16,12 @@ Virtual Machine Management - [Set a Static IP](#set-a-static-ip) - [Creating VMs](#creating-vms) - [Create VM with No Graphics and use an Existing QCOW2 Disk](#create-vm-with-no-graphics-and-use-an-existing-qcow2-disk) - - [Create a Cloud Init Compatible VM](#create-a-cloud-init-compatible-vm) + - [Create a Cloud Init Compatible VM](#create-a-cloud-init-compatible-vm) - [Create VM with Graphics using an ISO Installation Disk](#create-vm-with-graphics-using-an-iso-installation-disk) - [Create VM using Host Device as Disk](#create-vm-using-host-device-as-disk) + - [Create a Home Assistant VM](#create-a-home-assistant-vm) - [Snapshots](#snapshots) + - [Creating and Attaching Disks](#creating-and-attaching-disks) - [Virt Builder](#virt-builder) ## Before you Begin 
@@ -55,6 +57,12 @@ Virtual Machine Management export LIBVIRT_DEFAULT_URI='qemu+ssh://user@server/system' ``` +Or for Truenas + +```bash +export LIBVIRT_DEFAULT_URI='qemu+ssh://root@truenas/system?socket=/run/truenas_libvirt/libvirt-sock' +``` + ## Useful Virsh Commands ```bash @@ -234,7 +242,7 @@ virt-install \ --import --disk "path=${VM_DISK_PATH},bus=virtio" ``` -#### Create a Cloud Init Compatible VM +### Create a Cloud Init Compatible VM 
@@ -318,10 +326,93 @@ virt-install \ --disk none ``` +### Create a Home Assistant VM + +```bash +virt-install \ +--name haos \ +--description "Home Assistant OS" \ +--os-variant=generic \ +--ram=4096 \ +--vcpus=2 \ +--disk /var/lib/libvirt/images/haos_ova-16.3.qcow2,bus=scsi \ +--controller type=scsi,model=virtio-scsi \ +--import \ +--graphics none \ +--boot uefi +``` + ## Snapshots See [qemu qcow2 snapshots](/active/software_qemu/qemu.md#qcow2-snapshots) +## Creating and Attaching Disks + +To create and attach one disk: + +```bash +export VM_NAME="cloud-init-test-fedora" +export VM_DISK_NAME="test1" +qemu-img create -f qcow2 /var/lib/libvirt/images/${VM_DISK_NAME}.qcow2 1G + +virsh attach-disk ${VM_NAME} \ +--source /var/lib/libvirt/images/${VM_DISK_NAME} \ +--target vdb \ +--persistent +--live +``` + +To create and attach multiple disks (for raid testing) + +```bash +export VM_NAME="cloud-init-test-fedora" +# Max supported for this script is 25 +export VM_NUM_DISKS=8 +export VM_DISK_SIZE=4G + +##### Attach ##### +# Create the disks and target mounts from our array +letters=($(echo {a..z})) +for disk_num in $(seq 1 $VM_NUM_DISKS); do + VM_DISK_NAME="test-${disk_num}" + VM_DISK_TARGET=vd${letters[$disk_num]} + + echo "Creating /var/lib/libvirt/images/${VM_DISK_NAME}.qcow2" + sudo qemu-img create -f qcow2 /var/lib/libvirt/images/${VM_DISK_NAME}.qcow2 ${VM_DISK_SIZE} + + echo "Attaching vd${letters[$disk_num]} to ${VM_NAME}" + virsh attach-disk ${VM_NAME} \ + --source /var/lib/libvirt/images/${VM_DISK_NAME}.qcow2 \ + --target vd${letters[$disk_num]} \ + --persistent \ + --subdriver qcow2 \ + --live +done; + +##### Cleanup ##### +# Detach the disks from our VMs +letters=($(echo {a..z})) +for disk_num in $(seq 1 $VM_NUM_DISKS); do + VM_DISK_NAME="test-${disk_num}" + VM_DISK_TARGET=vd${letters[$disk_num]} + + echo "Detaching vd${letters[$disk_num]} from ${VM_NAME}" + virsh detach-disk ${VM_NAME} \ + --target vd${letters[$disk_num]} \ + --persistent +done; + +# 
Optionally delete images +letters=($(echo {a..z})) +for disk_num in $(seq 1 $VM_NUM_DISKS); do + VM_DISK_NAME="test-${disk_num}" + VM_DISK_TARGET=vd${letters[$disk_num]} + + echo "Removing /var/lib/libvirt/images/${VM_DISK_NAME}.qcow2" + sudo rm /var/lib/libvirt/images/${VM_DISK_NAME}.qcow2 +done; +``` + ## Virt Builder
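Review bot: The first two loops in the luks.md Batch Operations block never run, because they iterate over `$LUKS_DRIVES` while the variable exported just above each of them is `LUKS_DEVS`; and once the name is fixed, `/dev/${luks_drive}` would expand to `/dev//dev/nvme4n1p1` since every entry in the list already carries the `/dev/` prefix. Suggest matching the third loop: `for luks_dev in $LUKS_DEVS; do` / `cryptsetup -q -v luksFormat ${luks_dev} /etc/luks-keys/data0.key` / `done`, and the same substitution for the `luksOpen` loop (including the inner `cryptsetup luksUUID ${luks_dev}`). Also in this hunk: the "Mostly taken from here:" line under TPM2 Decryption has no link after it; the PCR table's "2: Kernel" entry does not match the systemd-cryptenroll man page, which describes PCR 2 as extended or pluggable executable code (option ROMs) rather than the kernel, so that row is worth verifying; and it would help to state next to the enroll command that binding to PCRs 8 and 9 means every kernel, cmdline or initrd change requires the Reenroll command shown, otherwise the automatic TPM2 unlock stops working at the next boot.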
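Review bot: The single-disk `virsh attach-disk` example in Creating and Attaching Disks is broken in two ways: the `--persistent` line has no trailing backslash, so `--live` is run as a separate shell command and the attach is done without it, and `--source` points at `/var/lib/libvirt/images/${VM_DISK_NAME}` without the `.qcow2` suffix that the preceding `qemu-img create` wrote. It also omits `--subdriver qcow2`, which the multi-disk loop below passes correctly; without it libvirt treats the image as raw and the guest sees the qcow2 container instead of an empty disk. Suggest `--source /var/lib/libvirt/images/${VM_DISK_NAME}.qcow2 \`, `--subdriver qcow2 \`, `--persistent \` followed by `--live`. Minor points in the loops: `VM_DISK_TARGET` is assigned in all three loops but never used (the target is recomputed inline as `vd${letters[$disk_num]}`), so either pass `--target ${VM_DISK_TARGET}` or drop the assignment; and since `disk_num` starts at 1, the first disk lands on `vdb`, which is presumably intentional to leave `vda` for the OS disk, but a comment saying so would make both that and the "Max supported for this script is 25" remark self-explanatory.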