Dejice Jacob: University of Glasgowhttp://www.dcs.gla.ac.uk/~jacobd/Dejice Jacob's research profileenContents © 2025 <a href="mailto:dejice.jacob@glasgow.ac.uk">Dejice Jacob</a> Wed, 29 Jan 2025 17:55:22 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssA gentoo installation story - continued!http://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/a-gentoo-installation-story-continued/Dejice Jacob<h3>The birth of a Gentoo Linux KDE Desktop</h3> <p>I have previously journaled (<a href="http://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/an-encrypted-boot-gentoo-installation-story">Part-I</a>) my attempt to create an encrypted Gentoo Linux desktop. Please follow that first. It was a little more involved than I expected. I had to revisit some of the steps one or two times. Some of the steps in that post might better fit in this post. But hindsight is a wonderful thing. Now we come to building out what the general public think of as a computer (the Desktop). </p> <h3>Install some useful utilities</h3> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>eselect<span class="w"> </span>profile<span class="w"> </span>list<span class="w"> </span><span class="c1"># to get a list of desktop profiles </span> localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>eselect<span class="w"> </span>profile<span class="w"> </span><span class="nb">set</span><span class="w"> </span>&lt;KDE-openrc&gt;<span class="w"> </span><span class="c1"># I will also setup i3 tiling window manager</span> localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Europe/London"</span><span class="w"> </span>&gt;<span class="w"> </span>/etc/timezone localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--sync<span class="w"> </span> localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--quiet-build<span class="w"> </span>--ask<span class="w"> </span>--config<span class="w"> </span>sys-libs/timezone-data<span class="w"> </span> localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--quiet-build<span class="w"> </span>--ask<span class="w"> </span>app-misc/screen<span class="w"> </span>sys-process/htop </pre></div> <h5>Setup WiFi (Optional)</h5> <p>In (<a href="http://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/an-encrypted-boot-gentoo-installation-story">Part-I</a>), I already had ethernet and used that for installation. However, if WiFi is something that is required, then the following instructions should set up WiFi. Bear in mind that WiFi drivers could be missing from your kernel configuration. Searching the <a href="https://forums.gentoo.org">Gentoo forums</a> for a similar issue would be helpful. </p> <p>I will be installing <code>network-manager</code> later on and will have to disable both <em>dhcpcd</em> and <em>wpa-supplicant</em>. If we forget, then we will have two instances of DHCP and WiFi daemons duelling each other. </p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--quiet-build<span class="w"> </span>--ask<span class="w"> </span>net-misc/dhcpcd localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>--verbose<span class="w"> </span>net-wireless/wpa_supplicant localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>cp<span class="w"> </span>/usr/share/dhcpcd/hooks/10-wpa_supplicant<span class="w"> </span>/lib/dhcpcd/dhcpcd-hooks/ localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>bzcat<span class="w"> </span>/usr/share/doc/wpa_supplicant-&lt;ver-no&gt;/wpa-supplicant.conf.bz2<span class="w"> </span>&gt;<span class="w"> </span>/etc/wpa_supplicant/wpa_supplicant.conf </pre></div> <p>Almost all variations of a wpa-supplicant configuration can be obtained from "<em>/usr/share/doc/wpa_supplicant-<ver-no>/wpa_supplicant.conf.bz2</ver-no></em>". Uncomment the following in <code>/etc/wpa_supplicant/wpa_supplicant.conf</code>. </p> <div class="code"><pre class="code literal-block"><span class="nv">ctrl_interface</span><span class="o">=</span><span class="nv">DIR</span><span class="o">=</span>/var/run/wpa_supplicant<span class="w"> </span><span class="nv">GROUP</span><span class="o">=</span>wheel <span class="nv">eapol_version</span><span class="o">=</span><span class="m">1</span> <span class="nv">ap_scan</span><span class="o">=</span><span class="m">1</span> <span class="nv">fast_reauth</span><span class="o">=</span><span class="m">1</span> </pre></div> <p>Also generate the network connection parameters and insert into <code>wpa_supplicant.conf</code> using <code>wpa_passphrase</code> and remove every other configuration in that file. In case you have a more complicated set-up, then you will have to configure this according to your setup. </p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>wpa_passphrase<span class="w"> </span><span class="si">${</span><span class="nv">ssid</span><span class="si">}</span><span class="w"> </span><span class="si">${</span><span class="nv">passphrase</span><span class="si">}</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/wpa_supplicant/wpa_supplicant.conf </pre></div> <p>Change the value of <code>wpa_supplicant_args</code> in <code>/etc/conf.d/wpa_supplicant.conf</code> to: </p> <div class="code"><pre class="code literal-block"><span class="nv">wpa_supplicant_args</span><span class="o">=</span><span class="s2">"-B -M -c/etc/wpa_supplicant/wpa_supplicant.conf"</span> </pre></div> <p>Now add the <code>dhcpcd</code> and <code>wpa_supplicant</code> services to default runlevel and start the services. </p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>dhcpcd<span class="w"> </span>default localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>wpa_supplicant<span class="w"> </span>default localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-service<span class="w"> </span>dhcpcd<span class="w"> </span>start localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-service<span class="w"> </span>wpa_supplicant<span class="w"> </span>start </pre></div> <h5><a href="https://wiki.gentoo.org/wiki/Ntp#Ntpd">Setting up NTP</a></h5> <p>Networking and "time" dependent programs require accurate date and time information. This is achieved by installing <strong>NTPD</strong>. </p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>net-misc/ntp localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>ntpd<span class="w"> </span>default localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-service<span class="w"> </span>ntpd<span class="w"> </span>start </pre></div> <p><img src="https://upload.wikimedia.org/wikipedia/commons/thumb/0/05/Gentoo_Live_GUI_USB_running_KDE.png/640px-Gentoo_Live_GUI_USB_running_KDE.png" title="A Gentoo KDE Desktop" alt="Gentoo KDE desktop"> </p> <h3><a href="https://wiki.gentoo.org/wiki/KDE">Install the KDE desktop</a></h3> <p>While Wayland seems to be the future, I am still quite comfortable with the <code>X</code> server. It also helps that the <code>i3wm</code> window manager also is dependent on <code>X-sever</code>. The <strong>KDE</strong> meta-package is comprehensive and installs all the KDE applications and dependencies. </p> <div class="code"><pre class="code literal-block">localhost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>kde-plasma/plasma-meta </pre></div> <p>Ensure that the KDE display manager <code>sddm</code> is installed; then ensure that the "<strong>DISPLAYMANAGER</strong>" variable is set to <em>sddm</em>. </p> <div class="code"><pre class="code literal-block"><span class="nv">DISPLAYMANAGER</span><span class="o">=</span><span class="s2">"sddm"</span> </pre></div> <p>Add the requisite services to openrc to start at boot, </p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>dbus<span class="w"> </span>default localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>display-manager<span class="w"> </span>default localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>elogind<span class="w"> </span>boot </pre></div> <p><img src="https://media2.giphy.com/media/v1.Y2lkPTc5MGI3NjExc2t3czJ2YTF6MHJheGRlNHplenlmbGhpN214Mng3czBrcnQya203dCZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/DUtVdGeIU8lmo/giphy.gif" title="Restarting always works!" alt="IT crowd"> In my case, at this point, I found that just starting up the boot displaymanager from <em>openrc</em> did not get <code>sddm</code> to start. Rebooting the machine sorted the crashing display manager out. </p> <h5>Debugging: <a href="https://wiki.gentoo.org/wiki/X_server">Install <em>X-server</em></a></h5> <p>If there are any problems with bringing up KDE, using X-server to debug the issue is very useful. In case it was not already installed when <em>KDE-meta</em> was installed, start with installing X-server and driver packages.</p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>--verbose<span class="w"> </span>x11-base/xorg-drivers<span class="w"> </span>x11-base/xorg-server </pre></div> <p>To test out that the X-server is working correctly install a few <strong>X</strong> applications</p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>-a<span class="w"> </span>x11-terms/xterm<span class="w"> </span>x11-apps/xclock<span class="w"> </span>x11-wm/twm localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>startx<span class="w"> </span><span class="c1"># to test if display server is working</span> </pre></div> <h5>Sidenote: Uninstall dhcp and wpa-supplicant</h5> <p>Keeping <code>dhcpcd</code> and <code>wpa-supplicant</code> running in the background led me to some incredibly annoying and hard to debug problems with networking. The KDE deskptop already installs <code>NetworkManager</code> and this will in turn call an instance of <em>dhcp</em> and <em>wpa_supplicant</em>. You do NOT need your own version fighting with it. So... </p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-service<span class="w"> </span>stop<span class="w"> </span>dhcpcd localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>del<span class="w"> </span>dhcpcd localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-service<span class="w"> </span>stop<span class="w"> </span>wpa_supplicant localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>del<span class="w"> </span>wpa_supplicant </pre></div> <h3>Congratulations!</h3> <p>If you have persevered with the process this far, congratulations! You should have a desktop machine that you have compiled from source. Obviously, I have cleverly hidden all the frustrating debug work that went into steps going wrong. Along with this, there are issues with drivers or kernel features required by some software component not being turned <strong>ON</strong>. However, that is what the incredible gentoo <a href="https://forums.gentoo.org/">forums</a> and <a href="https://wiki.gentoo.org/wiki/Main_Page">wiki</a> are for. Happy compiling and debugging.</p>gentooinstalllinuxsecurityhttp://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/a-gentoo-installation-story-continued/Sun, 19 Jan 2025 20:14:21 GMTAn encrypted-boot gentoo installation storyhttp://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/an-encrypted-boot-gentoo-installation-story/Dejice Jacob<h3>How I got to gentoo</h3> <p>Like many people, I have gone through a few linux distros in my lifetime. Over the span of two decades, I ended up going through OpenSuse → Ubuntu → Debian (Stable) → Debian (Testing) → Gentoo. I keep an eye on distributions quite often, but the motivation for moving distributions crosses a threshold when a major workflow or technology disruption occurs within the distribution. It also correlates with my (<em>Slowly</em>) increasing knowledge and comfort with delving into how systems are put together. </p> <p><img src="https://upload.wikimedia.org/wikipedia/commons/thumb/3/32/Gentoo_Penguin_Baby_%2824940372635%29.jpg/209px-Gentoo_Penguin_Baby_%2824940372635%29.jpg" title="A Southern Gentoo Penguin" alt="Southern Gentoo Penguin" align="right"> </p> <p>I moved from Ubuntu → Debian (Stable) when Ubuntu decided to develop <a href="https://fridge.ubuntu.com/2013/03/04/mir-an-outpost-envisioned-as-a-new-home">Mir</a> rather than developing for Wayland. I am always enthusiastic about new software being developed, if only to see what could have been. The vision of convergence between devices was a cool one and given the right circumstances, may have succeeded. However, any large scale surgery of this sort which veers off and does its own thing risks failure. </p> <p>Another thing that philosophically did not sit right with me was the usage of <a href="https://snapcraft.io/blog/a-technical-comparison-between-snaps-and-debs"><em>snap</em> packages</a>. To me this felt like a way to reduce the pressure of maintenance in the short-term at the expense of long-term fragmentation. Desktop <em>*nix</em> distributions are not <strong>yet</strong> (it is now decade no.3 of trying to conquer the desktop) popular enough. I wish it was different (<em>sigh</em>)! Like any demand-supply equation, any let-up in the pressure to maintain library/API compatibility, in my opinion, would just lead to fragmentation and end-user frustration in the long-run.</p> <p>So I decided to do the Ubuntu → Debian (Stable) switch. As I was using a slightly older laptop, and it had all the drivers and packages I needed, I wonder why I did not do this earlier (<em>Doh</em>)! After two of my upgrades between major Debian revisions ended up requiring re-installations, I heard of this amazing new term called <em>rolling</em>-distributions. (Please excuse the <em>naïvete</em> and yes, I really am that naïve)! </p> <p>The next trigger to move was Debian's <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727708#6734">embrace</a> of <a href="https://systemd.io">Systemd</a>. I feel more comfortable with <a href="https://github.com/OpenRC/openrc">openRC</a> which I think keeps better to the overall *nix philosophy. I had by now done enough systems level software development and debugging to no longer be afraid of doing silly things that break stuff (<em>a little knowledge being dangerous</em> and all that). Building a new system from ground up would be something that would allow me to explore and understand the guts of my own system. </p> <h5>Enter Gentoo</h5> <p>Keeping with the theme of going further upstream and closer to the source (<em>wipe that smug <a href="https://en.wikipedia.org/wiki/Icarus">Icarus</a> image from your mind</em>), the choice was between <a href="https://www.linuxfromscratch.org/">Linux from Scratch</a>, <a href="http://www.slackware.com">Slackware</a> and <a href="https://www.gentoo.org">Gentoo</a>. In the end, I went with Gentoo due to the package manager and the sheer amount of support and documentation on the website. It should help reduce the amount of debugging and maintenance work I have to do, while still making me feel like a proper computer scientist. <em>Vanity and naïvete -- what could possibly go wrong?</em></p> <p><img src="https://wiki.gentoo.org/images/thumb/e/ee/Gblend.png/234px-Gblend.png" title="Gentoo Linux" alt="Gentoo Linux Logo" align="right"> </p> <h3>Why ?!</h3> <p>This leads us onto the purpose of this blog. Installing gentoo is relatively easy but time consuming if we go through the relatively straightforward instructions in the marvellous <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64">Gentoo AMD64 handbook</a>. However, I wanted to do a fully encrypted <code>/boot</code> drive as well and had to search around for various instructions. This is the command log (My Gentoo installation story) for my own personal notes. Someone else finding it useful is just a bonus. For more comprehensive information and various options, Each link in the subsections below are linked to the much more comprehensive information in the gentoo <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64">wiki</a>. </p> <h3>Gentoo AMD64 installation with encrypted <em>/boot</em></h3> <h5>Obtaining and preparing the <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Media">installation media</a></h5> <p>Very detailed instructions are already provided in the <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Media">handbook</a> and I don't have anything new to add. Switch off secure-boot in the BIOS and choose to boot from the USB drive that was just prepared. Once the laptop has been booted into the linux kernel and shows a root prompt, we will need to set up <a href="http://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/an-encrypted-boot-gentoo-installation-story/#configuring-the-network">networking</a>. </p> <h5>Partitioning the storage <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Disks">disks</a></h5> <p>I have a 16 GiB Laptop with 1TB of space on the SSD. I wanted to partition it with the following schema:</p> <div class="code"><pre class="code literal-block">NAME<span class="w"> </span>MAJ:MIN<span class="w"> </span>RM<span class="w"> </span>SIZE<span class="w"> </span>RO<span class="w"> </span>TYPE<span class="w"> </span>MOUNTPOINTS nvme0n1<span class="w"> </span><span class="m">259</span>:0<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">953</span>.9G<span class="w"> </span><span class="m">0</span><span class="w"> </span>disk ├─nvme0n1p1<span class="w"> </span><span class="m">259</span>:2<span class="w"> </span><span class="m">0</span><span class="w"> </span>2M<span class="w"> </span><span class="m">0</span><span class="w"> </span>part ├─nvme0n1p2<span class="w"> </span><span class="m">259</span>:4<span class="w"> </span><span class="m">0</span><span class="w"> </span>512M<span class="w"> </span><span class="m">0</span><span class="w"> </span>part │<span class="w"> </span>└─luks_boot<span class="w"> </span><span class="m">253</span>:0<span class="w"> </span><span class="m">0</span><span class="w"> </span>496M<span class="w"> </span><span class="m">0</span><span class="w"> </span>crypt ├─nvme0n1p3<span class="w"> </span><span class="m">259</span>:6<span class="w"> </span><span class="m">0</span><span class="w"> </span>128M<span class="w"> </span><span class="m">0</span><span class="w"> </span>part └─nvme0n1p4<span class="w"> </span><span class="m">259</span>:8<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">953</span>.2G<span class="w"> </span><span class="m">0</span><span class="w"> </span>part <span class="w"> </span>└─luks_root<span class="w"> </span><span class="m">253</span>:1<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">953</span>.2G<span class="w"> </span><span class="m">0</span><span class="w"> </span>crypt <span class="w"> </span>├─osvg-swap<span class="w"> </span><span class="m">253</span>:2<span class="w"> </span><span class="m">0</span><span class="w"> </span>8G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm<span class="w"> </span><span class="o">[</span>SWAP<span class="o">]</span> <span class="w"> </span>├─osvg-gentoo--root<span class="w"> </span><span class="m">253</span>:3<span class="w"> </span><span class="m">0</span><span class="w"> </span>64G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm<span class="w"> </span>/ <span class="w"> </span>├─osvg-gentoo--home<span class="w"> </span><span class="m">253</span>:4<span class="w"> </span><span class="m">0</span><span class="w"> </span>16G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm<span class="w"> </span>/home <span class="w"> </span>└─osvg-data<span class="w"> </span><span class="m">253</span>:5<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">865</span>.2G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm<span class="w"> </span>/media/data </pre></div> <p>Zap all pre-existing partitions on the disk. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--zap-all<span class="w"> </span>/dev/nvme0n1 </pre></div> <p>Ensure the first <em>1MiB</em> is left for grub to be written into raw device head. So we create a <em>1MiB</em> partition with <em>offset=1MiB</em>.</p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--new<span class="o">=</span><span class="m">1</span>:1M:+2M<span class="w"> </span>/dev/nvme0n1 livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--new<span class="o">=</span><span class="m">2</span>:0:+512M<span class="w"> </span>/dev/nvme0n1 livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--new<span class="o">=</span><span class="m">3</span>:0:+128M<span class="w"> </span>/dev/nvme0n1<span class="w"> </span> livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--new<span class="o">=</span><span class="m">4</span>:0:0<span class="w"> </span>/dev/nvme0n1 </pre></div> <p>Change the names of the partitions and their filesystem types in the GPT partition table. A list of partition types can be obtained with <code>sgdisk -L</code>. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--typecode<span class="o">=</span><span class="m">1</span>:ef02<span class="w"> </span>--typecode<span class="o">=</span><span class="m">2</span>:8300<span class="w"> </span>--typecode<span class="o">=</span><span class="m">3</span>:ef00<span class="w"> </span>--typecode<span class="o">=</span><span class="m">4</span>:8300<span class="w"> </span>/dev/nvme0n1 livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--change-name<span class="o">=</span><span class="m">1</span>:GRUB<span class="w"> </span>--change-name<span class="o">=</span><span class="m">2</span>:/boot<span class="w"> </span>--change-name<span class="o">=</span><span class="m">3</span>:EFI-SP<span class="w"> </span>--change-name<span class="o">=</span><span class="m">4</span>:OS<span class="w"> </span>/dev/nvme0n1 </pre></div> <p>Encrypt the <code>/boot</code> partition with a password. While it is certainly more robust to have a separate Keyfile stored on another USB flash drive, it is cumbersome to carry around. Also, if you forget it or lose it, then it can be a pain. I am just going to use a plain old password for this in this case. Additionally, grub can not yet decrypt keys in the default LUKS2 format (argon2id) and requires the key to be in the LUKS1 default format of PBKDF2. So the <code>/boot</code> partition is formatted with LUKS1. I will maybe write up a detached header version in a future post.</p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>luksFormat<span class="w"> </span>--key-size<span class="o">=</span><span class="m">512</span><span class="w"> </span>--type<span class="o">=</span>luks1<span class="w"> </span>/dev/nvme0n1p2 </pre></div> <p>Format the <code>/boot</code> and <code>efi-sp</code> partitions </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>open<span class="w"> </span>/dev/nvme0n1p2<span class="w"> </span>/dev/mapper/luks_boot livecd<span class="w"> </span>~#<span class="w"> </span>mkfs.ext4<span class="w"> </span>-L<span class="w"> </span>boot<span class="w"> </span>/dev/mapper/luks_boot livecd<span class="w"> </span>~#<span class="w"> </span>mkfs.vfat<span class="w"> </span>-n<span class="w"> </span>EFI-SP<span class="w"> </span>-F<span class="w"> </span><span class="m">16</span><span class="w"> </span>/dev/nvme0n1p3<span class="w"> </span> </pre></div> <p>To obtain an encrypted <em><code>/root, /home and swap</code></em> partition, I decided to use Logical Volume Management (<a href="https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_and_managing_logical_volumes/overview-of-logical-volume-management_configuring-and-managing-logical-volumes#lvm-architecture_overview-of-logical-volume-management">LVM</a>) on a LUKS encrypted partition. With experience, I can say that if you intend on using the KDE desktop, the machine should ideally have 32GB of RAM. Some packages such as firefox, the qtwebkit renderer etc require greater than 16GB of RAM. This would then influence the amount of swap space that you should keep aside. Since I have 32GiB of RAM, and I do not want suspend, only 8GiB of swap space is allocated. The beauty of LVM is that this can be resized in the future if required. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>luksFormat<span class="w"> </span>--key-size<span class="o">=</span><span class="m">512</span><span class="w"> </span>--key-slot<span class="o">=</span><span class="m">1</span><span class="w"> </span>/dev/nvme0n1p4<span class="w"> </span> livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>open<span class="w"> </span>/dev/nvme0n1p4<span class="w"> </span>luks_root<span class="w"> </span> livecd<span class="w"> </span>~#<span class="w"> </span>pvcreate<span class="w"> </span>/dev/mapper/luks_root<span class="w"> </span><span class="c1"># Create a Physical volume on the decrypted device</span> livecd<span class="w"> </span>~#<span class="w"> </span>vgcreate<span class="w"> </span>osvg<span class="w"> </span>/dev/mapper/luks_root<span class="w"> </span><span class="c1"># Create a volume group on the Physical volume</span> livecd<span class="w"> </span>~#<span class="w"> </span>lvcreate<span class="w"> </span>-L<span class="w"> </span>8G<span class="w"> </span>-n<span class="w"> </span>swap<span class="w"> </span>osvg<span class="w"> </span><span class="c1"># Create swap space on the encrypted LVM </span> livecd<span class="w"> </span>~#<span class="w"> </span>lvcreate<span class="w"> </span>-L<span class="w"> </span>64G<span class="w"> </span>-n<span class="w"> </span>gentoo-root<span class="w"> </span>osvg<span class="w"> </span><span class="c1"># Create /root on the encrypted LVM </span> livecd<span class="w"> </span>~#<span class="w"> </span>lvcreate<span class="w"> </span>-L<span class="w"> </span>16G<span class="w"> </span>-n<span class="w"> </span>gentoo-home<span class="w"> </span>osvg<span class="w"> </span><span class="c1"># Create /home on the encrypted LVM </span> livecd<span class="w"> </span>~#<span class="w"> </span>lvcreate<span class="w"> </span>-l<span class="w"> </span><span class="m">100</span>%FREE<span class="w"> </span>-n<span class="w"> </span>data<span class="w"> </span>osvg<span class="w"> </span><span class="c1"># Create a separate data partition</span> </pre></div> <p>Format the partitions created in the LVM.</p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>mkswap<span class="w"> </span>-L<span class="w"> </span>swap<span class="w"> </span>/dev/mapper/osvg-swap<span class="w"> </span> livecd<span class="w"> </span>~#<span class="w"> </span>mkfs.ext4<span class="w"> </span>-L<span class="w"> </span>root<span class="w"> </span>/dev/mapper/osvg-gentoo--root livecd<span class="w"> </span>~#<span class="w"> </span>mkfs.ext4<span class="w"> </span>-L<span class="w"> </span>home<span class="w"> </span>/dev/mapper/osvg-gentoo--home livecd<span class="w"> </span>~#<span class="w"> </span>mkfs.ext4<span class="w"> </span>-L<span class="w"> </span>data<span class="w"> </span>/dev/mapper/osvg-data </pre></div> <p>Now mount the encrypted drives to various directories</p> <div class="code"><pre class="code literal-block">mkdir<span class="w"> </span>-p<span class="w"> </span>/mnt/gentoo/<span class="o">{</span>root,home,data<span class="o">}</span> mount<span class="w"> </span>/dev/mapper/osvg-gentoo--root<span class="w"> </span>/mnt/gentoo/root mount<span class="w"> </span>/dev/mapper/osvg-gentoo--home<span class="w"> </span>/mnt/gentoo/home mount<span class="w"> </span>/dev/mapper/osvg-data<span class="w"> </span>/mnt/gentoo/data </pre></div> <h5>Configuring the <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Networking">network</a></h5> <p>I already have an ethernet cable to connect, so I did not require to set up WiFi. Gentoo already has the <code>net-setup</code> utility to help with setting up WiFi. The network interface names can be obtained using the <code>ip link</code> command. Set-up is through a fairly easy menu driven <code>ncurses</code> style interactive interface. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>net-setup<span class="w"> </span> </pre></div> <ol> <li>For ethernet, configure the wired ethernet interface (starts with <em>enp</em>...) </li> <li>In the case of WiFi, choose wireless WiFi interface (starts with <em>wlp</em>...) </li> </ol> <p>Make sure the time of the system is accurate. I utilised a simple <strong>NTP</strong> client (<em>chronyd</em>) to correct the time. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>chronyd<span class="w"> </span>-q </pre></div> <h5>Obtaining the <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Stage">Stage-3</a> Installation files</h5> <p>I like <em>openrc</em> and chose the <em>desktop-openrc</em> profile for the stage-3 tarball. Use the livecd built-in <em>ncurses</em> browser to obtain the stage-3 tarball. Alternatively download it on another PC and transfer via another USB device. </p> <h5>Setup base <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Stage">root filesystem</a>, configure <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Stage#Configuring_compile_options">portage</a> and <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base">gentoo base</a></h5> <p>Assuming the stage-3 tarball is in <code>/mnt/gentoo/data</code> untar it to the target storage-device's <code>/root</code> directory. In our case, we have mounted it to <code>/mnt/gentoo/root</code>. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">cd</span><span class="w"> </span>/mnt/gentoo/data livecd<span class="w"> </span>~#<span class="w"> </span>tar<span class="w"> </span>-Jxpvf<span class="w"> </span>stage3_tarball.tar.xz<span class="w"> </span>--xattrs-include<span class="o">=</span><span class="s1">'*.*'</span><span class="w"> </span>--numeric-owner<span class="w"> </span>-C<span class="w"> </span>/mnt/gentoo/root<span class="w"> </span> livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">cd</span><span class="w"> </span>/mnt/gentoo/root livecd<span class="w"> </span>~#<span class="w"> </span>cp<span class="w"> </span>--dereference<span class="w"> </span>/etc/resolv.conf<span class="w"> </span>/mnt/gentoo/root/etc/resolv.conf<span class="w"> </span> livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">MAKEOPTS</span><span class="o">=</span><span class="se">\"</span>-j<span class="k">$(</span>nproc<span class="k">)</span><span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">ACCEPT_KEYWORDS</span><span class="o">=</span><span class="se">\"</span>amd64<span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">USE</span><span class="o">=</span><span class="se">\"</span>udev<span class="w"> </span>lvm<span class="w"> </span>dbus<span class="w"> </span>X<span class="w"> </span>pulseaudio<span class="w"> </span>networkmanager<span class="w"> </span>clang<span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf </pre></div> <p>Add the CPU flags for your host to <code>/mnt/gentoo/root/etc/portage/make.conf</code>. Make sure you replace the newly added line to the format <code>CPU_FLAGS_X86="aes ....."</code>. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="k">$(</span>cpuid2cpuflags<span class="k">)</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf </pre></div> <p>Now add the <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base#VIDEO_CARDS">video-cards</a> depending on your machine. On this machine, I had an AMD video card. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">VIDEO_CARDS</span><span class="o">=</span><span class="se">\"</span>amdgpu<span class="w"> </span>radeonsi<span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf </pre></div> <p>Add some miscellaneous devices as well. <code>libinput</code> provides input handling for display servers. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">INPUT_DEVICES</span><span class="o">=</span><span class="se">\"</span>libinput<span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">SANEBACKENDS</span><span class="o">=</span><span class="se">\"</span>hp<span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf </pre></div> <p>Within the portage configuration file <code>/mnt/gentoo/root/etc/portage/make.conf</code> update the value of the variable <code>COMMON_FLAGS</code> to <code>COMMON_FLAGS="-march=native -O2 -pipe"</code> Also select from the worldwide mirrors to download software from. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>mirrorselect<span class="w"> </span>-i<span class="w"> </span>-o<span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf </pre></div> <p>Mount the system files required to prepare the target computer's <code>chroot</code> environment. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--types<span class="w"> </span>proc<span class="w"> </span>/proc<span class="w"> </span>/mnt/gentoo/root/proc livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--rbind<span class="w"> </span>/sys<span class="w"> </span>/mnt/gentoo/root/sys livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--make-rslave<span class="w"> </span>/mnt/gentoo/root/sys livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--rbind<span class="w"> </span>/dev<span class="w"> </span>/mnt/gentoo/root/dev livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--make-rslave<span class="w"> </span>/mnt/gentoo/root/dev livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--bind<span class="w"> </span>/run<span class="w"> </span>/mnt/gentoo/root/run livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--make-slave<span class="w"> </span>/mnt/gentoo/root/run </pre></div> <p>Enter the <code>chroot</code> environment. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>umount<span class="w"> </span>/mnt/gentoo/home<span class="w"> </span>/mnt/gentoo/data livecd<span class="w"> </span>~#<span class="w"> </span>chroot<span class="w"> </span>/mnt/gentoo/root<span class="w"> </span>/bin/bash livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">source</span><span class="w"> </span>/etc/profile livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">export</span><span class="w"> </span><span class="nv">PS1</span><span class="o">=</span><span class="s2">"(chroot) </span><span class="si">${</span><span class="nv">PS1</span><span class="si">}</span><span class="s2">"</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">export</span><span class="w"> </span><span class="nv">PS1</span><span class="o">=</span><span class="s2">"(chroot) </span><span class="si">${</span><span class="nv">PS1</span><span class="si">}</span><span class="s2">"</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mkdir<span class="w"> </span>-p<span class="w"> </span>/home<span class="w"> </span>/media/data <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>/dev/mapper/osvg-gentoo--home<span class="w"> </span>/home <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>/dev/mapper/osvg-data<span class="w"> </span>/media/data <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>swapon<span class="w"> </span>/dev/mapper/osvg-swap </pre></div> <p>Prepare the EFI System Partition. </p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>/dev/mapper/luks_boot<span class="w"> </span>/boot <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mkdir<span class="w"> </span>-p<span class="w"> </span>/boot/efi<span class="w"> </span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>/dev/nvme0n1p3<span class="w"> </span>/boot/efi </pre></div> <p>Synchronise <code>emerge</code>'s software package list with upstream mirrors</p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>emerge-webrsync </pre></div> <p>Setup Locale Details</p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Europe/London"</span><span class="w"> </span>&gt;<span class="w"> </span>/etc/timezone <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"C.UTF8 UTF-8"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/locale.gen <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"en_GB ISO-8859-1"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/locale.gen <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"en_GB.UTF-8 UTF-8"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/locale.gen <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>locale-gen <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>env-update </pre></div> <h5>Configuring the <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel">Linux Kernel</a></h5> <p>Obtain all kernel related gentoo packages. </p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mkdir<span class="w"> </span>-p<span class="w"> </span>/etc/portage/package.license<span class="w"> </span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"sys-kernel/linux-firmware linux-fw-redistributable"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/portage/package.license/kernel <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>--quiet-build<span class="w"> </span>sys-kernel/linux-firmware<span class="w"> </span>sys-fs/cryptsetup<span class="w"> </span>sys-kernel/gentoo-sources<span class="w"> </span>sys-kernel/genkernel<span class="w"> </span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>eselect<span class="w"> </span>kernel<span class="w"> </span><span class="nb">set</span><span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="c1"># this should link /usr/src/linux to current kernel source</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"sys-boot/grub:2 device-mapper"</span><span class="w"> </span>&gt;<span class="w"> </span>/etc/portage/package.use/grub2 <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>--quiet-build<span class="w"> </span>sys-boot/grub<span class="w"> </span>sys-fs/genfstab <span class="c1">## Ensure all the relvant drives (including swap are already mounted / turned on</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>genfstab<span class="w"> </span>-Up<span class="w"> </span>/<span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/fstab<span class="w"> </span> <span class="c1">## add noauto to the /boot and /boot/efi mount-points in /etc/fstab</span> </pre></div> <p>Generate a LUKS key and add the generated key to the block device holding the encrypted partition. In my case, this was <code>luks_boot (/dev/nvme0n1p2)</code> and optionally<code>luks_root (/dev/nvme0n1p4)</code>. This will be the key that is used by the kernel-<em>initramfs</em> to decrypt and mount the encrypted LVM volume and (optionally) the <code>/boot</code> partition. There is a good argument to not automatically decrypt the <code>/boot</code> partition. This is why I have decided it is optional. <strong>Remember</strong>: We are adding this newly generated key to <em>Key-slot:0</em> of <code>luks_root</code> -- this is why we carefully added the original-key during disk-partitioning in <em>Key-slot:1</em>. Using <em>Key-slot:0</em> will make it faster during actual booting and each key is tried in sequence. <a href="http://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/an-encrypted-boot-gentoo-installation-story/#partitioning-the-storage-disks">link</a>. </p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mkdir<span class="w"> </span>-p<span class="w"> </span>/etc/luks/mnt/key <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>dd<span class="w"> </span><span class="k">if</span><span class="o">=</span>/dev/urandom<span class="w"> </span><span class="nv">of</span><span class="o">=</span>/etc/luks/mnt/key/boot_os.keyfile<span class="w"> </span><span class="nv">bs</span><span class="o">=</span><span class="m">4096</span><span class="w"> </span><span class="nv">count</span><span class="o">=</span><span class="m">1</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>chmod<span class="w"> </span><span class="nv">u</span><span class="o">=</span>rx,go-rwx<span class="w"> </span>/etc/luks <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>chmod<span class="w"> </span><span class="nv">u</span><span class="o">=</span>r,go-rwx<span class="w"> </span>/etc/luks/mnt/key/boot_os.keyfile <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>--key-slot<span class="o">=</span><span class="m">0</span><span class="w"> </span>/dev/nvme0n1p4<span class="w"> </span>/etc/luks/mnt/key/boot_os.keyfile<span class="w"> </span><span class="c1"># luks_root</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>--key-slot<span class="o">=</span><span class="m">1</span><span class="w"> </span>/dev/nvme0n1p2<span class="w"> </span>/etc/luks/mnt/key/boot_os.keyfile<span class="w"> </span><span class="c1"># luks_boot</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"luks_boot UUID=</span><span class="k">$(</span>blkid<span class="w"> </span>-s<span class="w"> </span>UUID<span class="w"> </span>-o<span class="w"> </span>value<span class="w"> </span>/dev/nvme0n1p2<span class="k">)</span><span class="s2"> /etc/luks/mnt/key/boot_os.keyfile luks,discard"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/crypttab <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"luks_root UUID=</span><span class="k">$(</span>blkid<span class="w"> </span>-s<span class="w"> </span>UUID<span class="w"> </span>-o<span class="w"> </span>value<span class="w"> </span>/dev/nvme0n1p4<span class="k">)</span><span class="s2"> /etc/luks/mnt/key/boot_os.keyfile luks,discard"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/crypttab </pre></div> <p><strong>NOTE</strong>: The key should be generated in a directory with the following pattern <code>${INITRAMFS_OVERLAY}/mnt/key</code>. The <code>genkernel</code> tool when provided the <code>INITRAMFS_OVERLAY</code> variable will use this overlay within its filesystem. The kernel will then look for the internal key in <code>/mnt/key</code>. </p> <p>While you could spend a long time configuring the kernel, I think it is easier to use <code>genkernel</code> to generate a kernel with a lot of options. We can always slim down the kernel afterwards. We can see the list of kernels with <code>eselect kernel list</code>. </p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>eselect<span class="w"> </span>kernel<span class="w"> </span><span class="nb">set</span><span class="w"> </span><span class="m">1</span><span class="w"> </span> </pre></div> <p>Set-up the following configurations in <code>/etc/genkernel.conf</code>. <strong>NOTE</strong>: Without the <code>INITRAMFS_OVERLAY</code>, the initramfs kernel cannot decrypt the enncrypted block device holding the LVMs for <code>/root, /home</code> etc. </p> <div class="code"><pre class="code literal-block"><span class="nv">NOCOLOR</span><span class="o">=</span><span class="s2">"false"</span> <span class="nv">LVM</span><span class="o">=</span><span class="s2">"yes"</span> <span class="nv">LUKS</span><span class="o">=</span><span class="s2">"yes"</span> <span class="nv">GK_SHARE</span><span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">GK_SHARE</span><span class="k">:-</span><span class="p">/usr/share/genkernel</span><span class="si">}</span><span class="s2">"</span> <span class="nv">CACHE_DIR</span><span class="o">=</span><span class="s2">"/var/cache/genkernel"</span> <span class="nv">DISTDIR</span><span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">GK_SHARE</span><span class="si">}</span><span class="s2">/distfiles"</span> <span class="nv">LOGFILE</span><span class="o">=</span><span class="s2">"/var/log/genkernel.log"</span> <span class="nv">LOGLEVEL</span><span class="o">=</span><span class="m">1</span> <span class="nv">ZFS</span><span class="o">=</span><span class="s2">"no"</span> <span class="nv">BTRFS</span><span class="o">=</span><span class="s2">"no"</span> <span class="nv">XFSPROGS</span><span class="o">=</span><span class="s2">"no"</span> <span class="nv">DEFAULT_KERNEL_SOURCE</span><span class="o">=</span><span class="s2">"/usr/src/linux"</span> <span class="nv">INITRAMFS_OVERLAY</span><span class="o">=</span><span class="s2">"/etc/luks"</span> </pre></div> <p>Now execute <code>genkernel</code> and prune as much of the kernel config that you don't need before executing. (Ensure that <code>/boot</code> and <code>/boot/efi</code> are mounted)!</p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>genkernel<span class="w"> </span>--menuconfig<span class="w"> </span>--luks<span class="w"> </span>--lvm<span class="w"> </span>--no-zfs<span class="w"> </span>all </pre></div> <h5><a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Bootloader#Default:_GRUB">Configuring the GRUB bootloader</a></h5> <p>Ensure the following settings are inserted into the <em>Grub</em> configuration file in <code>/etc/default/grub</code></p> <div class="code"><pre class="code literal-block"><span class="nv">GRUB_DISTRIBUTOR</span><span class="o">=</span><span class="s2">"Gentoo"</span> <span class="nv">GRUB_TIMEOUT</span><span class="o">=</span><span class="m">3</span> <span class="nv">GRUB_TIMEOUT_STYLE</span><span class="o">=</span>menu <span class="nv">GRUB_DISABLE_LINUX_PARTUUID</span><span class="o">=</span><span class="nb">false</span> <span class="nv">GRUB_PRELOAD_MODULES</span><span class="o">=</span><span class="s2">"part_gpt part_msdos lvm"</span> <span class="nv">GRUB_CMDLINE_LINUX_RECOVERY</span><span class="o">=</span><span class="s2">"recovery"</span> <span class="nv">GRUB_ENABLE_CRYPTODISK</span><span class="o">=</span>y </pre></div> <p>Also add the commandline for the linux kernel during boot before downloading and installing <code>grub</code></p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">GRUB_CMDLINE_LINUX</span><span class="o">=</span><span class="se">\"</span><span class="nv">keymap</span><span class="o">=</span>uk<span class="w"> </span>dolvm<span class="w"> </span><span class="nv">crypt_root</span><span class="o">=</span><span class="nv">UUID</span><span class="o">=</span><span class="k">$(</span>blkid<span class="w"> </span>-s<span class="w"> </span>UUID<span class="w"> </span>-o<span class="w"> </span>value<span class="w"> </span>/dev/nvme0n1p4<span class="k">)</span><span class="w"> </span><span class="nv">root_key</span><span class="o">=</span>boot_os.keyfile<span class="w"> </span><span class="nv">root_trim</span><span class="o">=</span>yes<span class="w"> </span><span class="nv">resume</span><span class="o">=</span>/dev/osvg/swap<span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/default/grub <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>--quiet-build<span class="w"> </span>sys-boot/grub <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mkdir<span class="w"> </span>/boot/grub <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>grub-mkconfig<span class="w"> </span>-o<span class="w"> </span>/boot/grub/grub.cfg<span class="w"> </span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>grub-install<span class="w"> </span>--target<span class="o">=</span>x86_64-efi<span class="w"> </span>--efi-directory<span class="o">=</span>/boot/efi<span class="w"> </span>--bootloader-id<span class="o">=</span><span class="s2">"grub"</span> </pre></div> <p>This should install various bootloader stages in their respective locations. Set <code>keymap=uk</code> in the file <code>/etc/conf.d/keymaps</code>. Otherwise, a recovery shell dropping you into a different keymap can be frustrating for passwords and debugging in a shell. </p> <h5>Preparing to reboot into our newly installed bare-bones system.</h5> <p>We are now ready to shutdown and reboot into our newly installed system. Unmount all the mount points, bind-mounts and dmcrypt. First set a root password for the new system. Then unmount all our devices. </p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>passwd<span class="w"> </span><span class="c1">#Set new password</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>umount<span class="w"> </span>/boot/efi <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>umount<span class="w"> </span>/boot <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>close<span class="w"> </span>luks_boot<span class="w"> </span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>swapoff<span class="w"> </span>/dev/mapper/osvg-swap <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>umount<span class="w"> </span>/media/data<span class="w"> </span>/home <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">exit</span> livecd<span class="w"> </span>~#<span class="w"> </span>umount<span class="w"> </span>/mnt/gentoo/root/proc livecd<span class="w"> </span>~#<span class="w"> </span>umount<span class="w"> </span>--recursive<span class="w"> </span>/mnt/gentoo/root/dev<span class="w"> </span>/mnt/gentoo/root/sys<span class="w"> </span>/mnt/gentoo/root/run livecd<span class="w"> </span>~#<span class="w"> </span>shutdown<span class="w"> </span>-Ph<span class="w"> </span>now<span class="w"> </span> </pre></div> <p>Now reboot into the newly installed system and put in the password for grub. This should then drop you into a prompt for the root password for the new system. </p> <p>(<strong>Optional</strong>): It might be a good idea to automatically decrypt the encrypted <code>/boot</code> block device so that we can very simply just use a <code>mount /boot</code> command that was earalier set up in <code>/etc/fstab</code>. We add entries for the <em>dmcrypt</em> service to automatically decrypt <code>/boot</code> during bootup and start the dmcrypt service</p> <div class="code"><pre class="code literal-block">hostname<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"target=luks_boot"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/conf.d/dmcrypt hostname<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">source</span><span class="o">=</span><span class="nv">UUID</span><span class="o">=</span><span class="se">\"</span><span class="k">$(</span>blkid<span class="w"> </span>-s<span class="w"> </span>UUID<span class="w"> </span>-o<span class="w"> </span>value<span class="w"> </span>/dev/nvme0n1p2<span class="k">)</span><span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/conf.d/dmcrypt hostname<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"key=/etc/luks/mnt/key/boot_os.keyfile"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/conf.d/dmcrypt hostname<span class="w"> </span>~#<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>dmcrypt<span class="w"> </span>boot hostname<span class="w"> </span>~#<span class="w"> </span>rc-service<span class="w"> </span>dmcrypt<span class="w"> </span>start </pre></div> <h3>Conclusion</h3> <p>This will get gentoo booting into a shell. Modern desktop computing is however a lot more. <del>I will chronicle my system setup in a further post.</del> My <strong>gentoo</strong> desktop installation saga continues in <a href="http://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/a-gentoo-installation-story-continued">Part-II</a>. </p>gentooinstalllinuxsecurityhttp://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/an-encrypted-boot-gentoo-installation-story/Sat, 11 Jan 2025 12:15:49 GMTOTP on the Linux command linehttp://www.dcs.gla.ac.uk/~jacobd/posts/2022/03/otp-on-the-linux-command-line/Dejice Jacob<p>Using SMS as a two-factor authentication method is quite a <a href="https://philipp-markert.com/assets/papers/way19-5-view-the-email.pdf">bad idea</a>. Bruce Schneier <a href="https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html">agrees</a> with <a href="https://pages.nist.gov/800-63-3/sp800-63b.html">NIST</a>, saying that it should no longer have any place in a 2FA environment. The UK's National Cyber Security Centre <a href="https://www.ncsc.gov.uk/guidance/setting-2-step-verification-2sv">NCSC</a> also does not recommend this. </p> <p><img src="https://upload.wikimedia.org/wikipedia/commons/thumb/b/b6/U2F.USB-Token.jpg/320px-U2F.USB-Token.jpg" title="MFA USB Token" alt="MFA USB Token" align="right"> </p> <p>While this was initially a novelty, it has lately started to grate on me that each application and service has their own secure key and authentication method. They each have their own physical 2FA keys. Once a user has to carry around multiple 2FA tokens around, weariness will settle in and they will compromise on security. </p> <p>To prevent this, many 2FA implementations have tried to do away with multiple 2FA devices. Most of them (for purposes other than security) have settled on the <em>least-common-denominator</em> 2FA method - insecure SMS. Forgetting about the security aspects (very well covered <a href="https://www.schneier.com/blog/archives/2017/05/criminals_are_n.html">elsewhere</a>), I am also at the mercy of being in a network coverage area. This might not be the case when travelling to a location where your network provider does not have any roaming options. </p> <p>Linux's <code>oathtool</code> is a nifty command line tool for websites that use standard HOTP/TOTP based 2FA (<a href="https://datatracker.ietf.org/doc/html/rfc6238">RFC6238</a>). When enabling 2FA from the "<em>Security Options</em>", choose to authenticate using an "<em>authenticator application</em>". This should pop up with a QR code or it might offer you the option of copying the private key (<code>pKey</code>). Most of the time the <code>pKey</code> is encoded using <a href="https://en.wikipedia.org/wiki/Base32"><em>base32</em></a>. The tool uses <em>SHA-1</em> by default, but this can be changed using the <code>--totp=hash-algorithm</code> option. However, you are at the mercy of the 2FA provider. Every time you need an OTP: </p> <div class="code"><pre class="code literal-block">$<span class="w"> </span>oathtool<span class="w"> </span>-b<span class="w"> </span>--totp<span class="w"> </span><span class="s2">"My Secret Key from some service provider"</span> <span class="m">191049</span> </pre></div> <p>Suffice it to say, please keep the <code>pKey</code> private and encrypted using <code>openssl</code> or <code>gpg</code>. As it can be executed on any Linux device, this does not have to be your phone (which I keep losing or damaging). TOTP is especially cool for people who travel to different time zones as the OTP is derived based on Unix Time. </p>2FAoauth2securityhttp://www.dcs.gla.ac.uk/~jacobd/posts/2022/03/otp-on-the-linux-command-line/Mon, 07 Mar 2022 23:33:45 GMTConfigure Mutt to work with OAuth 2.0http://www.dcs.gla.ac.uk/~jacobd/posts/2022/03/configure-mutt-to-work-with-oauth-20/Dejice Jacob<p>My email client of choice is <a href="https://gitlab.com/muttmua/mutt"><em>mutt</em></a>. The keyboard short-cuts are ingrained into muscle memory. I have tried to use complex passwords to keep myself secure. While that may help, many large web service providers require the use of <a href="https://oauth.net/2">OAuth 2.0</a> for better security. </p> <p><img src="https://upload.wikimedia.org/wikipedia/commons/thumb/a/a1/Mutt.png/320px-Mutt.png" title="Mutt mail user agent (MUA)" alt="Mutt mail user agent (MUA)"> </p> <p>The fine <em>defenders of the galaxy</em> at <a href="https://www.gla.ac.uk/it">University of Glasgow IT</a> started pushing for better security to access email and <em>office365</em> applications. If Computer Scientists do not lead the way on these things, what hope is there for the rest of digital society? </p> <h4>Introduction</h4> <p><a href="https://www.vanormondt.net/~peter/">Peter van Ormondt</a> wrote a simplified (<em>for dummies</em>) <a href="https://www.vanormondt.net/~peter/blog/2021-03-16-mutt-office365-mfa.html">guide</a> that even I could understand. It worked first time on <em>Outlook365</em> and <em>GMail</em>. On GMail, I can now turn off "Less Secure Apps"<sup id="fnref:lesssecure"><a class="footnote-ref" href="http://www.dcs.gla.ac.uk/~jacobd/posts/2022/03/configure-mutt-to-work-with-oauth-20/#fn:lesssecure">1</a></sup> that annoyingly keeps getting switched off, if the method is not utilised regularly. </p> <p>A better understanding of how OAuth 2.0 has been implemented is explained in the OAuth 2.0 <a href="https://gitlab.com/muttmua/mutt/-/blob/master/contrib/mutt_oauth2.py.README">documentation</a> found in the mutt repo. While Mutt has native <a href="http://www.mutt.org/doc/manual/#oauth">OAuth2 support</a>, it provides a hook to an external script to provide the authentication details. Conveniently, the Mutt project themselves have provided a Python script <a href="https://gitlab.com/muttmua/mutt/-/raw/master/contrib/mutt_oauth2.py"><code>mutt_oauth2.py</code></a> to authorise the user. The script keeps local state on a file which can be used to refresh the token. The <code>mutt_oauth2.py</code> script keeps this encrypted using <code>gpg</code>. </p> <h4>Configuration</h4> <h5>Configure and Authorise with <a href="https://gitlab.com/muttmua/mutt/-/raw/master/contrib/mutt_oauth2.py"><code>mutt_oauth2.py</code></a></h5> <ol> <li> <p>Create a separate <code>gpg</code> user to encrypt all the OAuth2 tokens for all providers. You could just as well re-use one of your other GPG keys for this. </p> <div class="code"><pre class="code literal-block">$<span class="w"> </span>gpg<span class="w"> </span>--gen-key<span class="w"> </span> GnuPG<span class="w"> </span>needs<span class="w"> </span>to<span class="w"> </span>construct<span class="w"> </span>a<span class="w"> </span>user<span class="w"> </span>ID<span class="w"> </span>to<span class="w"> </span>identify<span class="w"> </span>your<span class="w"> </span>key. Real<span class="w"> </span>name:<span class="w"> </span>My<span class="w"> </span>OAuth2<span class="w"> </span>Token<span class="w"> </span>Encryption<span class="w"> </span>Key Email<span class="w"> </span>address:<span class="w"> </span>token.encryptor@oauth2.me You<span class="w"> </span>selected<span class="w"> </span>this<span class="w"> </span>USER-ID: <span class="w"> </span><span class="s2">"My OAuth2 Token Encryption Key &lt;token.encryptor@oauth2.me&gt;"</span> Change<span class="w"> </span><span class="o">(</span>N<span class="o">)</span>ame,<span class="w"> </span><span class="o">(</span>E<span class="o">)</span>mail,<span class="w"> </span>or<span class="w"> </span><span class="o">(</span>O<span class="o">)</span>kay/<span class="o">(</span>Q<span class="o">)</span>uit?<span class="w"> </span>O We<span class="w"> </span>need<span class="w"> </span>to<span class="w"> </span>generate<span class="w"> </span>a<span class="w"> </span>lot<span class="w"> </span>of<span class="w"> </span>random<span class="w"> </span>bytes.<span class="w"> </span>It<span class="w"> </span>is<span class="w"> </span>a<span class="w"> </span>good<span class="w"> </span>idea<span class="w"> </span>to<span class="w"> </span>perform some<span class="w"> </span>other<span class="w"> </span>action<span class="w"> </span><span class="o">(</span><span class="nb">type</span><span class="w"> </span>on<span class="w"> </span>the<span class="w"> </span>keyboard,<span class="w"> </span>move<span class="w"> </span>the<span class="w"> </span>mouse,<span class="w"> </span>utilize<span class="w"> </span>the disks<span class="o">)</span><span class="w"> </span>during<span class="w"> </span>the<span class="w"> </span>prime<span class="w"> </span>generation<span class="p">;</span><span class="w"> </span>this<span class="w"> </span>gives<span class="w"> </span>the<span class="w"> </span>random<span class="w"> </span>number generator<span class="w"> </span>a<span class="w"> </span>better<span class="w"> </span>chance<span class="w"> </span>to<span class="w"> </span>gain<span class="w"> </span>enough<span class="w"> </span>entropy. </pre></div> </li> <li> <p>Download and install <a href="https://gitlab.com/muttmua/mutt/-/blob/master/contrib/mutt_oauth2.py"><code>mutt_oauth2.py</code></a></p> <div class="code"><pre class="code literal-block">$<span class="w"> </span>curl<span class="w"> </span>-o<span class="w"> </span>/any-path/mutt_oauth2.py<span class="w"> </span>https://gitlab.com/muttmua/mutt/-/raw/master/contrib/mutt_oauth2.py?inline<span class="o">=</span><span class="nb">false</span> $<span class="w"> </span>chmod<span class="w"> </span>u+x<span class="w"> </span>/any-path/mutt_oauth2.py </pre></div> </li> <li> <p>Replace <code>YOUR_GPG_IDENTITY</code> with your <em>GPG</em> key in <a href="https://gitlab.com/muttmua/mutt/-/blob/master/contrib/mutt_oauth2.py#L47"><code>mutt_oauth2.py</code></a></p> </li> <li> <p>Our setup masquerades as the <strong>Mozilla Thunderbird</strong> e-mail client and utilizes their <a href="https://hg.mozilla.org/comm-central/file/tip/mailnews/base/src/OAuth2Providers.jsm"><code>client-id</code> and <code>client-secret</code></a> which is hard-coded into the client. The client secret is actually within the open-source repos of the Thunderbird client. You can also create your own credentials. See instructions for <a href="http://www.dcs.gla.ac.uk/~jacobd/posts/2022/03/configure-mutt-to-work-with-oauth-20/#owncred">GMail</a>. The Thunderbird client registration details as of today : </p> <ul> <li><a href="https://hg.mozilla.org/comm-central/file/tip/mailnews/base/src/OAuth2Providers.jsm#l81">GMail</a>: <strong>client-id</strong> - <a href="https://hg.mozilla.org/comm-central/file/tip/mailnews/base/src/OAuth2Providers.jsm#l83"><code>406964657835-aq8lmia8j95dhl1a2bvharmfk3t1hgqj.apps.googleusercontent.com</code></a>, <strong>client-secret</strong> - <a href="https://hg.mozilla.org/comm-central/file/tip/mailnews/base/src/OAuth2Providers.jsm#l84"><code>kSmqreRr0qwBWJgbf5Y-PjSU</code></a></li> <li><a href="https://hg.mozilla.org/comm-central/file/tip/mailnews/base/src/OAuth2Providers.jsm#l127">Microsoft</a>: <strong>client-id</strong> - <a href="https://hg.mozilla.org/comm-central/file/tip/mailnews/base/src/OAuth2Providers.jsm#l129"><code>08162f7c-0fd2-4200-a84a-f25a4db0b584</code></a>, <strong>client-secret</strong> - <a href="https://hg.mozilla.org/comm-central/file/tip/mailnews/base/src/OAuth2Providers.jsm#l130"><code>TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82</code></a></li> </ul> </li> <li> <p>Intial authorisation for this client should be executed as: <code>/any-path/mutt_oauth2.py /any-path/oath2_token_file --authorize</code>. There should be a separate file for each email provider. When requested to input <em>authorisation flow</em> or <em>authentication method</em>, <code>localhostauthcode</code> will store the file in the same path. This is a one time operation and will be valid as long as the <strong>oauth2_token_file</strong> is available. You can delete the file and do the authorisation again if you so desire. Executing this script will provide a URL to paste into a browser. After opening the link in the browser and finishing any requisite authorisation, the script will obtain a token, encrypt it with your <em>GPG</em> key and store it locally in the path you have chosen.</p> </li> </ol> <h5>Configure <code>.mutt</code> config</h5> <p>Add the following entries to the <code>.mutt</code> config file for <strong>OAUTH2</strong> authentication. </p> <div class="code"><pre class="code literal-block">set<span class="w"> </span>imap_authenticators<span class="w"> </span>=<span class="w"> </span>"oauthbearer:xoauth2" set<span class="w"> </span>imap_oauth_refresh_command<span class="w"> </span>=<span class="w"> </span>"/any-path/mutt_oauth2.py<span class="w"> </span>/any-path/oath2_token_file" set<span class="w"> </span>smtp_authenticators<span class="w"> </span>=<span class="w"> </span><span class="cp">${</span><span class="n">imap_authenticators</span><span class="cp">}</span> set<span class="w"> </span>smtp_oauth_refresh_command<span class="w"> </span>=<span class="w"> </span><span class="cp">${</span><span class="n">imap_oauth_refresh_command</span><span class="cp">}</span> </pre></div> <p><code>xoauth2</code> was the experimental authentication protocol which got standardised as <code>oauthbearer</code>. However, it seems that while GMail seems to work with <code>oauthbearer</code>, Microsoft still requires <code>xoauth2</code>. </p> <h5><a name="owncred"></a> Roll your own Client credentials for GMail</h5> <ol> <li>Login to your google account, and navigate to your developer console to generate <a href="https://console.cloud.google.com/apis/credentials">OAuth 2.0 credentials</a></li> <li>Navigate to the "<em>Credentials</em>" page and click on <code>+ Create Credentials</code> to create an OAuth client ID. </li> </ol> <p>This <code>client-ID</code> and <code>client-secret</code> can then be used in the <code>mutt_oauth2.py</code> script. </p> <div class="footnote"> <hr> <ol> <li id="fn:lesssecure"> <p>I fear the long term consequences of cajoling users by using manipulative language such as this. It will cause a loss of credibility for experts in the long run. Regaining trust that is once lost crying "Wolf" will only happen after a period of difficult consequences for both expert and layperson. <a class="footnote-backref" href="http://www.dcs.gla.ac.uk/~jacobd/posts/2022/03/configure-mutt-to-work-with-oauth-20/#fnref:lesssecure" title="Jump back to footnote 1 in the text">↩</a></p> </li> </ol> </div>2FAmuttoauth2securityhttp://www.dcs.gla.ac.uk/~jacobd/posts/2022/03/configure-mutt-to-work-with-oauth-20/Fri, 04 Mar 2022 16:53:39 GMT