Kevux Systems
Turtle Kevux - Documentation - Additional Notes
Home
Documentation
Software Listing
Booting & Running
Installing Turtle Kevux
System Configuration
Server Configuration
Additional Notes
Credits

Space Considerations

Note: Small Total Represents the amount of space taken with only 1 set of kernel modules and without the documentation, toolchain and checksums.
Everything Build
Root Directory Size (MB)
bin 244
boot 20
checksum 84
documentation 311
etc 4.7
firmware 40
home 8
lib 578
modules 59
sbin 50
share 371
toolchain 221
Total 1986.46875
(1.93991 GB)
Small Total 1371.69531
(1.33954)
Squashed Total 588.82812
Squashed Small Total 485.13281

Key Space Consumers for "lib"
Directory Size (MB)
Image Magick 3.5
X11 (xorg) 46
abiword-2.8 2.2
avifile-0.7 1.1
claws-mail 1.3
gegl-0.0 (gimp) 1.7
gimp 6.3
git-core 6.2
gtk-2.0 1.3
libgphoto2 2.1
mysql 9.7
perl5 56
php 15
postgresql 4.3
purple-2 (pidgin) 4.2
python2.6 66
sane 6.1
seamonkey-2.0 38
sox 1.1
tcl8.5 18
tk8.5 9.6
transcode 2.3
wireshark 3.3
xfce4 3.2
xine 4.9
xtables 1.0
Desktop Build
Root Directory Size (MB)
bin 85
boot 21
checksum 28
documentation 66
etc 3.7
firmware 41
home 0.90234
lib 236
sbin 17
share 167
toolchain 296
modules 54
Total 1011.93359
(0.98821 GB)
Small Total 623.23437
(0.60862 GB)
Squashed Total 282.63281
Squashed Small Total 203.26953

Key Space Consumers for "share"
Directory Size (MB)
abiword-2.8 8.3
alsa 5.2
aspell 5.0
dvb 3.6
fonts 19
freedroidrpg 178
gimp 6.2
git-gui 1.1
icons 31
kbd 2.8
lbreakout2 4.4
link-grammar 1.4
mime 3.0
misc 1.8
multitalk 2.0
nmap 5.8
orage 4.0
poppler 13
postgresql 2.9
pygobject 1.2
pygtk 1.3
sane 1.6
sounds 1.8
themes (xfce) 6
vim 17
wireshark 12
wv 1.9
xfce4 2.6
xine 2.0
qemu 4.0


SSH Handshaking

This will assume that you are on the client machine and need to connect to a server and have working ssh access to the server.

  • Step 1, generate the key (-d is for DSA, no -d is for RSA)
      ssh-keygen -d

  • Step 2, Skipping password, just press enter on password prompt to leave it empty so that passwordless handshaking can work.
      This should create the .ssh/id_dsa and the .ssh/id_dsa.pub files, and this may take some time, depending on your hardware.

  • Step 3, Put the necessary files on the remote server to do the handshaking with
      username = your username to connect to the server
      remotehost = the address used to connect to the server
      /yourhome/directiry = the path to your home directory

      scp .ssh/id_dsa.pub username@remotehost:/yourhome/directory/
      ssh username@remotehost
      mkdir -p ~/.ssh/
      cat ~/id_dsa.pub >> ~/.ssh/authorized_keys

  • Step 4, now you can delete the id_dsa.pub file from the remote host and exit.
      rm id_dsa.pub
      exit

  • Step 5, DONE
      You should be able to ssh to the remote host without a password now, given that the .ssh/id_dsa file and the .ssh/id_dsa.pub file exist on your client machine for the user you intend to connect with.

  • Adding SSHFS on top of the SSH Handshaking
      See the SSH Handshaking above first
      Now that you can handshake from the above example, you should now be able to run the sshfs command and even put it in a logon or boot script, without exposing your password

  • Mounting from sshfs
      sshfs username@remotehost:/remote/directory/ /local/directory/

  • Unmounting from sshfs
      fusermount -u /local/directory/

  • If you did not use the SSH Handshaking above, then you will be prompted for a password on the sshfs command
  • If you did use the SSH Handshaking above, and are still being asked for a password, then there is a problem with the RSA/DSA keys
  • This password will still be prompted for any other client you use that does NOT have the private .ssh/id_dsa key

  • Encrypted Booting

    The encrypted boot process potentially requires additional files to exist on the boot device.
    This explains what those files are and how to configure these files.

    Inside of the effective /boot/ directory of the boot device there needs to be a /settings/ directory.
    Inside this directory there are currently only a few types of files searched for:

    1. Files that end in: .device
    2. Files that end in: .key
    3. Files that end in: .ask
    At this time only a limited set of device files are supported and they are:
    The only thing allowed inside of these files are the name of device to be decrypted.
    Allowed names are anything allowed by the mount command, such as:
    There should be nothing else inside of these files.

    The .key and .ask files are optional and must have the same name as the particular device file they represent.
    For example, for rootfs.device an ask file would be: rootfs.ask.

    The .key and .ask files determine how a particular device is decrypted.
    If a .ask file exists for a particular device, then during the boot process a prompt for the password will be presented to the user.
    If a .key file exists then that file is expected to contain the key that will be used to decrypt the drive.
    This key will allow for automatic decryption during boot.
    If both a .key file and a .ask file exist, then the .key will be processed first.
    If that .key file fails to decrypt the drive, then the user will be asked to enter in the password to decrypt.

    Important boot commands to pay attention to when dealing with encrypted booting are:

    The only device encryption supported at this time is LUKS.


    Encrypting a Drive

    WARNING: Creating an encrypted drive requires formatting a device, which will delete all data on that device.

    Lets say you wanted to encrypt a partition (/dev/sda6) and use a key file.

    1. Fill the drive with random data (this will delete all data on the device /dev/sda6):
      dd if=/dev/urandom of=/dev/sda6

    2. Create a keyfile using randomly generated data:
      dd if=/dev/urandom of=~/some.key bs=1c count=512

    3. Use the keyfile to encrypt the device with LUKS encryption:
      cryptsetup -c aes-xts-plain:sha512 -s 512 luksFormat /dev/sda6 ~/some.key

      Alternatively, try this encryption:
      cryptsetup -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/sda6 ~/some.key

    4. Now that the device is encrypted, decrypt the device so that the device can be properly formatted (calling the decrypted device: some_name_here):
      cryptsetup luksOpen /dev/sda6 some_name_here -d ~/some-key

    5. Format the decypted device (this example format creates an ext4 filesystem with a label of: some_fs_label):
      mkfs.ext4 -L some_fs_label /dev/mapper/some_name_here


    Lets say you wanted to encrypt a partition (/dev/sda6) and use a password.
    1. Fill the drive with random data (this will delete all data on the device /dev/sda6):
      dd if=/dev/urandom of=/dev/sda6

    2. Encrypt the device with LUKS encryption:
      cryptsetup -c aes-xts-plain:sha512 -y -s 512 luksFormat /dev/sda6
      Then enter in your desired password when prompted.

      Alternatively, try this encryption:
      cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda6

    3. Now that the device is encrypted, decrypt the device so that the device can be properly formatted (calling the decrypted device: some_name_here):
      cryptsetup luksOpen /dev/sda6 some_name_here
      Enter in the password you used in the previous step when prompted.

    4. Format the decypted device (this example format creates an ext4 filesystem with a label of: some_fs_label):
      mkfs.ext4 -L some_fs_label /dev/mapper/some_name_here


    Lets say you wanted add a new key to an existing encrypted device.
    1. If not already created, create a new key using random data:
      dd if=/dev/urandom of=~/new.key bs=1c count=512

    2. Add the new key (Assuming that the old key is called old.key and is stored in your home directory):
      cryptsetup -d ~/old.key luksAddKey /dev/sda6 ~/new.key

      If the encrypted device did not use a key, then use the following command instead and enter in the appropriate password when prompted:
      cryptsetup luksAddKey /dev/sda6 ~/new.key


    Lets say you wanted add a new password to an existing encrypted device.
    1. Add the new key (Assuming that the old key is called old.key and is stored in your home directory):
      cryptsetup -d ~/old.key luksAddKey /dev/sda6
      Then enter in your desired password when prompted.

      If the encrypted device did not use a key, then use the following command instead:
      cryptsetup luksAddKey /dev/sda6
      You will first be prompted for the decryption password, enter in that first.
      Enter in the new password after the first password properly decrypts the device.

    Lets say you wanted delete an existing password or key file from the drive.
    1. Both the password and the key file are stored in slots.
      In order to delete either of these, you will need to know which slot to delete.
      This information can be found by decrypting a device with the key or password you wish to delete.
      Whenever the device gets decrypted a message should be presented, stating which key slot was used.

      Once you have the propery slot identified (lets call this desired_slot), delete that slot (Assuming that the old key is called old.key and is stored in your home directory): cryptsetup -d ~/old.key luksDelKey /dev/sda6 desired_slot

      If the encrypted device did not use a key, then use the following command instead:
      cryptsetup luksDelKey /dev/sda6 desired_slot
      Enter in the decryption password when prompted.

    To learn how to encrypt using LUKS in detail, visit the LUKS website.