stafwag Blog

staf wagemakers blog

Install Arch on an Encrypted Btrfs Partition

I’m preparing to move my workstation to Arch Linux. Before I install it on my physical workstation I did the installation on a virtual machine. I’ll use btrfs as the filesystem during the installation. btrfs is a nice filesystem, but it had some serious data loss issues with RAID5/RAID6 recently.

btrfs might not be stable enough for a production environment, but it has some nice features like snapshots, send/receive, compression etc. I use zfs for my important data anyway.

To encrypt or not to encrypt…

It’s possible to encrypt your boot partition: grub has support for luks volumes. This causes grub to ask for a password during the system startup, and you’ll need to type in your password a second time when your Linux initrd image is booted. It’s possible to avoid this by adding a keyfile to your crypttab, which might be considered a security risk.

In this howto we’ll set up a single root partition to have full disk encryption. I’m not sure I’ll go with an encrypted boot partition during my final installation. I might just create an empty partition of 1G so I can switch between an encrypted and a non-encrypted boot filesystem.

Download the arch linux iso and boot it

After Arch Linux is booted, verify that you have internet access. If the network card is supported and DHCP is enabled on your network, you should get a network address.

Network access

To set up the system remotely we first need to set up network access to our system.

Verify the interface

root@archiso ~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:69:d4:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.23/24 brd 192.168.122.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a7b:481f:2f70:e688/64 scope link 
       valid_lft forever preferred_lft forever
root@archiso ~ # 

Verify internet access

root@archiso ~ # ping -c 3 8.8.8.8                                                                                      :(
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=49 time=49.2 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=49 time=45.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=49 time=46.8 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 45.896/47.329/49.201/1.406 ms
root@archiso ~ # nslookup www.google.be
Server:         192.168.122.1
Address:        192.168.122.1#53

Non-authoritative answer:
Name:   www.google.be
Address: 64.233.167.94

root@archiso ~ # ping www.google.be
PING www.google.be (64.233.167.94) 56(84) bytes of data.
64 bytes from wl-in-f94.1e100.net (64.233.167.94): icmp_seq=1 ttl=46 time=58.7 ms
64 bytes from wl-in-f94.1e100.net (64.233.167.94): icmp_seq=2 ttl=46 time=58.7 ms
64 bytes from wl-in-f94.1e100.net (64.233.167.94): icmp_seq=3 ttl=46 time=58.4 ms
^C
--- www.google.be ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 58.479/58.645/58.742/0.230 ms
root@archiso ~ #                   

ssh access

If you want to install Arch Linux over ssh you need to assign a root password and start the sshd service.

root password

root@archiso ~ # passwd root       
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
root@archiso ~ # 

start sshd

root@archiso ~ # systemctl list-unit-files -t service | grep ssh
sshd.service                               disabled
sshd@.service                              static  
sshdgenkeys.service                        static  
root@archiso ~ # systemctl start sshd                           
root@archiso ~ #

Logon remotely

[staf@vicky ~]$ ssh -l root 192.168.122.23
root@192.168.122.23's password: 
Last login: Tue Jun 30 09:06:00 2015 from 192.168.122.1
root@archiso ~ # 

Partition

Find your harddisk device name

root@archiso ~ # cat /proc/partitions
major minor  #blocks  name

   8        0  268435456 sda
  11        0     759808 sr0
   7        0     328616 loop0
root@archiso ~ # 

Overwrite it with random data

Because we are creating an encrypted filesystem it’s a good idea to overwrite the disk with random data first.

We’ll use badblocks for this. Another method is to use “dd if=/dev/random of=/dev/xxx”; the “dd” method is probably the best one, but it is a lot slower.

root@archiso ~ # badblocks -c 10240 -s -w -t random -v /dev/sda
Checking for bad blocks in read-write mode
From block 0 to 268435455
Testing with random pattern: done                                                 
Reading and comparing: done                                                 
Pass completed, 0 bad blocks found. (0/0/0 errors)
badblocks -c 10240 -s -w -t random -v /dev/sda  49.22s user 21.72s system 3% cpu 33:48.40 total
root@archiso ~ # 

Partition the harddisk

Create 3 partitions:

  • 1G /boot (we’ll not use this during the installation - see above - )
  • 32G swap
  • root btrfs partition
root@archiso ~ # fdisk /dev/sda                                

Welcome to fdisk (util-linux 2.28).                                                    
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x7ff944e5.

Command (m for help): p
Disk /dev/sda: 256 GiB, 274877906944 bytes, 536870912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7ff944e5

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-536870911, default 2048): +1G
Value out of range.
First sector (2048-536870911, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-536870911, default 536870911): 
Do you really want to quit? y
1 root@archiso ~ # fdisk /dev/sda                                                   :(

Welcome to fdisk (util-linux 2.28).                                                    
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xa806e281.

Command (m for help): p
Disk /dev/sda: 256 GiB, 274877906944 bytes, 536870912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa806e281

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-536870911, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-536870911, default 536870911): +1G

Created a new partition 1 of type 'Linux' and of size 1 GiB.

Command (m for help): n
Partition type
   p   primary (1 primary, 0 extended, 3 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2): 
First sector (2099200-536870911, default 2099200): 
Last sector, +sectors or +size{K,M,G,T,P} (2099200-536870911, default 536870911): +32G

Created a new partition 2 of type 'Linux' and of size 32 GiB.

Command (m for help): n
Partition type
   p   primary (2 primary, 0 extended, 2 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (3,4, default 3): 
First sector (69208064-536870911, default 69208064): 
Last sector, +sectors or +size{K,M,G,T,P} (69208064-536870911, default 536870911): 

Created a new partition 3 of type 'Linux' and of size 223 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

root@archiso ~ # 

Format the root partition

We’ll continue with the root filesystem; we’ll initialize the swap space after the installation.

Create the root luks volume:

root@archiso ~ # cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 --hash sha256 --use-random /dev/sda3

WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
5.01s user 0.04s system 21% cpu 23.750 total
root@archiso ~ # 

Open the root luks volume

root@archiso ~ # cryptsetup luksOpen /dev/sda3 cryptroot
Enter passphrase for /dev/sda3: 
root@archiso ~ # 

Format the root volume with btrfs

root@archiso ~ # mkfs.btrfs /dev/mapper/cryptroot
btrfs-progs v4.6.1
See http://btrfs.wiki.kernel.org for more information.

Label:              (null)
UUID:               cbfcc8d6-0cf9-4656-bcda-2525faeadfe6
Node size:          16384
Sector size:        4096
Filesystem size:    217.00GiB
Block group profiles:
  Data:             single            8.00MiB
  Metadata:         DUP               1.01GiB
  System:           DUP              12.00MiB
SSD detected:       no
Incompat features:  extref, skinny-metadata
Number of devices:  1
Devices:
   ID        SIZE  PATH
    1   217.00GiB  /dev/mapper/cryptroot

root@archiso ~ # 

Mount the root filesystem

root@archiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults /dev/mapper/cryptroot /mnt
root@archiso ~ # 

Create the subvolumes

root@archiso ~ # cd /mnt
root@archiso /mnt # btrfs subvolume create __active
Create subvolume './__active'
root@archiso /mnt # btrfs subvolume create __active/rootvol
Create subvolume '__active/rootvol'
root@archiso /mnt # btrfs subvolume create __active/home
Create subvolume '__active/home'
root@archiso /mnt # btrfs subvolume create __active/var
Create subvolume '__active/var'
root@archiso /mnt # btrfs subvolume create __snapshots
Create subvolume './__snapshots'
root@archiso /mnt #

Mount the subvolumes

root@archiso /mnt # cd 
root@archiso ~ # umount /mnt
root@archiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults,subvol=__active/rootvol /dev/mapper/cryptroot /mnt
root@archiso ~ # mkdir /mnt/{home,var}
root@archiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults,subvol=__active/home /dev/mapper/cryptroot /mnt/home
root@archiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults,subvol=__active/var /dev/mapper/cryptroot /mnt/var
root@archiso ~ # sync
root@archiso ~ # 

System installation

bootstrap the system

root@archiso ~ # pacstrap /mnt base base-devel btrfs-progs
==> Creating install root at /mnt
==> Installing packages to /mnt
:: Synchronizing package databases...
 core                     119.9 KiB   652K/s 00:00 [######################] 100%
 extra                   1760.1 KiB   688K/s 00:03 [######################] 100%
 community                  3.6 MiB   906K/s 00:04 [######################] 100%
:: There are 50 members in group base:
:: Repository core
   1) bash  2) bzip2  3) coreutils  4) cryptsetup  5) device-mapper  6) dhcpcd
   7) diffutils  8) e2fsprogs  9) file  10) filesystem  11) findutils  12) gawk
   13) gcc-libs  14) gettext  15) glibc  16) grep  17) gzip  18) inetutils
   19) iproute2  20) iputils  21) jfsutils  22) less  23) licenses  24) linux
   25) logrotate  26) lvm2  27) man-db  28) man-pages  29) mdadm  30) nano
   31) netctl  32) pacman  33) pciutils  34) pcmciautils  35) perl
   36) procps-ng  37) psmisc  38) reiserfsprogs  39) s-nail  40) sed
   41) shadow  42) sysfsutils  43) systemd-sysvcompat  44) tar  45) texinfo
   46) usbutils  47) util-linux  48) vi  49) which  50) xfsprogs

Enter a selection (default=all): 
:: There are 25 members in group base-devel:
:: Repository core
   1) autoconf  2) automake  3) binutils  4) bison  5) fakeroot  6) file
   7) findutils  8) flex  9) gawk  10) gcc  11) gettext  12) grep  13) groff
   14) gzip  15) libtool  16) m4  17) make  18) pacman  19) patch
   20) pkg-config  21) sed  22) sudo  23) texinfo  24) util-linux  25) which

Enter a selection (default=all): 
warning: skipping target: file
warning: skipping target: findutils
warning: skipping target: gawk
warning: skipping target: gettext
warning: skipping target: grep
warning: skipping target: gzip
warning: skipping target: pacman
warning: skipping target: sed
warning: skipping target: texinfo
warning: skipping target: util-linux
warning: skipping target: which
resolving dependencies...
looking for conflicting packages...

Packages (144) acl-2.2.52-2  archlinux-keyring-20160812-1  attr-2.4.47-1
               ca-certificates-20160507-1  ca-certificates-cacert-20140824-3
               ca-certificates-mozilla-3.26-1  ca-certificates-utils-20160507-1
               cracklib-2.9.6-1  curl-7.50.1-1  db-5.3.28-3  dbus-1.10.8-1
               expat-2.2.0-2  gc-7.4.2-4  gdbm-1.12-2  glib2-2.48.1-1
<snip>
               procps-ng-3.3.12-1  psmisc-22.21-3  reiserfsprogs-3.6.25-1
               s-nail-14.8.10-1  sed-4.2.2-4  shadow-4.2.1-3  sudo-1.8.17.p1-1
               sysfsutils-2.1.0-9  systemd-sysvcompat-231-1  tar-1.29-1
               texinfo-6.1-4  usbutils-008-1  util-linux-2.28.1-1
               vi-1:070224-2  which-2.21-2  xfsprogs-4.7.0-1

Total Download Size:   231.85 MiB
Total Installed Size:  801.27 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 linux-api-headers-4...   810.7 KiB   891K/s 00:01 [######################] 100%
 tzdata-2016f-1-any       215.4 KiB   909K/s 00:00 [######################] 100%
 iana-etc-20160513-1-any  352.2 KiB   723K/s 00:00 [######################] 100%
 filesystem-2015.09-...     8.8 KiB   875K/s 00:00 [######################] 100%
 glibc-2.24-2-x86_64        8.1 MiB   918K/s 00:09 [######################] 100%
 gcc-libs-6.1.1-5-x86_64   14.9 MiB   899K/s 00:17 [######################] 100%
<snip>
(144/144) installing btrfs-progs                   [######################] 100%
:: Running post-transaction hooks...
(1/4) Updating manpage index...
mandb: can't set the locale; make sure $LC_* and $LANG are correct
(2/4) Updating the info directory file...
(3/4) Updating udev Hardware Database...
(4/4) Rebuilding certificate stores...
pacstrap /mnt base base-devel btrfs-progs  27.81s user 10.20s system 10% cpu 5:50.56 total
root@archiso ~ # 

Generate /etc/fstab

root@archiso ~ # genfstab -p /mnt >> /mnt/etc/fstab
root@archiso ~ # vi /mnt/etc/fstab
# 
# /etc/fstab: static file system information
#
# <file system> <dir>   <type>  <options>       <dump>  <pass>
# UUID=c8ca38de-4e58-4c7c-8f5b-c9c3f92f6a24
/dev/mapper/cryptroot   /               btrfs           rw,noatime,compress=lzo,ssd,discard,space_cache,subvolid=258,subvol=/__active/rootvol,subvol=__active/rootvol  0 0

# UUID=c8ca38de-4e58-4c7c-8f5b-c9c3f92f6a24
/dev/mapper/cryptroot   /home           btrfs           rw,noatime,compress=lzo,ssd,discard,space_cache,subvolid=259,subvol=/__active/home,subvol=__active/home        0 0

# UUID=c8ca38de-4e58-4c7c-8f5b-c9c3f92f6a24
/dev/mapper/cryptroot   /var            btrfs           rw,noatime,compress=lzo,ssd,discard,space_cache,subvolid=260,subvol=/__active/var,subvol=__active/var  0 0

chroot

root@archiso ~ # arch-chroot /mnt
[root@archiso /]# 

Set the timezone

Link the timezone to /etc/localtime

[root@archiso /]# ln -s /usr/share/zoneinfo/Europe/Brussels /etc/localtime
[root@archiso /]# 

Set the hardware clock to UTC

hwclock --systohc --utc

Generate the required locales

[root@archiso /]# vi /etc/locale.gen 
[root@archiso /]# locale-gen
Generating locales...
  en_IE.UTF-8... done
  en_IE.ISO-8859-1... done
  en_IE.ISO-8859-15@euro... done
  en_US.UTF-8... done
  en_US.ISO-8859-1... done
  nl_BE.UTF-8... done
  nl_BE.ISO-8859-1... done
  nl_BE.ISO-8859-15@euro... done
Generation complete.
[root@archiso /]# 

Hostname

[root@archiso /]# vi /etc/hostname
[root@archiso /]# 
[root@archiso /]# vi /etc/hosts

mkinitcpio

HOOKS

Add encrypt to HOOKS before filesystems in /etc/mkinitcpio.conf

[root@archiso /]# vi /etc/mkinitcpio.conf 
HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"

Create boot image

[root@archiso /]# mkinitcpio -p linux
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 4.7.1-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [encrypt]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 4.7.1-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: wd719x
==> WARNING: Possibly missing firmware for module: aic94xx
  -> Running build hook: [encrypt]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful
[root@archiso /]#

set the root password

[root@archiso /]# passwd root
New password: 
Retype new password: 
passwd: password updated successfully
[root@archiso /]# 

GRUB

install Grub

[root@archiso /]# pacman -Sy grub
:: Synchronizing package databases...
 core is up to date
 extra                   1760.1 KiB   917K/s 00:02 [######################] 100%
 community                  3.6 MiB   896K/s 00:04 [######################] 100%
resolving dependencies...
looking for conflicting packages...

Packages (1) grub-1:2.02.beta3-3

Total Download Size:    5.83 MiB
Total Installed Size:  28.70 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
 grub-1:2.02.beta3-3...     5.8 MiB   917K/s 00:07 [######################] 100%
(1/1) checking keys in keyring                     [######################] 100%
(1/1) checking package integrity                   [######################] 100%
(1/1) loading package files                        [######################] 100%
(1/1) checking for file conflicts                  [######################] 100%
(1/1) checking available disk space                [######################] 100%
:: Processing package changes...
(1/1) installing grub                              [######################] 100%
Generating grub.cfg.example config file...
This may fail on some machines running a custom kernel.
done.
Optional dependencies for grub
    freetype2: For grub-mkfont usage
    fuse: For grub-mount usage
    dosfstools: For grub-mkrescue FAT FS and EFI support
    efibootmgr: For grub-install EFI support
    libisoburn: Provides xorriso for generating grub rescue iso using
    grub-mkrescue
    os-prober: To detect other OSes when generating grub.cfg in BIOS systems
    mtools: For grub-mkrescue FAT FS support
:: Running post-transaction hooks...
(1/2) Updating manpage index...
(2/2) Updating the info directory file...
[root@archiso /]# 

Install grub to your boot disk

[root@archiso /]# grub-install --target=i386-pc /dev/sda
Installing for i386-pc platform.
grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=y' in file `/etc/default/grub'.
[root@archiso /]# 

Enable cryptodisk

Because we use an encrypted boot disk we need to enable cryptodisk support.

Add GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub

[root@archiso /]# vi /etc/default/grub
[root@archiso /]# 
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
GRUB_ENABLE_CRYPTODISK=y

And run grub-install again

[root@archiso /]# grub-install --target=i386-pc /dev/sda
Installing for i386-pc platform.
Installation finished. No error reported.
[root@archiso /]# 

Create grub.cfg

Add your encrypted root partition to GRUB_CMDLINE_LINUX= in /etc/default/grub

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:cryptroot"
GRUB_ENABLE_CRYPTODISK=y

And generate grub.cfg

[root@archiso /]# grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-linux
Found initrd image(s) in /boot: initramfs-linux.img
Found fallback initrd image(s) in /boot: initramfs-linux-fallback.img
done
[root@archiso /]# 

Reboot

[root@archiso /]# vi /boot/grub/grub.cfg
[root@archiso /]# sync
[root@archiso /]# reboot
Running in chroot, ignoring request.
[root@archiso /]# exit
arch-chroot /mnt  9.76s user 1.37s system 0% cpu 23:13.29 total
root@archiso ~ # reboot

Finish the installation

1st boot

As mentioned before, GRUB will ask for a passphrase to decrypt the boot partition.

You’ll need to type the password a second time during the loading of the initrd.

Setup swap space

Update /etc/crypttab

swap         /dev/sda2                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256

Reboot the system to verify that the encrypted swap partition is mapped correctly during the system startup.

[root@vicky ~]# ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Aug 29 15:43 control
lrwxrwxrwx 1 root root       7 Aug 29 15:43 cryptroot -> ../dm-0
lrwxrwxrwx 1 root root       7 Aug 29 15:43 swap -> ../dm-1
[root@vicky ~]# 

Create swap

[root@vicky ~]# mkswap /dev/mapper/swap 
Setting up swapspace version 1, size = 32 GiB (34359734272 bytes)
no label, UUID=66ea5a08-0833-4e84-8b95-f1a9c2d772b2
[root@vicky ~]# 

Activate swap

[root@vicky ~]# swapon /dev/mapper/swap
[root@vicky ~]# free
              total        used        free      shared  buff/cache   available
Mem:        4051236       85932     3890708         440       74596     3807084
Swap:      33554428           0    33554428
[root@vicky ~]# 

Update /etc/fstab

/dev/mapper/swap swap                    swap    defaults,discard,pri=3        0 0 
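The three files edited during this install (the HOOKS line in /etc/mkinitcpio.conf, GRUB_CMDLINE_LINUX and GRUB_ENABLE_CRYPTODISK in /etc/default/grub, and the swap line in /etc/crypttab) are easy to get subtly wrong, and a mistake only shows up at the next boot. The POSIX sh checks below are an added example, not part of the original post: they run against constructed copies of those files in a temp directory, so the paths and sample contents are assumptions, not a real system.

```shell
#!/bin/sh
# Added example: sanity checks for the files edited during the install above.
# Everything below works on constructed sample files in a temp dir, not on /etc.
TMP=$(mktemp -d)

# Constructed samples: the HOOKS line from the post, and a wrong ordering.
printf 'HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"\n' \
    > "$TMP/mkinitcpio.conf"
printf 'HOOKS="base udev autodetect modconf block filesystems encrypt keyboard fsck"\n' \
    > "$TMP/mkinitcpio.bad"

# Constructed /etc/default/grub samples: a correct one, and one with the doubled
# quotes that are easy to type around the cryptdevice= value.
cat > "$TMP/grub.good" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:cryptroot"
GRUB_ENABLE_CRYPTODISK=y
EOF
cat > "$TMP/grub.bad" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""cryptdevice=/dev/sda3:cryptroot""
GRUB_ENABLE_CRYPTODISK=y
EOF

# Constructed crypttab and fstab lines, matching the ones in the post.
printf 'swap /dev/sda2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256\n' > "$TMP/crypttab"
cat > "$TMP/fstab" <<'EOF'
/dev/mapper/cryptroot / btrfs rw,noatime,compress=lzo,ssd,discard,space_cache,subvol=__active/rootvol 0 0
/dev/mapper/swap swap swap defaults,discard,pri=3 0 0
EOF

# check_hooks FILE: the encrypt hook must come after block (so the device
# node exists) and before filesystems (so the mapped root can be mounted).
check_hooks() {
    hooks=$(sed -n 's/^HOOKS=//p' "$1" | tail -n 1 | tr -d '"()')
    pos=0; b=0; e=0; f=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            block)       b=$pos ;;
            encrypt)     e=$pos ;;
            filesystems) f=$pos ;;
        esac
    done
    [ "$b" -gt 0 ] && [ "$e" -gt "$b" ] && [ "$f" -gt "$e" ]
}

# check_grub FILE: cryptodisk enabled, and GRUB_CMDLINE_LINUX holds exactly one
# double-quoted value containing cryptdevice=<device>:<name>.
check_grub() {
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$1" || return 1
    line=$(sed -n 's/^GRUB_CMDLINE_LINUX=//p' "$1" | tail -n 1)
    case $line in
        '"'*'"') ;;          # opens and closes with a quote
        *) return 1 ;;
    esac
    inner=${line#\"}; inner=${inner%\"}
    case $inner in
        *'"'*) return 1 ;;   # a stray quote inside ends the value early
    esac
    case $inner in
        *cryptdevice=*:*) return 0 ;;
    esac
    return 1
}

# check_crypttab_swap FILE: the swap mapping must be keyed from /dev/urandom
# (a fresh key every boot, so nothing survives a reboot) with the swap option,
# which re-formats the device at each boot; note this rules out hibernation.
check_crypttab_swap() {
    awk '$1 == "swap" && $3 == "/dev/urandom" && $4 ~ /(^|,)swap(,|$)/ { found = 1 }
         END { exit !found }' "$1"
}

# check_fstab_discard FILE: true when a /dev/mapper mount uses discard. That is
# a trade-off the post accepts: TRIM lets the disk see which blocks are unused.
check_fstab_discard() {
    awk '$1 ~ /^\/dev\/mapper\// && $4 ~ /(^|,)discard(,|$)/ { found = 1 }
         END { exit !found }' "$1"
}

# report MKINITCPIO GRUB CRYPTTAB FSTAB: one line per check, 0 only if all pass.
report() {
    status=0
    for c in "check_hooks $1" "check_grub $2" "check_crypttab_swap $3"; do
        if $c; then echo "PASS: $c"; else echo "FAIL: $c"; status=1; fi
    done
    check_fstab_discard "$4" && echo "INFO: discard used on a dm-crypt mount in $4"
    return $status
}

report "$TMP/mkinitcpio.conf" "$TMP/grub.good" "$TMP/crypttab" "$TMP/fstab" || echo "fix before rebooting"
report "$TMP/mkinitcpio.bad"  "$TMP/grub.bad"  "$TMP/crypttab" "$TMP/fstab" || echo "fix before rebooting"
```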

Have fun

Links

Thunderbird: Importing S/mime Certificate Failed

On http://kb.mozillazine.org/Getting_an_SMIME_certificate you get a list of free S/MIME certificates.

I ordered a free 30-day certificate at GlobalSign: https://www.globalsign.com/en/personalsign/trial/

The import of the pkcs12 failed in Thunderbird with the message: “The PKCS #12 operation failed for unknown reasons.”

Searching the internet didn’t provide a solution. To debug this issue I started by extracting the private key and the certificate from the pkcs12 file provided by GlobalSign and creating a new one.

To execute these commands I use an encrypted luks volume.

Create a new pkcs12 file

verifying the pkx file

password too long?

The first issue was that the password of my pkx was too long: by default the openssl pkcs12 command seems to have a limit of 32 characters.

[staf@vicky staf@wagemakers.be]$ openssl pkcs12 -in staf.pkx 
Enter Import Password:
Can't read Password
[staf@vicky staf@wagemakers.be]$ 

Using the “-passin pass”, “-passin stdin” or “-passin file” argument resolves this issue. The “-passin pass” argument will show the password on the screen and in the shell history, “-passin stdin” will show your password on the screen, and “-passin file” will leave your password on the (hopefully encrypted) filesystem, so I went with the “-passin file” option.

Create the password file

Create the file that holds your password with the correct file permissions; you must be the only one able to read this file:

[staf@vicky staf@wagemakers.be]$ touch pass
[staf@vicky staf@wagemakers.be]$ chmod 600 pass
[staf@vicky staf@wagemakers.be]$ vi pass

Try again

With the “-passin file” argument we are able to read the pkcs12 file.

[staf@vicky staf@wagemakers.be]$ openssl pkcs12 -in staf.pkx -passin file:pass
MAC verified OK
Bag Attributes
    localKeyID: 9B B7 F3 7A 96 46 1F 08 28 A2 BC 2B 87 0E 53 92 29 B4 7D 7D 
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Bag Attributes
    localKeyID: 9B B7 F3 7A 96 46 1F 08 28 A2 BC 2B 87 0E 53 92 29 B4 7D 7D 
subject=/CN=staf@wagemakers.be/emailAddress=staf@wagemakers.be
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign PersonalSign 1 CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
<snip>

Extract

We’ll extract the private key and the certificates, build a new pkcs12 file and import this pkcs12 file into Thunderbird.

Extract the private key

The private key is encrypted inside the “bag”, so you need to type the pass phrase or copy/paste it…

[staf@vicky staf@wagemakers.be]$ openssl pkcs12 -in staf.pkx -nocerts -out key.pem -passin file:pass 
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Extract the client certificate

The client certificate isn’t encrypted so you can leave the pem password empty.

[staf@vicky staf@wagemakers.be]$ openssl pkcs12 -in staf.pkx -clcerts -out staf.pem -passin file:pass 
MAC verified OK

Enter PEM pass phrase:
[staf@vicky staf@wagemakers.be]$ 

Verify the key and certificate

To verify that the certificate and the private key belong together we compare the modulus of the key with the modulus of the certificate: the sha1sums should match.

[staf@vicky staf@wagemakers.be]$ openssl rsa -in key.pem -modulus -noout | sha1sum
Enter pass phrase for key.pem:
1234567890123456789012345678901234567890  -
[staf@vicky staf@wagemakers.be]$ 
[staf@vicky staf@wagemakers.be]$ openssl x509 -in staf.pem -modulus -noout | sha1sum
1234567890123456789012345678901234567890  -
[staf@vicky staf@wagemakers.be]$ 

Extract the signing certificate(s)

The following command extracts the ca certificates.

[staf@vicky staf@wagemakers.be]$ openssl pkcs12 -in staf.pkx -cacerts -out cacerts.pem -passin file:pass
MAC verified OK
Enter PEM pass phrase:

Create a new pkcs12 file

This time we use a 32-character password.

[staf@vicky staf@wagemakers.be]$ openssl pkcs12 -export -in staf.pem -inkey key.pem -certfile cacerts.pem -out staf_new.p12
Enter pass phrase for key.pem:
Enter Export Password:
Verifying - Enter Export Password:

Import the new pkcs12 file

Not sure what the issue was with the original pkcs12, but the import works now (it might have been the 32-character password). After that I was able to use the signing and encryption part in Thunderbird.
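The extract, verify and re-export steps above, scripted end to end as an added example that is not from the original post: it builds a throwaway key and self-signed certificate (constructed test material, not the GlobalSign certificate), packs them into a PKCS#12 file with the password read from a file, extracts them again, and checks that the key belongs to the certificate by hashing the public key rather than the RSA modulus, which does the same job and also covers EC keys. An openssl binary on PATH and the temp-dir file names are assumptions.

```shell
#!/bin/sh
# Added example: the extract / verify / re-export round trip from the post,
# scripted with openssl against constructed test material (a throwaway RSA key
# and self-signed certificate), not the certificate from the post.
# Assumes the openssl command-line tool is installed.
WORK=$(mktemp -d)
umask 077   # everything created below is readable by our user only (like chmod 600 pass)

# Password file in place of typing at the prompt (-passin/-passout file:),
# which also sidesteps the 32-character prompt limit the post ran into. Constructed value.
printf '%s\n' 'constructed-export-password-that-is-well-over-32-characters' > "$WORK/pass"

# make_test_material: key + self-signed cert, packed into a PKCS#12 file.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example-test' \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$WORK/test.p12" -passout "file:$WORK/pass" 2>/dev/null
}

# extract_p12 P12 OUTDIR: private key (PEM, left unencrypted only inside the
# 0700 work dir; the post protects it with a PEM pass phrase instead) and the
# client certificate, both read with the password file, so no prompt.
extract_p12() {
    openssl pkcs12 -in "$1" -nocerts -nodes -out "$2/x_key.pem" \
        -passin "file:$WORK/pass" 2>/dev/null &&
    openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2/x_cert.pem" \
        -passin "file:$WORK/pass" 2>/dev/null
}

# pubkey_fingerprint key|cert FILE: SHA-256 over the DER-encoded public key.
# The post compares the RSA modulus; hashing the whole SubjectPublicKeyInfo
# gives the same answer for RSA and also works for EC keys.
pubkey_fingerprint() {
    {
        case $1 in
            key)  openssl pkey -in "$2" -pubout -outform DER 2>/dev/null ;;
            cert) openssl x509 -in "$2" -pubkey -noout 2>/dev/null |
                  openssl pkey -pubin -outform DER 2>/dev/null ;;
        esac
    } | openssl dgst -sha256 | awk '{ print $NF }'
}

# key_matches_cert KEY CERT: true only if the key belongs to the certificate.
key_matches_cert() {
    k=$(pubkey_fingerprint key "$1"); c=$(pubkey_fingerprint cert "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_other_key FILE: an unrelated key, to show the check really rejects.
make_other_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
    make_test_material && extract_p12 "$WORK/test.p12" "$WORK" &&
    if key_matches_cert "$WORK/x_key.pem" "$WORK/x_cert.pem"; then
        echo "extracted key matches extracted certificate"
    else
        echo "MISMATCH: key and certificate do not belong together"
    fi
fi
```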

Have fun

Happy New Year 2016

Happy new year!

Lookat 1.4.4 Released

Lookat 1.4.4 is the latest stable release of Lookat/Bekijk, the user-friendly file browser/viewer.

ChangeLog

  • NetBSD support
  • OpenBSD support
  • English translation issues corrected
  • autoconf updated to 2.69
  • Corrected minor compile warnings

Lookat 1.4.4 is available at:

http://www.wagemakers.be/english/programs/lookat, or download the latest stable release (1.4.4) directly.

Or at the Git repository at GNU savannah http://git.savannah.gnu.org/cgit/lookat.git/

Have fun

Running Docker on ARM

I own an odroid u3 that I used for my media center with xbmc. While I like the performance of the Exynos4412 CPU, the drivers for the Mali GPU aren’t open source.

I like ARM, but unfortunately a lot of the ARM SoCs have no open source drivers for the GPU.

The manufacturer of the odroid u3 - hardkernel - provides Ubuntu 14.04 images with xbmc and Mali support. It isn’t possible to get the newer version of xbmc - now kodi - running, or I didn’t succeed with it. I’ll look for another solution for my media server needs; this might be my raspberry pi 1 model B+ that is lying around doing nothing, running openelec.

Like I said, I like the performance of the odroid U3; that’s why I installed Arch Linux ARM to play with Docker. I could have stuck with Ubuntu 14.04, but with Arch Linux I get more up-to-date software.

The installation was pretty straightforward; even the docker installation was the same as on an x86 platform.

Since we are using docker on ARM we have to build our own docker base images instead of using the docker registry. I have security concerns about installing and using unsigned, non-verified software anyway. If you build your own image it’s possible to audit/verify the build process.

Creating your own docker base images

Arch

To build a Arch Base Image download mkimage-arch.sh and mkimage-arch-pacman.conf from the Docker source https://github.com/docker/docker/blob/master/contrib/

Download mkimage-arch.sh

[staf@fanny arch]$ wget https://raw.githubusercontent.com/docker/docker/master/contrib/mkimage-arch.sh
--2015-12-26 10:21:10--  https://raw.githubusercontent.com/docker/docker/master/contrib/mkimage-arch.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.43.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.43.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2351 (2.3K) [text/plain]
Saving to: 'mkimage-arch.sh'

mkimage-arch.sh                     100%[=====================================================================>]   2.30K  --.-KB/s   in 0s     

2015-12-26 10:21:10 (144 MB/s) - 'mkimage-arch.sh' saved [2351/2351]

[staf@fanny arch]$ chmod +x mkimage-arch.sh 
[staf@fanny arch]$ 

Increase the timeout

[staf@fanny arch]$ sed -i 's/timeout 60/timeout 120/' mkimage-arch.sh
[staf@fanny arch]$ 

Copy pacman.conf

[staf@fanny arch]$ cp /etc/pacman.conf mkimage-arch-pacman.conf
[staf@fanny arch]$ 

Install the arch keyring

[staf@fanny debian]$ sudo pacman -Ss keyring
core/archlinux-keyring 20151206-1
    Arch Linux PGP keyring
core/archlinuxarm-keyring 20140119-1
    Arch Linux ARM PGP keyring
extra/gnome-keyring 1:3.18.3-1 (gnome)
    GNOME Password Management daemon
extra/gnome-keyring-sharp 1.0.2-5
    A fully managed implementation of libgnome-keyring
extra/libgnome-keyring 3.12.0-2
    GNOME keyring client library
extra/python2-gnomekeyring 2.32.0-15
    Python bindings for libgnome-keyring
community/python-keyring 5.7.1-1
    Store and access your passwords safely.
community/python2-keyring 5.7.1-1
    Store and access your passwords safely.
[staf@fanny debian]$ sudo pacman -S archlinuxarm-keyring
resolving dependencies...
looking for conflicting packages...

Packages (1) archlinuxarm-keyring-20140119-1

Total Download Size:   0.01 MiB
Total Installed Size:  0.03 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages ...
 archlinuxarm-keyring-20140119-1-any           12.2 KiB  1218K/s 00:00 [##################################################] 100%
(1/1) checking keys in keyring                                         [##################################################] 100%
(1/1) checking package integrity                                       [##################################################] 100%
(1/1) loading package files                                            [##################################################] 100%
(1/1) checking for file conflicts                                      [##################################################] 100%
(1/1) checking available disk space                                    [##################################################] 100%
(1/1) installing archlinuxarm-keyring                                  [##################################################] 100%
[staf@fanny debian]$ sudo pacman -S archlinux-keyring
resolving dependencies...
looking for conflicting packages...

Packages (1) archlinux-keyring-20151206-1

Total Download Size:   0.49 MiB
Total Installed Size:  0.70 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages ...
 archlinux-keyring-20151206-1-any             505.5 KiB   231K/s 00:02 [##################################################] 100%
(1/1) checking keys in keyring                                         [##################################################] 100%
(1/1) checking package integrity                                       [##################################################] 100%
(1/1) loading package files                                            [##################################################] 100%
(1/1) checking for file conflicts                                      [##################################################] 100%
(1/1) checking available disk space                                    [##################################################] 100%
(1/1) installing archlinux-keyring                                     [##################################################] 100%
[staf@fanny debian]$
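Before running the build, two checks follow from the "audit/verify the build process" argument above: pin the downloaded mkimage-arch.sh to a checksum recorded from a copy you reviewed before handing it to sudo, and confirm that the pacman.conf passed to pacstrap with -C still requires signed packages for every repository. This is an added example, not code from the blog post or from the Docker contrib scripts; the configuration files and the checksummed file below are constructed, and the real hash of mkimage-arch.sh is something you record yourself.

```shell
#!/bin/sh
# Added example (not from the blog post or the Docker contrib scripts):
#   verify_download  - compare a fetched file against a recorded SHA-256
#   check_siglevel   - refuse a pacman.conf that relaxes signature checking

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_download FILE EXPECTED_SHA256: returns 0 on match, 1 otherwise.
verify_download() {
    _file=$1
    _expected=$2
    _actual=$(sha256_of "$_file") || return 1
    if [ "$_actual" != "$_expected" ]; then
        printf 'checksum mismatch for %s\n  expected %s\n  got      %s\n' \
            "$_file" "$_expected" "$_actual" >&2
        return 1
    fi
}

# check_siglevel FILE: returns 0 when [options] sets a SigLevel and no section
# weakens package signature checking; returns 1 and reports each weak entry.
# Weak tokens are the pacman.conf values that disable the package signature
# check, make it optional, or trust keys that are not in the keyring.
check_siglevel() {
    awk '
        BEGIN { sec = "options"; bad = 0; opts_set = 0 }
        /^[ \t]*#/ { next }                                  # comment line
        /^[ \t]*\[/ {                                        # [section] header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec); next
        }
        /^[ \t]*SigLevel[ \t]*=/ {
            val = $0; sub(/^[ \t]*SigLevel[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (sec == "options") opts_set = 1
            n = split(val, w, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (w[i] == "Never" || w[i] == "PackageNever" ||
                    w[i] == "Optional" || w[i] == "PackageOptional" ||
                    w[i] == "TrustAll" || w[i] == "PackageTrustAll") {
                    printf "weak SigLevel in [%s]: %s\n", sec, val
                    bad = 1
                    break
                }
            }
        }
        END {
            if (!opts_set) { print "no SigLevel set in [options]"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# --- stand-alone demo with constructed input (not the files from the post) ---
demo_dir=$(mktemp -d)

# Keeps the Arch default in [options] and requires signatures for the ALARM repo.
cat > "$demo_dir/strict.conf" <<'EOF'
[options]
SigLevel = Required DatabaseOptional
#SigLevel = Never
[core]
Include = /etc/pacman.d/mirrorlist
[alarm]
SigLevel = Required
Include = /etc/pacman.d/mirrorlist
EOF

# Same file with a third-party repository that switches verification off.
cat > "$demo_dir/weak.conf" <<'EOF'
[options]
SigLevel = Required DatabaseOptional
[aur]
SigLevel = Never
Include = /etc/pacman.d/mirrorlist
EOF

for conf in strict.conf weak.conf; do
    if check_siglevel "$demo_dir/$conf"; then
        echo "$conf: every repository requires signed packages"
    else
        echo "$conf: refusing to build with this pacman.conf"
    fi
done

# Checksum check on a constructed file (SHA-256 of the text "hello\n").
printf 'hello\n' > "$demo_dir/script.sh"
verify_download "$demo_dir/script.sh" \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
    && echo "script.sh: checksum matches"

rm -rf "$demo_dir"
```

Run `check_siglevel mkimage-arch-pacman.conf` on the copied file before the pacstrap step; a file without any SigLevel in [options] is also rejected, since it would fall back to pacman's built-in default instead of a setting you chose.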

Create the base Arch Image

[staf@fanny arch]$ sudo LC_ALL=C TMPDIR=`pwd`/tmp ./mkimage-arch.sh
spawn pacstrap -C ./mkimage-arch-pacman.conf -c -d -G -i /home/staf/docker/docker/base-images/arch/tmp/rootfs-archlinux-eYGavMPZLd base haveged --ignore cryptsetup,device-mapper,dhcpcd,iproute2,jfsutils,linux,lvm2,man-db,man-pages,mdadm,nano,netctl,openresolv,pciutils,pcmciautils,reiserfsprogs,s-nail,systemd-sysvcompat,usbutils,vi,xfsprogs
==> Creating install root at /home/staf/docker/docker/base-images/arch/tmp/rootfs-archlinux-eYGavMPZLd
==> Installing packages to /home/staf/docker/docker/base-images/arch/tmp/rootfs-archlinux-eYGavMPZLd
:: Synchronizing package databases...
 core                                                         210.4 KiB   288K/s 00:01 [##################################################] 100%
 extra                                                          2.3 MiB   409K/s 00:06 [##################################################] 100%
 community                                                      3.2 MiB   314K/s 00:10 [##################################################] 100%
 alarm                                                        105.4 KiB  77.8K/s 00:01 [##################################################] 100%
 aur                                                           31.2 KiB   164K/s 00:00 [##################################################] 100%
:: cryptsetup is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: device-mapper is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: dhcpcd is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: iproute2 is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: jfsutils is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: lvm2 is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: man-db is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: man-pages is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: mdadm is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: nano is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: netctl is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: pciutils is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: reiserfsprogs is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: s-nail is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: systemd-sysvcompat is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: usbutils is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: vi is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: xfsprogs is in IgnorePkg/IgnoreGroup. Install anyway? [Y/n] n
:: There are 31 members in group base:
:: Repository core
   1) bash  2) bzip2  3) coreutils  4) diffutils  5) e2fsprogs  6) file  7) filesystem  8) findutils  9) gawk  10) gcc-libs  11) gettext
   12) glibc  13) grep  14) gzip  15) inetutils  16) iputils  17) less  18) licenses  19) logrotate  20) pacman  21) pacman-mirrorlist
   22) perl  23) procps-ng  24) psmisc  25) sed  26) shadow  27) sysfsutils  28) tar  29) texinfo  30) util-linux  31) which

Enter a selection (default=all): 
resolving dependencies...
looking for conflicting packages...

Packages (86) acl-2.2.52-2  attr-2.4.47-1  ca-certificates-20150402-1  ca-certificates-cacert-20140824-2  ca-certificates-mozilla-3.20.1-1
              ca-certificates-utils-20150402-1  cracklib-2.9.4-1  curl-7.46.0-1  db-5.3.28-3  expat-2.1.0-4  gdbm-1.11-1  glib2-2.46.2-2
              gmp-6.1.0-2  gnupg-2.1.10-3  gnutls-3.4.7-2  gpgme-1.6.0-2  iana-etc-20151016-1  keyutils-1.5.9-1  krb5-1.13.2-1
              libarchive-3.1.2-8  libassuan-2.4.2-1  libcap-2.24-2  libffi-3.2.1-1  libgcrypt-1.6.4-1  libgpg-error-1.21-1  libidn-1.32-1
              libksba-1.3.3-1  libldap-2.4.42-2  libsasl-2.1.26-7  libssh2-1.6.0-1  libsystemd-228-3  libtasn1-4.7-1  libtirpc-1.0.1-2
              libunistring-0.9.6-1  libutil-linux-2.27.1-1  linux-api-headers-4.1.4-1  lz4-131-1  lzo-2.09-1  mpfr-3.1.3.p4-1  ncurses-6.0-4
              nettle-3.1.1-1  npth-1.2-1  openssl-1.0.2.e-1  p11-kit-0.23.1-3  pam-1.2.1-3  pambase-20130928-1  pcre-8.38-2  pinentry-0.9.7-1
              popt-1.16-7  readline-6.3.008-3  sqlite-3.9.2-1  tzdata-2015g-1  xz-5.2.2-1  zlib-1.2.8-4  bash-4.3.042-4  bzip2-1.0.6-5
              coreutils-8.24-1  diffutils-3.3-2  e2fsprogs-1.42.13-1  file-5.25-1  filesystem-2015.09-1  findutils-4.4.2-6  gawk-4.1.3-1
              gcc-libs-5.3.0-3  gettext-0.19.6-2  glibc-2.22-3  grep-2.22-1  gzip-1.6-1  haveged-1.9.1-2  inetutils-1.9.4-2.1
              iputils-20140519.fad11dc-1  less-481-2  licenses-20140629-1  logrotate-3.9.1-1  pacman-4.2.1-4  pacman-mirrorlist-20151217-1
              perl-5.22.1-1  procps-ng-3.3.11-2  psmisc-22.21-3  sed-4.2.2-3  shadow-4.2.1-3  sysfsutils-2.1.0-9  tar-1.28-1  texinfo-6.0-1
              util-linux-2.27.1-1  which-2.21-1

Total Installed Size:  272.82 MiB

:: Proceed with installation? [Y/n] y
(86/86) checking keys in keyring                                                       [##################################################] 100%
(86/86) checking package integrity                                                     [##################################################] 100%
(86/86) loading package files                                                          [##################################################] 100%
(86/86) checking for file conflicts                                                    [##################################################] 100%
(86/86) checking available disk space                                                  [##################################################] 100%
( 1/86) installing linux-api-headers                                                   [##################################################] 100%
( 2/86) installing tzdata                                                              [##################################################] 100%
( 3/86) installing iana-etc                                                            [##################################################] 100%
( 4/86) installing filesystem                                                          [##################################################] 100%
( 5/86) installing glibc                                                               [##################################################] 100%
( 6/86) installing gcc-libs                                                            [##################################################] 100%
( 7/86) installing ncurses                                                             [##################################################] 100%
( 8/86) installing readline                                                            [##################################################] 100%
( 9/86) installing bash                                                                [##################################################] 100%
Optional dependencies for bash
    bash-completion: for tab completion
(10/86) installing bzip2                                                               [##################################################] 100%
(11/86) installing attr                                                                [##################################################] 100%
(12/86) installing acl                                                                 [##################################################] 100%
(13/86) installing gmp                                                                 [##################################################] 100%
(14/86) installing libcap                                                              [##################################################] 100%
(15/86) installing zlib                                                                [##################################################] 100%
(16/86) installing gdbm                                                                [##################################################] 100%
(17/86) installing db                                                                  [##################################################] 100%
(18/86) installing perl                                                                [##################################################] 100%
(19/86) installing openssl                                                             [##################################################] 100%
Optional dependencies for openssl
    ca-certificates [pending]
(20/86) installing coreutils                                                           [##################################################] 100%
(21/86) installing diffutils                                                           [##################################################] 100%
(22/86) installing libutil-linux                                                       [##################################################] 100%
(23/86) installing e2fsprogs                                                           [##################################################] 100%
(24/86) installing file                                                                [##################################################] 100%
(25/86) installing findutils                                                           [##################################################] 100%
(26/86) installing mpfr                                                                [##################################################] 100%
(27/86) installing gawk                                                                [##################################################] 100%
(28/86) installing pcre                                                                [##################################################] 100%
(29/86) installing libffi                                                              [##################################################] 100%
(30/86) installing glib2                                                               [##################################################] 100%
Optional dependencies for glib2
    python2: for gdbus-codegen and gtester-report
    libelf: gresource inspection tool
(31/86) installing libunistring                                                        [##################################################] 100%
(32/86) installing gettext                                                             [##################################################] 100%
Optional dependencies for gettext
    git: for autopoint infrastructure updates
(33/86) installing grep                                                                [##################################################] 100%
(34/86) installing less                                                                [##################################################] 100%
(35/86) installing gzip                                                                [##################################################] 100%
(36/86) installing cracklib                                                            [##################################################] 100%
(37/86) installing libsasl                                                             [##################################################] 100%
(38/86) installing libldap                                                             [##################################################] 100%
(39/86) installing keyutils                                                            [##################################################] 100%
(40/86) installing krb5                                                                [##################################################] 100%
(41/86) installing libtirpc                                                            [##################################################] 100%
(42/86) installing pambase                                                             [##################################################] 100%
(43/86) installing pam                                                                 [##################################################] 100%
(44/86) installing inetutils                                                           [##################################################] 100%
(45/86) installing sysfsutils                                                          [##################################################] 100%
(46/86) installing iputils                                                             [##################################################] 100%
Optional dependencies for iputils
    xinetd: for tftpd
(47/86) installing licenses                                                            [##################################################] 100%
(48/86) installing popt                                                                [##################################################] 100%
(49/86) installing logrotate                                                           [##################################################] 100%
(50/86) installing expat                                                               [##################################################] 100%
(51/86) installing lzo                                                                 [##################################################] 100%
(52/86) installing xz                                                                  [##################################################] 100%
(53/86) installing libarchive                                                          [##################################################] 100%
(54/86) installing texinfo                                                             [##################################################] 100%
(55/86) installing libtasn1                                                            [##################################################] 100%
(56/86) installing p11-kit                                                             [##################################################] 100%
(57/86) installing ca-certificates-utils                                               [##################################################] 100%
(58/86) installing ca-certificates-mozilla                                             [##################################################] 100%
(59/86) installing ca-certificates-cacert                                              [##################################################] 100%
(60/86) installing ca-certificates                                                     [##################################################] 100%
(61/86) installing libidn                                                              [##################################################] 100%
(62/86) installing libssh2                                                             [##################################################] 100%
(63/86) installing curl                                                                [##################################################] 100%
(64/86) installing libgpg-error                                                        [##################################################] 100%
(65/86) installing npth                                                                [##################################################] 100%
(66/86) installing libgcrypt                                                           [##################################################] 100%
(67/86) installing libksba                                                             [##################################################] 100%
(68/86) installing libassuan                                                           [##################################################] 100%
(69/86) installing pinentry                                                            [##################################################] 100%
Optional dependencies for pinentry
    gtk2: gtk2 backend
    qt5-base: qt backend
    gcr: gnome3 backend
(70/86) installing nettle                                                              [##################################################] 100%
(71/86) installing gnutls                                                              [##################################################] 100%
Optional dependencies for gnutls
    guile: for use with Guile bindings
(72/86) installing sqlite                                                              [##################################################] 100%
(73/86) installing gnupg                                                               [##################################################] 100%
Optional dependencies for gnupg
    libldap: gpg2keys_ldap [installed]
    libusb-compat: scdaemon
(74/86) installing gpgme                                                               [##################################################] 100%
(75/86) installing pacman-mirrorlist                                                   [##################################################] 100%
(76/86) installing pacman                                                              [##################################################] 100%
Optional dependencies for pacman
    fakeroot: for makepkg usage as normal user
(77/86) installing lz4                                                                 [##################################################] 100%
(78/86) installing libsystemd                                                          [##################################################] 100%
(79/86) installing procps-ng                                                           [##################################################] 100%
(80/86) installing psmisc                                                              [##################################################] 100%
(81/86) installing sed                                                                 [##################################################] 100%
(82/86) installing shadow                                                              [##################################################] 100%
(83/86) installing tar                                                                 [##################################################] 100%
(84/86) installing util-linux                                                          [##################################################] 100%
Optional dependencies for util-linux
    python: python bindings to libmount
(85/86) installing which                                                               [##################################################] 100%
(86/86) installing haveged                                                             [##################################################] 100%
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/etc/pacman.d/gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
gpg: Generating pacman keyring master key...
gpg: key 4C4DCB68 marked as ultimately trusted
gpg: directory '/etc/pacman.d/gnupg/openpgp-revocs.d' created
gpg: Done
==> Updating trust database...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
checking dependencies...

Packages (1) haveged-1.9.1-2

Total Removed Size:  0.18 MiB

:: Do you want to remove these packages? [Y/n] 
(1/1) removing haveged                                                                 [##################################################] 100%
==> ERROR: The keyring file /usr/share/pacman/keyrings/archlinux.gpg does not exist.
Generating locales...
  en_US.UTF-8... done
Generation complete.
tar: ./etc/pacman.d/gnupg/S.gpg-agent: socket ignored
5de54cc959c36d2064ee4389c0cc50acdb2246b3eac4edeb5e83cac7f4d9b350
Success.
[staf@fanny arch]$

Try it

[staf@fanny arch]$ docker run -t -i --rm archlinux /bin/bash
[root@6c24a79778f9 /]# 

Debian

To create a Debian base image you need debootstrap. It is available as an AUR package.

Install yaourt

Yaourt is a nice tool to install packages from the AUR. Keep in mind that AUR packages are user-submitted and not reviewed by the Arch maintainers: makepkg executes the PKGBUILD as your user and, with -i, installs the result with sudo, so read the PKGBUILD before you build and install it.

Install the base development tools
[staf@fanny ~]$ sudo pacman -Sy base-devel
:: Synchronizing package databases...
 core                                                                      210.4 KiB   198K/s 00:01 [##########################################################] 100%
 extra                                                                       2.3 MiB   385K/s 00:06 [##########################################################] 100%
 community                                                                   3.2 MiB   208K/s 00:16 [##########################################################] 100%
 alarm                                                                     105.4 KiB   335K/s 00:00 [##########################################################] 100%
 aur                                                                        31.2 KiB  49.1K/s 00:01 [##########################################################] 100%
:: There are 25 members in group base-devel:
:: Repository core
   1) autoconf  2) automake  3) binutils  4) bison  5) fakeroot  6) file  7) findutils  8) flex  9) gawk  10) gcc  11) gettext  12) grep  13) groff  14) gzip
   15) libtool  16) m4  17) make  18) pacman  19) patch  20) pkg-config  21) sed  22) sudo  23) texinfo  24) util-linux  25) which

Enter a selection (default=all): 
warning: autoconf-2.69-2 is up to date -- reinstalling
warning: automake-1.15-1 is up to date -- reinstalling
warning: binutils-2.25.1-3 is up to date -- reinstalling
warning: bison-3.0.4-1 is up to date -- reinstalling
warning: fakeroot-1.20.2-1 is up to date -- reinstalling
warning: file-5.25-1 is up to date -- reinstalling
warning: findutils-4.4.2-6 is up to date -- reinstalling
warning: flex-2.6.0-1 is up to date -- reinstalling
warning: gawk-4.1.3-1 is up to date -- reinstalling
warning: gcc-5.3.0-3 is up to date -- reinstalling
warning: gettext-0.19.6-2 is up to date -- reinstalling
warning: grep-2.22-1 is up to date -- reinstalling
warning: groff-1.22.3-5 is up to date -- reinstalling
warning: gzip-1.6-1 is up to date -- reinstalling
warning: libtool-2.4.6-4 is up to date -- reinstalling
warning: m4-1.4.17-1 is up to date -- reinstalling
warning: make-4.1-1 is up to date -- reinstalling
warning: pacman-4.2.1-4 is up to date -- reinstalling
warning: patch-2.7.5-1 is up to date -- reinstalling
warning: pkg-config-0.29-1 is up to date -- reinstalling
warning: sed-4.2.2-3 is up to date -- reinstalling
warning: sudo-1.8.15-1 is up to date -- reinstalling
warning: texinfo-6.0-1 is up to date -- reinstalling
warning: util-linux-2.27.1-1 is up to date -- reinstalling
warning: which-2.21-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (25) autoconf-2.69-2  automake-1.15-1  binutils-2.25.1-3  bison-3.0.4-1  fakeroot-1.20.2-1  file-5.25-1  findutils-4.4.2-6  flex-2.6.0-1  gawk-4.1.3-1
              gcc-5.3.0-3  gettext-0.19.6-2  grep-2.22-1  groff-1.22.3-5  gzip-1.6-1  libtool-2.4.6-4  m4-1.4.17-1  make-4.1-1  pacman-4.2.1-4  patch-2.7.5-1
              pkg-config-0.29-1  sed-4.2.2-3  sudo-1.8.15-1  texinfo-6.0-1  util-linux-2.27.1-1  which-2.21-1

Total Installed Size:  166.11 MiB
Net Upgrade Size:        0.00 MiB

:: Proceed with installation? [Y/n] y
(25/25) checking keys in keyring                                                                    [##########################################################] 100%
(25/25) checking package integrity                                                                  [##########################################################] 100%
(25/25) loading package files                                                                       [##########################################################] 100%
(25/25) checking for file conflicts                                                                 [##########################################################] 100%
(25/25) checking available disk space                                                               [##########################################################] 100%
( 1/25) reinstalling gawk                                                                           [##########################################################] 100%
( 2/25) reinstalling m4                                                                             [##########################################################] 100%
( 3/25) reinstalling autoconf                                                                       [##########################################################] 100%
( 4/25) reinstalling automake                                                                       [##########################################################] 100%
( 5/25) reinstalling binutils                                                                       [##########################################################] 100%
( 6/25) reinstalling bison                                                                          [##########################################################] 100%
( 7/25) reinstalling sed                                                                            [##########################################################] 100%
( 8/25) reinstalling util-linux                                                                     [##########################################################] 100%
( 9/25) reinstalling fakeroot                                                                       [##########################################################] 100%
(10/25) reinstalling file                                                                           [##########################################################] 100%
(11/25) reinstalling findutils                                                                      [##########################################################] 100%
(12/25) reinstalling flex                                                                           [##########################################################] 100%
(13/25) reinstalling gcc                                                                            [##########################################################] 100%
(14/25) reinstalling gettext                                                                        [##########################################################] 100%
(15/25) reinstalling grep                                                                           [##########################################################] 100%
(16/25) reinstalling groff                                                                          [##########################################################] 100%
(17/25) reinstalling gzip                                                                           [##########################################################] 100%
(18/25) reinstalling libtool                                                                        [##########################################################] 100%
(19/25) reinstalling texinfo                                                                        [##########################################################] 100%
(20/25) reinstalling make                                                                           [##########################################################] 100%
(21/25) reinstalling pacman                                                                         [##########################################################] 100%
(22/25) reinstalling patch                                                                          [##########################################################] 100%
(23/25) reinstalling pkg-config                                                                     [##########################################################] 100%
(24/25) reinstalling sudo                                                                           [##########################################################] 100%
(25/25) reinstalling which                                                                          [##########################################################] 100%
[staf@fanny ~]$ 
Install git
[staf@fanny ~]$ sudo pacman -S git
warning: git-2.6.4-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) git-2.6.4-1

Total Installed Size:  22.92 MiB
Net Upgrade Size:       0.00 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                                                      [##########################################################] 100%
(1/1) checking package integrity                                                                    [##########################################################] 100%
(1/1) loading package files                                                                         [##########################################################] 100%
(1/1) checking for file conflicts                                                                   [##########################################################] 100%
(1/1) checking available disk space                                                                 [##########################################################] 100%
(1/1) reinstalling git                                                                              [##########################################################] 100%
[staf@fanny ~]$ 
Install package-query
git clone
[staf@fanny aur]$ git clone https://aur.archlinux.org/package-query.git 
Cloning into 'package-query'...
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 16 (delta 0), reused 16 (delta 0)
Unpacking objects: 100% (16/16), done.
Checking connectivity... done.
[staf@fanny aur]$ 
makepkg
[staf@fanny aur]$ cd package-query/
[staf@fanny package-query]$ makepkg -sri
==> Making package: package-query 1.7-1 (Fri Dec 25 14:33:39 UTC 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading package-query-1.7.tar.gz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  380k  100  380k    0     0   413k      0 --:--:-- --:--:-- --:--:--  413k
==> Validating source files with md5sums...
    package-query-1.7.tar.gz ... Passed
==> Extracting sources...
  -> Extracting package-query-1.7.tar.gz with bsdtar
==> Starting build()...
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
<snip>
config.status: executing depfiles commands
config.status: executing libtool commands
config.status: executing po-directories commands

package-query:

  Build information:
    source code location   : .
    prefix                 : /usr
    sysconfdir             : /etc
       conf file           : /etc/pacman.conf
    localstatedir          : /var
       database dir        : /var/lib/pacman/
    compiler               : gcc
    compiler flags         : -march=armv7-a -mfloat-abi=hard -mfpu=vfpv3-d16 -O2 -pipe -fstack-protector --param=ssp-buffer-size=4

    package-query version  : 1.7
    using git version      : no
       git ver             : 

  Variable information:
    root working directory : /
    aur base url           : https://aur.archlinux.org

make  all-recursive
make[1]: Entering directory '/home/staf/git/aur/package-query/src/package-query-1.7'
Making all in src
make[2]: Entering directory '/home/staf/git/aur/package-query/src/package-query-1.7/src'
gcc -DLOCALEDIR=\"/usr/share/locale\" -DCONFFILE=\"/etc/pacman.conf\" -DROOTDIR=\"/\" -DDBPATH=\"/var/lib/pacman/\" -DAUR_BASE_URL=\"https://aur.archlinux.org\" -DHAVE_CONFIG_H  -I. -I..   -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -march=armv7-a -mfloat-abi=hard -mfpu=vfpv3-d16 -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -MT aur.o -MD -MP -MF .deps/aur.Tpo -c -o aur.o aur.c
mv -f .deps/aur.Tpo .deps/aur.Po
gcc -DLOCALEDIR=\"/usr/share/locale\" -DCONFFILE=\"/etc/pacman.conf\" -DROOTDIR=\"/\" -DDBPATH=\"/var/lib/pacman/\" -DAUR_BASE_URL=\"https://aur.archlinux.org\" -DHAVE_CONFIG_H  -I. -I..   -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -march=armv7-a -mfloat-abi=hard -mfpu=vfpv3-d16 -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -MT alpm-query.o -MD -MP -MF .deps/alpm-query.Tpo -c -o alpm-query.o alpm-query.c
alpm-query.c: In function 'alpm_pkg_get_realsize':
 /usr/bin/mkdir -p '/home/staf/git/aur/package-query/pkg/package-query/usr/share/man/man8'
<snip>
 /usr/bin/install -c -m 644 package-query.8 '/home/staf/git/aur/package-query/pkg/package-query/usr/share/man/man8'
make[2]: Leaving directory '/home/staf/git/aur/package-query/src/package-query-1.7/doc'
make[1]: Leaving directory '/home/staf/git/aur/package-query/src/package-query-1.7/doc'
make[1]: Entering directory '/home/staf/git/aur/package-query/src/package-query-1.7'
make[2]: Entering directory '/home/staf/git/aur/package-query/src/package-query-1.7'
make[2]: Nothing to be done for 'install-exec-am'.
make[2]: Nothing to be done for 'install-data-am'.
make[2]: Leaving directory '/home/staf/git/aur/package-query/src/package-query-1.7'
make[1]: Leaving directory '/home/staf/git/aur/package-query/src/package-query-1.7'
==> Tidying install...
  -> Purging unwanted files...
  -> Removing libtool files...
  -> Removing static library files...
  -> Compressing man and info pages...
  -> Stripping unneeded symbols from binaries and libraries...
==> Creating package "package-query"...
  -> Generating .PKGINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: package-query 1.7-1 (Fri Dec 25 14:34:02 UTC 2015)
==> Installing package package-query with pacman -U...
[sudo] password for staf: 
loading packages...
warning: package-query-1.7-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) package-query-1.7-1

Total Installed Size:  0.07 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                                                      [##########################################################] 100%
(1/1) checking package integrity                                                                    [##########################################################] 100%
(1/1) loading package files                                                                         [##########################################################] 100%
(1/1) checking for file conflicts                                                                   [##########################################################] 100%
(1/1) checking available disk space                                                                 [##########################################################] 100%
(1/1) reinstalling package-query                                                                    [##########################################################] 100%
[staf@fanny package-query]$ 
Install yaourt
git clone
[staf@fanny package-query]$ cd ~/git/aur   
[staf@fanny aur]$ git clone https://aur.archlinux.org/yaourt.git
Cloning into 'yaourt'...
remote: Counting objects: 14, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 14 (delta 3), reused 14 (delta 3)
Unpacking objects: 100% (14/14), done.
Checking connectivity... done.
[staf@fanny aur]$ 

makepkg
[staf@fanny yaourt]$ makepkg -sri
==> Making package: yaourt 1.7-1 (Fri Dec 25 14:44:12 UTC 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading yaourt-1.7.tar.gz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  123k  100  123k    0     0   222k      0 --:--:-- --:--:-- --:--:--  222k
==> Validating source files with md5sums...
    yaourt-1.7.tar.gz ... Passed
==> Extracting sources...
  -> Extracting yaourt-1.7.tar.gz with bsdtar
==> Starting build()...
        GEN yaourt.sh
        GEN pacdiffviewer.sh
        GEN yaourtrc
        GEN lib/util.sh
        GEN lib/pkgbuild.sh
        GEN lib/pacman.sh
        GEN lib/abs.sh
==> Entering fakeroot environment...
==> Starting package()...
/usr/bin/env install -d /home/staf/git/aur/yaourt/pkg/yaourt/usr/bin
/usr/bin/env install -d /home/staf/git/aur/yaourt/pkg/yaourt/usr/lib/yaourt
/usr/bin/env install -d /home/staf/git/aur/yaourt/pkg/yaourt/etc
/usr/bin/env install -d /home/staf/git/aur/yaourt/pkg/yaourt/usr/share/bash-completion/completions
/usr/bin/env install -d /home/staf/git/aur/yaourt/pkg/yaourt/usr/share/man/man{5,8}
# Scripts
/usr/bin/env install -m755 yaourt.sh /home/staf/git/aur/yaourt/pkg/yaourt/usr/bin/yaourt
/usr/bin/env install -m755 pacdiffviewer.sh /home/staf/git/aur/yaourt/pkg/yaourt/usr/bin/pacdiffviewer
# Configuration
/usr/bin/env install -m644 yaourtrc /home/staf/git/aur/yaourt/pkg/yaourt/etc/yaourtrc
/usr/bin/env install -m644 bashcompletion /home/staf/git/aur/yaourt/pkg/yaourt/usr/share/bash-completion/completions/yaourt
# Libs
/usr/bin/env install -m644 lib/alpm_backup.sh /home/staf/git/aur/yaourt/pkg/yaourt/usr/lib/yaourt
/usr/bin/env install -m644 lib/alpm_query.sh /home/staf/git/aur/yaourt/pkg/yaourt/usr/lib/yaourt
/usr/bin/env install -m644 lib/alpm_stats.sh /home/staf/git/aur/yaourt/pkg/yaourt/usr/lib/yaourt
/usr/bin/env install -m644 lib/abs.sh /home/staf/git/aur/yaourt/pkg/yaourt/usr/lib/yaourt
/usr/bin/env install -m644 lib/aur.sh /home/staf/git/aur/yaourt/pkg/yaourt/usr/lib/yaourt
/usr/bin/env install -m644 lib/util.sh /home/staf/git/aur/yaourt/pkg/yaourt/usr/lib/yaourt
/usr/bin/env install -m644 lib/io.sh /home/staf/git/aur/yaourt/pkg/yaourt/usr/lib/yaourt
/usr/bin/env install -m644 lib/pacman.sh /home/staf/git/aur/yaourt/pkg/yaourt/usr/lib/yaourt
/usr/bin/env install -m644 lib/pkgbuild.sh /home/staf/git/aur/yaourt/pkg/yaourt/usr/lib/yaourt
/usr/bin/env install -m644 lib/misc.sh /home/staf/git/aur/yaourt/pkg/yaourt/usr/lib/yaourt
# Man
/usr/bin/env install -m644 man/*.5 /home/staf/git/aur/yaourt/pkg/yaourt/usr/share/man/man5
/usr/bin/env install -m644 man/*.8 /home/staf/git/aur/yaourt/pkg/yaourt/usr/share/man/man8
# Locales
test -x /usr/bin/msgfmt && for file in po/*/*.po; \
do \
  package=$(echo $file | /bin/sed -e 's#po/\([^/]\+\).*#\1#'); \
  lang=$(echo $file | /bin/sed -e 's#.*/\([^/]\+\).po#\1#'); \
  /usr/bin/env install -d /home/staf/git/aur/yaourt/pkg/yaourt/usr/share/locale/$lang/LC_MESSAGES; \
  /usr/bin/msgfmt -o /home/staf/git/aur/yaourt/pkg/yaourt/usr/share/locale/$lang/LC_MESSAGES/$package.mo $file; \
done
==> Tidying install...
  -> Purging unwanted files...
  -> Removing libtool files...
  -> Removing static library files...
  -> Compressing man and info pages...
  -> Stripping unneeded symbols from binaries and libraries...
==> Creating package "yaourt"...
  -> Generating .PKGINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: yaourt 1.7-1 (Fri Dec 25 14:44:16 UTC 2015)
==> Installing package yaourt with pacman -U...
[sudo] password for staf: 
loading packages...
warning: yaourt-1.7-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) yaourt-1.7-1

Total Installed Size:  0.72 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                                                      [##########################################################] 100%
(1/1) checking package integrity                                                                    [##########################################################] 100%
(1/1) loading package files                                                                         [##########################################################] 100%
(1/1) checking for file conflicts                                                                   [##########################################################] 100%
(1/1) checking available disk space                                                                 [##########################################################] 100%
(1/1) reinstalling yaourt                                                                           [##########################################################] 100%
[staf@fanny yaourt]$ 

Install debootstrap

[staf@fanny ~]$ yaourt debootstrap
1 aur/cdebootstrap-static 0.6.5-1 (10)
    Bootstrap a Debian system
2 aur/debootstrap 1.0.75-1 [installed] (224)
    A tool used to create a Debian base system from scratch, without requiring the availability of dpkg or apt
3 aur/rinse 3.0.2-2 (0)
    Bootstrap a rpm based distribution like debootstrap
==> Enter n° of packages to be installed (ex: 1 2 3 or 1-3)
==> --------------------------------------------------------
==> 2


==> Downloading debootstrap PKGBUILD from AUR...
x .SRCINFO
x .gitignore
x PKGBUILD
zeilenleser commented on 2015-07-29 10:49 
Thanks for maintaining this package.

just for your information, version 1.0.72 is out since 2015-07-28

Regards

zeilenleser commented on 2015-07-29 12:13 
I followed @Tigrouzens suggestion with this modification

DEF_MIRROR="http://mirrors.kernel.org/ubuntu"

Since only DEF_HTTPS_MIRROR is used in my case I don't know if this works. Testing with the browser was successful.

bricewge commented on 2015-12-07 16:58 (last edited on 2015-12-07 16:58 by bricewge) 
@Tigrouzens why don't you want to install ubuntu-keyring?

Your advice didn't work for me, I still had the error about GPG. But after installing gnupg1 and ubuntu-keyring, enrering the following command worked fine.
# debootstrap wily ubuntu https://mirrors.kernel.org/ubuntu

abeutot commented on 2015-12-08 11:57 
Seems like there is a missing dependency to binutils since ar is needed to extract deb packages.

JonnyJD commented on 2015-12-08 12:12 
binutils is in the "base-devel" group which is an implicit requirement before using the AUR altogether:
https://wiki.archlinux.org/index.php/Arch_User_Repository#Prerequisites

debootstrap 1.0.75-1  (2015-11-12 16:15)
( Unsupported package: Potentially dangerous ! )
==> Edit PKGBUILD ? [Y/n] ("A" to abort)
==> ------------------------------------
==> n

==> debootstrap dependencies:
 - wget (already installed)


==> Continue building debootstrap ? [Y/n]
==> -------------------------------------
==> 
==> Building and installing package
==> Making package: debootstrap 1.0.75-1 (Fri Dec 25 14:48:55 UTC 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading debootstrap_1.0.75_all.deb...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 65978  100 65978    0     0   155k      0 --:--:-- --:--:-- --:--:--  155k
==> Validating source files with md5sums...
    debootstrap_1.0.75_all.deb ... Passed
==> Extracting sources...
  -> Extracting debootstrap_1.0.75_all.deb with bsdtar
==> Entering fakeroot environment...
==> Starting package()...
==> Tidying install...
  -> Purging unwanted files...
  -> Removing libtool files...
  -> Removing static library files...
  -> Compressing man and info pages...
  -> Stripping unneeded symbols from binaries and libraries...
==> Creating package "debootstrap"...
  -> Generating .PKGINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: debootstrap 1.0.75-1 (Fri Dec 25 14:48:57 UTC 2015)

==> Continue installing debootstrap ? [Y/n]
==> [v]iew package contents [c]heck package with namcap
==> ---------------------------------------------------
==> y

loading packages...
warning: debootstrap-1.0.75-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) debootstrap-1.0.75-1

Total Installed Size:  0.19 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                                                      [##########################################################] 100%
(1/1) checking package integrity                                                                    [##########################################################] 100%
(1/1) loading package files                                                                         [##########################################################] 100%
(1/1) checking for file conflicts                                                                   [##########################################################] 100%
(1/1) checking available disk space                                                                 [##########################################################] 100%
(1/1) reinstalling debootstrap                                                                      [##########################################################] 100%
[staf@fanny ~]$ 

gpg keyring

debootstrap needs gnupg1. There is an AUR package available at https://aur.archlinux.org/packages/gnupg1/, but armv7h isn’t included in its supported architectures, so we’ll need to add it.

Install gnupg1
Git clone
[staf@fanny ~]$ cd ~/git/aur
[staf@fanny aur]$ git clone https://aur.archlinux.org/gnupg1.git
Cloning into 'gnupg1'...
remote: Counting objects: 8, done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 8 (delta 0), reused 8 (delta 0)
Unpacking objects: 100% (8/8), done.
Checking connectivity... done.
[staf@fanny aur]$ 
Update PKGBUILD

Edit PKGBUILD

[staf@fanny gnupg1]$ vi PKGBUILD 

and add armv7h to the arch array:

pkgdesc="GNU Privacy Guard - a PGP replacement tool"
arch=('i686' 'x86_64' 'armv6h' 'armv7h')
license=('GPL3')
depends=('zlib' 'bzip2' 'libldap>=2.4.18' 'libusb-compat' 'curl>=7.16.2' 'readline>=6.0.00')
Update the keyring
[staf@fanny gnupg1]$ gpg --keyserver pgpkeys.mit.edu --recv-keys 2071B08A33BD3F06 
gpg: key 33BD3F06: "NIIBE Yutaka (GnuPG Release Key) <gniibe@fsij.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
[staf@fanny gnupg1]$ 
makepkg
[staf@fanny gnupg1]$ makepkg -sri
<snip>
  -> Adding install file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: gnupg1 1.4.19-4 (Sat Dec 26 13:49:19 UTC 2015)
==> Installing package gnupg1 with pacman -U...
[sudo] password for staf: 
loading packages...
resolving dependencies...
looking for conflicting packages...

Packages (1) gnupg1-1.4.19-4

Total Installed Size:  4.97 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                                         [##################################################] 100%
(1/1) checking package integrity                                                       [##################################################] 100%
(1/1) loading package files                                                            [##################################################] 100%
(1/1) checking for file conflicts                                                      [##################################################] 100%
(1/1) checking available disk space                                                    [##################################################] 100%
(1/1) installing gnupg1                                                                [##################################################] 100%
[staf@fanny gnupg1]$ 
Install the debian-archive-keyring aur
[staf@fanny debian]$ yaourt debian-archive-keyring 
1 aur/debian-archive-keyring 2014.3-2 (59)
    GnuPG archive keys of the Debian archive
==> Enter n° of packages to be installed (ex: 1 2 3 or 1-3)
==> --------------------------------------------------------
==> 1


==> Downloading debian-archive-keyring PKGBUILD from AUR...
x .SRCINFO
x PKGBUILD
eworm commented on 2013-05-13 12:20 
Please use package() function, recent makepkg warns about that.

hcartiaux commented on 2013-05-15 08:00 
Fixed

ansys commented on 2014-10-24 11:31 
New url http://ftp.fr.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2014.1_all.deb

kozaki commented on 2014-12-11 14:58 
Update
url: http://ftp.fr.debian.org/debian/pool/main/d/debian-archive-keyring/debian-archive-keyring_2014.3_all.deb
md5: 02b6818bd7cada9ef9d24534290b559c

Thank you.

debian-archive-keyring 2014.3-2  (2015-06-08 20:20)
( Unsupported package: Potentially dangerous ! )
==> Edit PKGBUILD ? [Y/n] ("A" to abort)
==> ------------------------------------
==> n

==> debian-archive-keyring dependencies:
 - gnupg (already installed)


==> Continue building debian-archive-keyring ? [Y/n]
==> ------------------------------------------------
==> 
==> Building and installing package
==> Making package: debian-archive-keyring 2014.3-2 (Sat Dec 26 13:02:52 UTC 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading debian-archive-keyring_2014.3_all.deb...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 40060  100 40060    0     0   103k      0 --:--:-- --:--:-- --:--:--  103k
==> Validating source files with md5sums...
    debian-archive-keyring_2014.3_all.deb ... Passed
==> Extracting sources...
  -> Extracting debian-archive-keyring_2014.3_all.deb with bsdtar
==> Entering fakeroot environment...
==> Starting package()...
./
./usr/
./usr/share/
<snip>

==> Continue installing debian-archive-keyring ? [Y/n]
==> [v]iew package contents [c]heck package with namcap
==> ---------------------------------------------------
==> y

loading packages...
resolving dependencies...
looking for conflicting packages...

Packages (1) debian-archive-keyring-2014.3-2

Total Installed Size:  0.07 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                                                                                                                                                                                                                  [##################################################################################################################################################################] 100%
(1/1) checking package integrity                                                                                                                                                                                                                                [##################################################################################################################################################################] 100%
(1/1) loading package files                                                                                                                                                                                                                                     [##################################################################################################################################################################] 100%
(1/1) checking for file conflicts                                                                                                                                                                                                                               [##################################################################################################################################################################] 100%
(1/1) checking available disk space                                                                                                                                                                                                                             [##################################################################################################################################################################] 100%
(1/1) installing debian-archive-keyring                                                                                                                                                                                                                         [##################################################################################################################################################################] 100%
[staf@fanny debian]$ 

debootstrap

[staf@fanny debian]$ sudo debootstrap --verbose --include=iproute,iputils-ping --arch armhf jessie ./jessie-chroot http://http.debian.net/debian/
[sudo] password for staf: 
I: Retrieving Release 
I: Retrieving Release.gpg 
I: Checking Release signature
I: Valid Release signature (key id 75DDC3C4A499F1A18CB5F3C8CBF8D6FD518E17E1)
<snip>
I: Configuring libgnutls-openssl27:armhf...
I: Configuring iputils-ping...
I: Configuring isc-dhcp-common...
I: Configuring isc-dhcp-client...
I: Configuring tasksel...
I: Configuring tasksel-data...
I: Configuring libc-bin...
I: Configuring systemd...
I: Base system installed successfully.

Import

[staf@fanny jessie-chroot]$ sudo tar cpf - . | docker import - debian
[sudo] password for staf: 
1ec165fa2ccb264ab8196b8cd0c339b5d95e1b90879019cde0c633cca738277a
[staf@fanny jessie-chroot]$ 

Try it

[staf@fanny jessie-chroot]$ docker run -t -i --rm debian /bin/bash
root@81afce29909f:/# cat /etc/debian_version 
8.2
root@81afce29909f:/# 

Have fun …

Links

Protecting Your SSH Keys With SmartCard-HSM

I use a YubiKey for my ssh authentication, but I have other ssh keys for my remote services, so I wanted something that lets me take a backup of my keys. See this post for more information on how to back up/restore a SmartCard-HSM.

Create your first ssh keypair

Verify your smartcard connection

Insert your smartcard and verify the connection; see my previous post if you need more information about the smartcard initialization.

[staf@vicky ~]$ pkcs11-tool -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): Generic Smart Card Reader Interface [Smart Card Reader Interface
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 1.2
  serial num         : DECM0102331
[staf@vicky ~]$ 

Create your keypair

Create your ssh key pair and give it a meaningful label.

[staf@vicky ~]$ pkcs11-tool --slot 1 --keypairgen --key-type rsa:2048 --label my_ssh_key --login
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN: 
Key pair generated:
Private Key Object; RSA 
  label:      my_ssh_key
  ID:         fca6240eeef8d3156f0c4dfc591b2d938d6104cb
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      my_ssh_key
  ID:         fca6240eeef8d3156f0c4dfc591b2d938d6104cb
  Usage:      encrypt, verify, wrap
[staf@vicky ~]$ 

Extract your public key

We used PKCS#11 to generate the key pair; PKCS#15 is designed to identify users to applications, and its tooling is what we use to read the key back.

Dump the token content

Dump the token content to get the ID of your ssh key pair.

[staf@vicky ~]$ pkcs15-tool -D
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
PKCS#15 Card [SmartCard-HSM]:
        Version        : 0
        Serial number  : DECM0102331
        Manufacturer ID: www.CardContact.de
        Flags          : 

PIN [UserPIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x81A], local, unblock-disabled, initialized, exchangeRefData
        Length         : min_len:6, max_len:15, stored_len:0
        Pad char       : 0x00
        Reference      : 129 (0x81)
        Type           : ascii-numeric
        Tries left     : 3

PIN [SOPIN]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0x9E], local, change-disabled, unblock-disabled, initialized, soPin
        Length         : min_len:16, max_len:16, stored_len:0
        Pad char       : 0x00
        Reference      : 136 (0x88)
        Type           : bcd
        Tries left     : 3

Private EC Key [myfirst_keypair]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x10C], sign, signRecover, derive
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        FieldLength    : 256
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : e82b0601040181c31f0201::
        Auth ID        : 01
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        MD:guid        : {efac9b29-2289-658c-98d1-af5af965d484}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Private RSA Key [my_ssh_key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 2 (0x2)
        Native         : yes
        Path           : e82b0601040181c31f0201::
        Auth ID        : 01
        ID             : fca6240eeef8d3156f0c4dfc591b2d938d6104cb
        MD:guid        : {a272b2ad-ff6f-606c-801a-4153be498018}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Public EC Key [myfirst_keypair]
        Object Flags   : [0x0]
        Usage          : [0x0]
        Access Flags   : [0x2], extract
        FieldLength    : 256
        Key ref        : 0 (0x0)
        Native         : no
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        DirectValue    : <present>

Public RSA Key [my_ssh_key]
        Object Flags   : [0x0]
        Usage          : [0x0]
        Access Flags   : [0x2], extract
        ModLength      : 2048
        Key ref        : 0 (0x0)
        Native         : no
        ID             : fca6240eeef8d3156f0c4dfc591b2d938d6104cb
        DirectValue    : <present>

[staf@vicky ~]$ 

Get the public key

[staf@vicky ~]$ pkcs15-tool --read-ssh-key fca6240eeef8d3156f0c4dfc591b2d938d6104cb
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWShfPjqh+pU8lCoIhXIXh+cGpSem1iNFH6TuluQQLPiqPIeObCTfqC8q9TjR/2FYzG+3ECdiRr0fiywE9OnzUgJI5oOjXfMwY3xE1PbYBrSvYERofhkEv2ejlyRifN3sbLGSU0V7pX+BNOuiJCquCehPMV9+ehkjbk9hPRFUzL1GywsOkmWUoIzrdjH0dlhPX3TUCdoizWAIdUqg+RX4DCEc52RvaGdX4Tn2THxeffXqFJ/gKkParZSLmOND1iRhtJeJ8CmgAqfD8ReshbcSs231h/QvUl3JaThcrLbPrSQFzVUH+rN+pGlSl722NWyPNPWlwwE+SreTLbQRoWayN my_ssh_key
[staf@vicky ~]$ 
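Reading the ID off the pkcs15-tool -D dump by eye works, but it is easy to script. The block below is added here as an example (not from the original post or from OpenSC): it pulls the object ID for a given key label out of a dump and builds the pkcs15-tool --read-ssh-key command shown above from it, so the same label that ssh will later use via PKCS11Provider is the only thing you have to remember. SAMPLE_DUMP is constructed from the fields of the dump shown above; in practice you would pipe the real pkcs15-tool -D output into pkcs15_key_id instead. The function names are made up for this example.

```shell
# Added example (not from the original post or from OpenSC): look up a key's
# PKCS#15 object ID by its label instead of reading it off "pkcs15-tool -D".
# SAMPLE_DUMP is constructed from the fields of the dump shown in the post; a
# real run would pipe "pkcs15-tool -D" into pkcs15_key_id instead.
SAMPLE_DUMP=$(cat <<'EOF'
PKCS#15 Card [SmartCard-HSM]:
        Version        : 0
        Serial number  : DECM0102331

PIN [UserPIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01

Private EC Key [myfirst_keypair]
        Object Flags   : [0x3], private, modifiable
        Auth ID        : 01
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c

Private RSA Key [my_ssh_key]
        Object Flags   : [0x3], private, modifiable
        ModLength      : 2048
        Auth ID        : 01
        ID             : fca6240eeef8d3156f0c4dfc591b2d938d6104cb

Public RSA Key [my_ssh_key]
        Access Flags   : [0x2], extract
        ID             : fca6240eeef8d3156f0c4dfc591b2d938d6104cb
EOF
)

# Print the ID of the "Private ... Key [<label>]" object in a pkcs15-tool -D
# dump read from stdin; print nothing and return 1 if no such key exists.
pkcs15_key_id() {
    awk -v label="$1" '
        # A private key section starts with e.g. "Private RSA Key [my_ssh_key]"
        /^Private (RSA|EC) Key \[/ { inkey = (index($0, "[" label "]") > 0); next }
        # Any other unindented line (PIN [..], Public ... Key [..]) ends the section
        /^[^ \t]/ { inkey = 0 }
        # Fields are indented "Name : value"; "Auth ID" has $1 == "Auth", so only
        # the object ID line has $1 == "ID"
        inkey && $1 == "ID" { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Build the export command used in the post for a key label, e.g.
# "pkcs15-tool --read-ssh-key fca6240eeef8d3156f0c4dfc591b2d938d6104cb".
ssh_pubkey_cmd() {
    id=$(printf '%s\n' "$SAMPLE_DUMP" | pkcs15_key_id "$1") || return 1
    printf 'pkcs15-tool --read-ssh-key %s\n' "$id"
}

ssh_pubkey_cmd my_ssh_key
```

The awk parser keys on the unindented section headers, so it is not fooled by the "Auth ID" field or by the matching Public Key object that carries the same ID lower in the dump.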

Configure the remote host

Add the key to the remote host

[staf@vicky .ssh]$ vi authorized_keys 
[staf@vicky .ssh]$ 

Test the connection

Test your ssh connection, first without the PKCS11 interface:

[staf@vicky ~]$ ssh localhost
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

With the PKCS11 interface enabled:

[staf@vicky ~]$ ssh -o "PKCS11Provider opensc-pkcs11.so" localhost
C_GetAttributeValue failed: 18
Enter PIN for 'SmartCard-HSM (UserPIN)': 
Last login: Thu Dec  3 09:55:23 2015 from ::1
gpg-agent[17327]: enabled debug flags: command cache ipc
gpg-agent: a gpg-agent is already running - not starting a new one
gpg-agent: secmem usage: 0/32768 bytes in 0 blocks
[staf@vicky ~]$ 

Update your ssh_config

Add PKCS11Provider opensc-pkcs11.so to your ~/.ssh/config or to your global ssh_config.

[staf@vicky ~]$ cd .ssh/
[staf@vicky .ssh]$ vim config
PKCS11Provider opensc-pkcs11.so
[staf@vicky .ssh]$ 

Have fun …

Starting to Protect My Private Keys With SmartCard-Hsm

I still have too many private keys on a local filesystem. I started to use the YubiKey NEO for my ssh authentication, mainly because of the nice form factor of the YubiKey.

For my other private keys/data I was looking for something cheaper, since I need to have a backup of my secured data, so I bought a few SmartCard-HSM smartcards. They cost 16 € each, while a YubiKey NEO costs 54 € at amazon.de.

Preparing Backup and Restore

The SmartCard-HSM has backup/restore functionality; this needs to be enabled before any keys are generated on the HSM.

To store our Device Key Encryption Key (DKEK) securely we need a safe place; we’ll use an encrypted USB stick.

It is possible to configure multiple DKEK shares, so that multiple keys are needed to perform a backup or restore; you might want to spread these DKEK shares over multiple (encrypted) USB sticks or people.

If you want a backup of your DKEK shares you need at least two encrypted USB sticks.

For convenience we’ll store all DKEK shares on one encrypted USB stick in the example below; you should execute it on a secured computer.

Install opensc

[staf@vicky ~]$ sudo dnf install opensc
Last metadata expiration check performed 0:23:14 ago on Wed Nov 11 14:47:21 2015.
Package opensc-0.15.0-2.fc23.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
[staf@vicky ~]$ 

Create an encrypted USB key stick

Write random data to the USB stick

[staf@vicky ~]$ sudo dd if=/dev/urandom of=/dev/sdn bs=1024
[sudo] password for staf:                                                                                      
dd: error writing ‘/dev/sdn’: No space left on device                                                          
4029441+0 records in                                                                                           
4029440+0 records out                                                                                          
4126146560 bytes (4.1 GB) copied, 1280.14 s, 3.2 MB/s                                                          
[staf@vicky ~]$ 

luksFormat

[staf@vicky ~]$ sudo cryptsetup luksFormat --cipher serpent-cbc-essiv:sha256 --key-size 256 /dev/sdn

WARNING!
========
This will overwrite data on /dev/sdn irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
[staf@vicky ~]$ sudo cry
cryptoflex-tool  cryptsetup       crywrap          
[staf@vicky ~]$ sudo cryptsetup luksOpen /dev/sdn myprivatedata
Enter passphrase for /dev/sdn: 
[staf@vicky ~]$ 

luksOpen

[staf@vicky ~]$ sudo cryptsetup luksOpen /dev/sdn myprivatedata
Enter passphrase for /dev/sdn: 
[staf@vicky ~]$ 

mkfs

[staf@vicky ~]$ sudo mkfs.ext4 /dev/mapper/myprivatedata
mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 1007360 4k blocks and 251968 inodes
Filesystem UUID: 49390936-49e3-4606-abf2-567c3f5b50e1
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done 

[staf@vicky ~]$ 

Verify the encrypted USB stick

To verify that the USB stick is encrypted and can’t be mounted without typing our passphrase, we’ll close the luks device and try to mount it.

luksClose

[staf@vicky ~]$ sudo cryptsetup luksClose myprivatedata
[sudo] password for staf: 
[staf@vicky ~]$ 

Try to mount it without luksOpen

[staf@vicky ~]$ sudo mount /dev/sdn /mnt
mount: unknown filesystem type 'crypto_LUKS'
[staf@vicky ~]$ 

Mount it with luksOpen / mount

[staf@vicky ~]$ sudo cryptsetup luksOpen /dev/sdn myhsm_dkek
Enter passphrase for /dev/sdn: 
[staf@vicky ~]$ sudo mount /dev/mapper/myhsm_dkek /mnt
[staf@vicky ~]$ 
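The ‘unknown filesystem type crypto_LUKS’ refusal above is mount reacting to the LUKS header at the start of the device, and that header can be inspected without cryptsetup. Added here as an example (not from the original post): a shell check that reads the first eight bytes of a file or device and reports whether they carry the LUKS magic (the bytes "LUKS" 0xBA 0xBE) and which header version follows, plus a one-line report over several images, which is a cheap lint to run over removable media before trusting that a stick really was luksFormat’ed. The image files it tests are constructed stubs, not real volumes, and the function names are made up for this example.

```shell
# Added example (not from the original post): tell whether a device or image
# starts with a LUKS header, with no cryptsetup needed. This is the same thing
# "mount" sees when it refuses with 'crypto_LUKS': the first 6 bytes of a LUKS
# volume are the magic "LUKS" 0xBA 0xBE, followed by a 2-byte big-endian header
# version. The image files below are constructed stubs, not real volumes.

# Print the LUKS header version of file/device $1 and return 0; return 1 when
# the LUKS magic is absent (plain/unformatted data) or the version is unknown.
luks_version() {
    # First 8 bytes as lowercase hex, with od's spaces and newlines stripped
    hdr=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        4c554b53babe*)    echo "LUKS magic with unknown version ${hdr#4c554b53babe}" >&2; return 1 ;;
        *)                return 1 ;;
    esac
}

# Report which of the given images are LUKS volumes: one line per argument,
# "<path> LUKS<ver>" or "<path> not-LUKS".
luks_report() {
    for dev in "$@"; do
        if ver=$(luks_version "$dev" 2>/dev/null); then
            echo "$dev LUKS$ver"
        else
            echo "$dev not-LUKS"
        fi
    done
}

LUKS_WORK=$(mktemp -d)
trap 'rm -rf "$LUKS_WORK"' EXIT
# Constructed sample headers: a LUKS1 stub, a LUKS2 stub and a plain zero-filled file
printf 'LUKS\272\276\000\001' > "$LUKS_WORK/luks1.img"
printf 'LUKS\272\276\000\002' > "$LUKS_WORK/luks2.img"
head -c 512 /dev/zero       > "$LUKS_WORK/plain.img"

luks_report "$LUKS_WORK/luks1.img" "$LUKS_WORK/luks2.img" "$LUKS_WORK/plain.img"
```

On a real stick you would point luks_version at /dev/sdn (reading the raw device needs root); a "not-LUKS" result after a luksFormat means you wrote to the wrong device.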

Update the ownership

Update the USB stick ownership

[staf@vicky mnt]$ sudo chown staf:staf .
[sudo] password for staf: 
[staf@vicky mnt]$ 

SmartCard initialization

pcsc_scan

start the pcscd service

Start/enable the pcscd service if you didn’t enable it before.

[root@vicky ~]# systemctl list-unit-files -t service | grep pcscd
pcscd.service                               static  
[root@vicky ~]# systemctl start pcscd
[root@vicky ~]# systemctl enable pcscd
[root@vicky ~]# 

run pcsc_scan

Insert the smartcard into the reader and run pcsc_scan to verify that you see the smartcard.

[staf@vicky mnt]$ pcsc_scan                    
PC/SC device scanner
V 1.4.23 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.13
Using reader plug'n play mechanism
Scanning present readers...
0: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00

Wed Nov 11 10:58:59 2015
Reader 0: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
  Card state: Card inserted, 
  ATR: 3B FE 18 00 00 81 31 FE 45 80 31 81 54 48 53 4D 31 73 80 21 40 81 07 FA

ATR: 3B FE 18 00 00 81 31 FE 45 80 31 81 54 48 53 4D 31 73 80 21 40 81 07 FA
+ TS = 3B --> Direct Convention
+ T0 = FE, Y(1): 1111, K: 14 (historical bytes)
  TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
    129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s                                                     
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
+ Historical bytes: 80 31 81 54 48 53 4D 31 73 80 21 40 81 07
  Category indicator byte: 80 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: 81
        - Application selection: by full DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card without MF
    Tag: 5, len: 4 (card issuer's data)
      Card issuer data: 48 53 4D 31
    Tag: 7, len: 3 (card capabilities)
      Selection methods: 80
        - DF selection by full DF name
      Data coding byte: 21
        - Behaviour of write functions: proprietary
        - Value 'FF' for the first byte of BER-TLV tag fields: invalid
        - Data unit in quartets: 2
      Command chaining, length fields and logical channels: 40
        - Extended Lc and Le fields
        - Logical channel number assignment: No logical channel
        - Maximum number of logical channels: 1
    Tag: 8, len: 1 (status indicator)
      LCS (life card cycle): 07
+ TCK = FA (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FE 18 00 00 81 31 FE 45 80 31 81 54 48 53 4D 31 73 80 21 40 81 07 FA
        Smartcard-HSM
        http://www.cardcontact.de/products/sc-hsm.html

Initialize the first smartcard

Create two DKEK shares

  • 1st share;
[staf@vicky mnt]$ sc-hsm-tool --create-dkek-share dkek-share-1.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00

The DKEK share will be enciphered using a key derived from a user supplied password.
The security of the DKEK share relies on a well chosen and sufficiently long password.
The recommended length is more than 10 characters, which are mixed letters, numbers and
symbols.

Please keep the generated DKEK share file in a safe location. We also recommend to keep a
paper printout, in case the electronic version becomes unavailable. A printable version
of the file can be generated using "openssl base64 -in <filename>".
Enter password to encrypt DKEK share : 

Please retype password to confirm : 

Passwords do not match. Please retry.
Enter password to encrypt DKEK share : 
[staf@vicky mnt]$ sc-hsm-tool --create-dkek-share dkek-share-1.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00

The DKEK share will be enciphered using a key derived from a user supplied password.
The security of the DKEK share relies on a well chosen and sufficiently long password.
The recommended length is more than 10 characters, which are mixed letters, numbers and
symbols.

Please keep the generated DKEK share file in a safe location. We also recommend to keep a
paper printout, in case the electronic version becomes unavailable. A printable version
of the file can be generated using "openssl base64 -in <filename>".
Enter password to encrypt DKEK share : 

Please retype password to confirm : 

Enciphering DKEK share, please wait...
DKEK share created and saved to dkek-share-1.pbe
[staf@vicky mnt]$ 
  • 2nd share;
[staf@vicky mnt]$ sc-hsm-tool --create-dkek-share dkek-share-2.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00

The DKEK share will be enciphered using a key derived from a user supplied password.
The security of the DKEK share relies on a well chosen and sufficiently long password.
The recommended length is more than 10 characters, which are mixed letters, numbers and
symbols.

Please keep the generated DKEK share file in a safe location. We also recommend to keep a
paper printout, in case the electronic version becomes unavailable. A printable version
of the file can be generated using "openssl base64 -in <filename>".
Enter password to encrypt DKEK share : 

Please retype password to confirm : 
[staf@vicky mnt]$ sc-hsm-tool --create-dkek-share dkek-share-2.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00

The DKEK share will be enciphered using a key derived from a user supplied password.
The security of the DKEK share relies on a well chosen and sufficiently long password.
The recommended length is more than 10 characters, which are mixed letters, numbers and
symbols.

Please keep the generated DKEK share file in a safe location. We also recommend to keep a
paper printout, in case the electronic version becomes unavailable. A printable version
of the file can be generated using "openssl base64 -in <filename>".
Enter password to encrypt DKEK share : 

Please retype password to confirm : 

Enciphering DKEK share, please wait...
DKEK share created and saved to dkek-share-2.pbe
[staf@vicky mnt]$ 

If you want a backup of the DKEK shares, copy them to another (encrypted) USB stick. Keep in mind that without all shares (and their passwords) a wrapped key backup can never be imported into a replacement card.

Initialize the SmartCard

  • Initialize

Use sc-hsm-tool to initialize the smartcard and specify the number of DKEK shares you'll use. You'll need to pick a PIN for the "security officer" (SO-PIN) and one for the "user" (User-PIN).

If you forget the SO-PIN you can't reinitialize the smartcard, so pick one you can remember, or write it down and store it in a secure location. The SO-PIN has to be exactly 16 hexadecimal characters (the tool's prompt says so, and pkcs15-tool reports it as a 16 character BCD PIN); the User-PIN is 6 to 16 characters.

sc-hsm-tool asks for each PIN only once, without a confirmation prompt, so be sure you know what you typed. If you lose the SO-PIN your smartcard becomes trash…

It's possible to pass the PINs with the --so-pin and --pin arguments, but that leaves them in your shell history and, while the tool runs, in the process list where any local user can read them with ps. Type them at the prompt instead.

[staf@vicky mnt]$ sc-hsm-tool --initialize --dkek-shares 2
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter SO-PIN (16 hexadecimal characters) : 

Enter initial User-PIN (6 - 16 characters) : 

[staf@vicky mnt]$ 

If you run sc-hsm-tool without arguments, it shows that the DKEK shares are still missing:

[staf@vicky mnt]$ sc-hsm-tool 
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Version              : 1.2
User PIN tries left  : 3
DKEK shares          : 2
DKEK import pending, 2 share(s) still missing
[staf@vicky mnt]$ 
  • import the DKEK shares
[staf@vicky mnt]$ sc-hsm-tool --import-dkek-share dkek-share-1.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter password to decrypt DKEK share : 

Deciphering DKEK share, please wait...
DKEK share imported
DKEK shares          : 2
DKEK import pending, 1 share(s) still missing
[staf@vicky mnt]$ sc-hsm-tool --import-dkek-share dkek-share-2.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter password to decrypt DKEK share : 

Deciphering DKEK share, please wait...
DKEK share imported
DKEK shares          : 2
DKEK key check value : 2C63E9E5D6FE0B8C
[staf@vicky mnt]$ 

test the user and SO PIN

list the PKCS#11 slots

[staf@vicky mnt]$ pkcs11-tool --module opensc-pkcs11.so -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): Generic Smart Card Reader Interface [Smart Card Reader Interface
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 1.2
  serial num         : DECM0102332
[staf@vicky mnt]$ 

test the user PIN:

[staf@vicky mnt]$ pkcs11-tool --module opensc-pkcs11.so --slot 1 --login --test
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
Signatures: no private key found in this slot
Verify (currently only for RSA):
  No private key found for testing
Unwrap: not implemented
Decryption (RSA)
No errors
[staf@vicky mnt]$ 

test the SO PIN. Note that the signature, unwrap and decryption tests are skipped for the SO login: the SO-PIN is an administrative credential and doesn't give access to the user's private keys.

[staf@vicky mnt]$ pkcs11-tool --module opensc-pkcs11.so --slot 1 --login --test --login-type so
Logging in to "SmartCard-HSM (UserPIN)".
Please enter SO PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures: not logged in, skipping signature tests
Verify: not logged in, skipping verify tests
Key unwrap: not a R/W session, skipping key unwrap tests
Decryption: not logged in, skipping decryption tests
No errors
[staf@vicky mnt]$ 

Create your first keypair

create key pair

The command below generates an Elliptic Curve (ECC) key pair on the NIST P-256 curve (prime256v1). The private key is generated inside the smartcard and can't be read out through PKCS#11: the PKCS#15 listing further down shows it as sensitive, alwaysSensitive and neverExtract.

[staf@vicky mnt]$ pkcs11-tool --module opensc-pkcs11.so --keypairgen --key-type EC:prime256v1 --label myfirst_keypair --login
Using slot 1 with a present token (0x1)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN: 
Key pair generated:
Private Key Object; EC
  label:      myfirst_keypair
  ID:         ae79417e809ed19b9a69d4c14f444462ad0bd66c
  Usage:      sign, derive
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104f8ead77d1411e016196141d9d1f747a481aec4be40d1f8822d26d407fee05902082e18843ee58db4f5575b19ff243a735b66b2c91adbec1a59aeacc7c1ae8b52
  EC_PARAMS:  06082a8648ce3d030107
  label:      myfirst_keypair
  ID:         ae79417e809ed19b9a69d4c14f444462ad0bd66c
  Usage:      verify
[staf@vicky mnt]$ 

list objects

List the objects to verify that your key pair is on the smartcard. Without --login only the public objects are shown; add --login to also see the private key object.

[staf@vicky mnt]$ pkcs11-tool --module opensc-pkcs11.so --list-objects
Using slot 1 with a present token (0x1)
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104f8ead77d1411e016196141d9d1f747a481aec4be40d1f8822d26d407fee05902082e18843ee58db4f5575b19ff243a735b66b2c91adbec1a59aeacc7c1ae8b52
  EC_PARAMS:  06082a8648ce3d030107
  label:      myfirst_keypair
  ID:         ae79417e809ed19b9a69d4c14f444462ad0bd66c
  Usage:      none
[staf@vicky mnt]$ 
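The EC_POINT and EC_PARAMS lines above are the raw PKCS#11 attributes of the public key: EC_POINT is a DER OCTET STRING wrapping the uncompressed SEC1 point (04 || x || y) and EC_PARAMS is the DER OID of the curve. The script below is an added example (my own code, not from the original post or from OpenSC) that decodes the values printed above, checks that the point really lies on P-256 and turns it into a standard SubjectPublicKeyInfo PEM. The curve constants are the published NIST P-256 parameters; only prime256v1 is handled, and the PAGE_* constants are copied from the pkcs11-tool output.

```python
# Added example, not code from the original post or from OpenSC: decode the
# EC_POINT / EC_PARAMS attributes that pkcs11-tool prints, check that the point
# lies on P-256 and convert it into a SubjectPublicKeyInfo PEM.
import base64
import hashlib

# NIST P-256 (prime256v1 / secp256r1) domain parameters
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")   # id-ecPublicKey 1.2.840.10045.2.1
CURVES = {"06082a8648ce3d030107": "prime256v1"}            # EC_PARAMS -> curve (only P-256 here)

# Attribute values copied from the pkcs11-tool output on this page
PAGE_EC_POINT = ("044104f8ead77d1411e016196141d9d1f747a481aec4be40d1f8822d26d407fee05902"
                 "082e18843ee58db4f5575b19ff243a735b66b2c91adbec1a59aeacc7c1ae8b52")
PAGE_EC_PARAMS = "06082a8648ce3d030107"


def parse_ec_point(point_hex):
    """CKA_EC_POINT is a DER OCTET STRING wrapping the SEC1 point 04 || x || y."""
    raw = bytes.fromhex(point_hex)
    if len(raw) != 67 or raw[0] != 0x04 or raw[1] != 65:
        raise ValueError("expected an OCTET STRING holding a 65 byte P-256 point")
    point = raw[2:]
    if point[0] != 0x04:
        raise ValueError("compressed points are not handled")
    return int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")


def is_on_curve(x, y):
    """y^2 == x^3 - 3x + b (mod p); coordinates outside the field are rejected too."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def curve_name(params_hex):
    try:
        return CURVES[params_hex.lower()]
    except KeyError:
        raise ValueError("unsupported EC_PARAMS " + params_hex) from None


def der(tag, content):
    """Minimal DER TLV; short-form lengths are enough for a P-256 SPKI (89 bytes)."""
    if len(content) >= 0x80:
        raise ValueError("long-form DER lengths not needed here")
    return bytes([tag, len(content)]) + content


def spki_der(point_hex, params_hex):
    """SubjectPublicKeyInfo: SEQ { SEQ { id-ecPublicKey, curve OID }, BIT STRING point }."""
    curve_name(params_hex)                     # refuse curves we don't know
    x, y = parse_ec_point(point_hex)
    if not is_on_curve(x, y):
        raise ValueError("point is not on P-256: corrupted output or wrong curve")
    alg = der(0x30, OID_EC_PUBLIC_KEY + bytes.fromhex(params_hex))
    pub = der(0x03, b"\x00\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big"))
    return der(0x30, alg + pub)


def spki_pem(point_hex, params_hex):
    b64 = base64.b64encode(spki_der(point_hex, params_hex)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def fingerprint(point_hex, params_hex):
    """SHA-256 over the DER SPKI: handy to compare a key across cards or against a certificate."""
    return hashlib.sha256(spki_der(point_hex, params_hex)).hexdigest()


if __name__ == "__main__":
    x, y = parse_ec_point(PAGE_EC_POINT)
    print("curve      :", curve_name(PAGE_EC_PARAMS))
    print("on curve   :", is_on_curve(x, y))
    print("fingerprint:", fingerprint(PAGE_EC_POINT, PAGE_EC_PARAMS))
    print(spki_pem(PAGE_EC_POINT, PAGE_EC_PARAMS), end="")
```

Save the PEM to a file and `openssl pkey -pubin -in key.pem -text -noout` shows the same x and y coordinates. The on-curve check is what you want after any copy of the key: a transcription error in the hex almost always yields a point that is not on the curve.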

Copy objects to another smartcard

Backup

To back up our keys we need to export them from the smartcard and import them into another one. The export is wrapped with the DKEK, so it can only be imported into a SmartCard-HSM that holds the same DKEK. To store the wrapped object temporarily use an encrypted filesystem or a RAM disk on a trusted computer.

For security reasons you might want to keep the DKEK shares separate from your key backups: whoever holds the shares, their passwords and a wrapped key can import that key into any SmartCard-HSM. For convenience we'll store everything on one encrypted USB stick here.

get the object reference

First we need to find the key reference of the private key. It's the "Key ref" field in the pkcs15-tool -D output; sc-hsm-tool --wrap-key takes this number, not the label.

[staf@vicky mnt]$ pkcs15-tool -D
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
PKCS#15 Card [SmartCard-HSM]:
        Version        : 0
        Serial number  : DECM0102332
        Manufacturer ID: www.CardContact.de
        Flags          : 

PIN [UserPIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x81A], local, unblock-disabled, initialized, exchangeRefData
        Length         : min_len:6, max_len:15, stored_len:0
        Pad char       : 0x00
        Reference      : 129 (0x81)
        Type           : ascii-numeric
        Tries left     : 3

PIN [SOPIN]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0x9E], local, change-disabled, unblock-disabled, initialized, soPin
        Length         : min_len:16, max_len:16, stored_len:0
        Pad char       : 0x00
        Reference      : 136 (0x88)
        Type           : bcd
        Tries left     : 3

Private EC Key [myfirst_keypair]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x10C], sign, signRecover, derive
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        FieldLength    : 256
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : e82b0601040181c31f0201::
        Auth ID        : 01
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        MD:guid        : {3a03d245-ea49-1da1-d8cd-f2ced0526400}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Public EC Key [myfirst_keypair]
        Object Flags   : [0x0]
        Usage          : [0x0]
        Access Flags   : [0x2], extract
        FieldLength    : 256
        Key ref        : 0 (0x0)
        Native         : no
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        DirectValue    : <present>

[staf@vicky mnt]$ pkcs15-tool -D

extract the object(s)

[staf@vicky mnt]$ sc-hsm-tool --wrap-key private_myfirst_keypair --key-reference 1 
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter User PIN : 

[staf@vicky mnt]$ ls -l
total 28
-rw-r--r-- 1 swagemakers backup    64 Nov 11 13:42 dkek-share-1.pbe
-rw-r--r-- 1 swagemakers backup    64 Nov 11 13:42 dkek-share-2.pbe
drwx------ 2 root        root   16384 Nov 11 13:37 lost+found
-rw-rw-r-- 1 staf        staf     926 Nov 11 14:05 private_myfirst_keypair
[staf@vicky mnt]$ 

Note that we only need to wrap the private key: the wrapped object also contains the public key (and, as the unwrap output further down shows, the private key description and a certificate slot).

Initialize a second smartcard

[staf@vicky mnt]$ sc-hsm-tool --initialize --dkek-shares 2
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter SO-PIN (16 hexadecimal characters) : 

Enter initial User-PIN (6 - 16 characters) : 

[staf@vicky mnt]$ sc-hsm-tool 
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Version              : 1.2
User PIN tries left  : 3
DKEK shares          : 2
DKEK import pending, 2 share(s) still missing
[staf@vicky mnt]$ sc-hsm-tool --import-dkek-share dkek-share-1.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter password to decrypt DKEK share : 

Deciphering DKEK share, please wait...
DKEK share imported
DKEK shares          : 2
DKEK import pending, 1 share(s) still missing
[staf@vicky mnt]$ sc-hsm-tool --import-dkek-share dkek-share-2.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter password to decrypt DKEK share : 

Deciphering DKEK share, please wait...
DKEK share imported
DKEK shares          : 2
DKEK key check value : 2C63E9E5D6FE0B8C
[staf@vicky mnt]$ 

Store the key pair

The wrapped private object can be imported into any smartcard that holds the same DKEK. Before you try, check that the DKEK key check value printed after the last share import (2C63E9E5D6FE0B8C above) is identical on both cards; if it differs the cards have different DKEKs and the unwrap will fail.

[staf@vicky mnt]$ sc-hsm-tool --unwrap-key private_myfirst_keypair --key-reference 1
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Wrapped key contains:
  Key blob
  Private Key Description (PRKD)
  Certificate
Enter User PIN : 

Key successfully imported
[staf@vicky mnt]$ pkcs11-tool --list-objects 
Using slot 1 with a present token (0x1)
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104f8ead77d1411e016196141d9d1f747a481aec4be40d1f8822d26d407fee05902082e18843ee58db4f5575b19ff243a735b66b2c91adbec1a59aeacc7c1ae8b52
  EC_PARAMS:  06082a8648ce3d030107
  label:      myfirst_keypair
  ID:         ae79417e809ed19b9a69d4c14f444462ad0bd66c
  Usage:      none
[staf@vicky mnt]$ pkcs15-tool -D
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
PKCS#15 Card [SmartCard-HSM]:
        Version        : 0
        Serial number  : DECM0102330
        Manufacturer ID: www.CardContact.de
        Flags          : 

PIN [UserPIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x81A], local, unblock-disabled, initialized, exchangeRefData
        Length         : min_len:6, max_len:15, stored_len:0
        Pad char       : 0x00
        Reference      : 129 (0x81)
        Type           : ascii-numeric
        Tries left     : 3

PIN [SOPIN]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0x9E], local, change-disabled, unblock-disabled, initialized, soPin
        Length         : min_len:16, max_len:16, stored_len:0
        Pad char       : 0x00
        Reference      : 136 (0x88)
        Type           : bcd
        Tries left     : 3

Private EC Key [myfirst_keypair]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x10C], sign, signRecover, derive
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        FieldLength    : 256
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : e82b0601040181c31f0201::
        Auth ID        : 01
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        MD:guid        : {8e96ad75-4f6c-eb5e-6bb3-4a637bbcda50}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Public EC Key [myfirst_keypair]
        Object Flags   : [0x0]
        Usage          : [0x0]
        Access Flags   : [0x2], extract
        FieldLength    : 256
        Key ref        : 0 (0x0)
        Native         : no
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        DirectValue    : <present>

[staf@vicky mnt]$ 
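The backup and restore above are four manual commands with a key reference you have to look up by hand. As an added example (my own script, not the post's or OpenSC's code) here is a small Python wrapper around the same tools: it parses `pkcs15-tool -D` to find every private key and its key reference, parses the bare `sc-hsm-tool` status output for the DKEK state, and refuses to unwrap onto a card whose DKEK key check value differs from the source card's. It assumes sc-hsm-tool and pkcs15-tool are on PATH and that the current directory is the mounted encrypted USB stick; the dkek.kcv file name and the private_ file prefix are my own conventions. The embedded sample outputs are trimmed copies of the tool output shown on this page.

```python
# Added example, not code from the original post or from OpenSC: automate the
# backup/restore steps with a DKEK key check value (KCV) guard. The live path at
# the bottom needs a reader with a SmartCard-HSM; the parsers run on trimmed
# copies of the tool output shown on this page.
import re
import subprocess
import sys

PRIVATE_KEY_RE = re.compile(r"^Private (?:\w+ )?Key \[(?P<label>[^\]]+)\]\s*$")
KEY_REF_RE = re.compile(r"^\s*Key ref\s*:\s*(?P<ref>\d+)")
KCV_RE = re.compile(r"^DKEK key check value\s*:\s*(?P<kcv>[0-9A-Fa-f]{16})")
PENDING_RE = re.compile(r"^DKEK import pending, (?P<n>\d+) share\(s\) still missing")

# Trimmed copies of the pkcs15-tool / sc-hsm-tool output shown on this page.
SAMPLE_PKCS15_DUMP = """\
PKCS#15 Card [SmartCard-HSM]:
        Serial number  : DECM0102332

PIN [UserPIN]
        Reference      : 129 (0x81)

Private EC Key [myfirst_keypair]
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        Key ref        : 1 (0x1)

Public EC Key [myfirst_keypair]
        Key ref        : 0 (0x0)
"""
SAMPLE_STATUS_PENDING = "DKEK shares          : 2\nDKEK import pending, 2 share(s) still missing\n"
SAMPLE_STATUS_READY = "DKEK shares          : 2\nDKEK key check value : 2C63E9E5D6FE0B8C\n"


def private_keys(pkcs15_dump):
    """[(label, key_ref), ...] for every private key object in `pkcs15-tool -D` output."""
    keys, label = [], None
    for line in pkcs15_dump.splitlines():
        if not line.strip():            # a blank line ends an object description
            label = None
            continue
        m = PRIVATE_KEY_RE.match(line)
        if m:
            label = m.group("label")
            continue
        m = KEY_REF_RE.match(line)
        if m and label is not None:     # the public key's own "Key ref" line is ignored
            keys.append((label, int(m.group("ref"))))
            label = None
    return keys


def dkek_status(status_output):
    """('pending', shares_missing) or ('ready', kcv) from the bare `sc-hsm-tool` output."""
    for line in status_output.splitlines():
        m = PENDING_RE.match(line)
        if m:
            return ("pending", int(m.group("n")))
        m = KCV_RE.match(line)
        if m:
            return ("ready", m.group("kcv").upper())
    raise ValueError("no DKEK status found: card not initialized with --dkek-shares?")


def wrap_commands(pkcs15_dump, prefix="private_"):
    """One `sc-hsm-tool --wrap-key` per private key. The user PIN is typed at the
    tool's prompt, never passed with --pin, so it stays out of history and ps."""
    return [["sc-hsm-tool", "--wrap-key", prefix + label, "--key-reference", str(ref)]
            for label, ref in private_keys(pkcs15_dump)]


def can_unwrap(source_status, target_status):
    """A wrapped key only unwraps on a card holding the same DKEK, i.e. the same KCV."""
    return (source_status[0] == "ready" and target_status[0] == "ready"
            and source_status[1] == target_status[1])


def capture(cmd):
    """stdout of a non-interactive OpenSC command (`pkcs15-tool -D`, bare `sc-hsm-tool`)."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Assumed conventions: cwd is the mounted encrypted USB stick and the source
    # card's KCV is remembered in dkek.kcv next to the wrapped keys.
    if sys.argv[1:] == ["backup"]:                       # source card in the reader
        status = dkek_status(capture(["sc-hsm-tool"]))
        if status[0] != "ready":
            sys.exit(f"source card still misses {status[1]} DKEK share(s)")
        with open("dkek.kcv", "w") as f:
            f.write(status[1] + "\n")
        for cmd in wrap_commands(capture(["pkcs15-tool", "-D"])):
            print("+", " ".join(cmd))
            subprocess.run(cmd, check=True)              # prompts for the user PIN
    elif len(sys.argv) == 4 and sys.argv[1] == "restore":  # restore FILE KEYREF, target card in the reader
        with open("dkek.kcv") as f:
            source = ("ready", f.read().strip())
        target = dkek_status(capture(["sc-hsm-tool"]))
        if not can_unwrap(source, target):
            sys.exit(f"refusing to unwrap: source KCV {source[1]}, target {target}")
        subprocess.run(["sc-hsm-tool", "--unwrap-key", sys.argv[2],
                        "--key-reference", sys.argv[3]], check=True)
    else:
        sys.exit("usage: hsm_backup.py backup | restore FILE KEYREF")
```

Run `hsm_backup.py backup` with the first card inserted and `hsm_backup.py restore private_myfirst_keypair 1` with the second; the KCV check turns a confusing unwrap failure into a clear message before the PIN is even asked for.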

Done…

We now have a copy of the key on the second smartcard and an encrypted backup of the wrapped key and the DKEK shares on the USB stick. Unmount the stick, close the LUKS volume and store it in a safe location.

[staf@vicky ~]$ mount | grep mnt
/dev/mapper/my on /mnt type ext4 (rw,relatime,data=ordered)
[staf@vicky ~]$ umount /mnt
umount: /mnt: umount failed: Operation not permitted
[staf@vicky ~]$ sudo umount /mnt
[sudo] password for staf: 
[staf@vicky ~]$ sudo cryptsetup luksClose my
[staf@vicky ~]$ 

I might publish some smartcard-hsm usage examples in the future…

Links

https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM

Rataplan Becomes a Watchdog

My NAS runs on FreeBSD and I'm quite happy with it. It's named after the dog Rataplan from the Lucky Luke comics.

However, transferring large files to it caused the network to hang. The Realtek network interface had issues with FreeBSD from the beginning; on the console and in syslog the message "re0: watchdog timeout" is printed.

Most FreeBSD people recommend Intel NICs, so I ordered a new Intel NIC at dx.com. After installing the new NIC the network seems to be stable again.