After seeing a bunch of traffic in Parrot's discord about encryption issues after a fresh install, I've finally got around to tracking down a fix. The Parrot Developers are aware of the issue and have been looking into the issue but turns out there's an easy to fix issues and can be solved at the end of the installation for user's who don't want to wait until the Parrot Development team releases an updated installation ISO.
There's two ways to get an encrypted Parrot install currently:
- Use my unofficial Architect ISO (shameless self plug)
- Follow this guide to correct the installer issues with the official Parrot installer
Fixing Encrypted Installation in Parrot 6.2
The rest of this article is focused on using/fixing the official Parrot OS security installer. Boot the ISO and proceed through the Parrot OS installer making sure to check the box to encrypt the installation (should be obvious). Allow the installer to move through its process and once it arrives at the "All Done" installer stage, make sure to uncheck the "Restart Now" button before clicking the "Done" button.
Calamares will exit. Then open up a terminal and become the root user with sudo.
┌─[user@parrot]─[~] └──╼ $ sudo -i [sudo] password for user: ┌──[root@parrot]─[~] └──╼ $
WARNING: The next step is absolutely crucial! Please triple check that the proper device is located for the specific system Parrot is being installed upon! This guide used a machine that only had one hard drive and Parrot was being installed as the only operating system on this machine. Failure to pay attention here could have bigger impacts on the system!
The installer will have created and mounted the new parrot installation to a mount point in /tmp. It's important that the device name and location be determined before continuing this process. To do this, the lsblk tool can be used and the output searched for a mount point in /tmp with a label containing "calamares-root". As can be seen in the screenshot below, the test system here has the new Parrot root filesystem mounted on "/tmp/calamares-root-mb21j4pl". NOTE: The text after calamares-root- WILL be different!
Three important aspects need to be noted here.
- The name of the device that was used for the Parrot installation -> /dev/sda
- The name of the calamares mount point -> /tmp/calamares-root-mb21j4pl
- Since UEFI boot was used on this system, the ESP partition name -> /dev/sda1
- If BIOS/MBR boot was used, there won't be an ESP so don't worry
With this information, the process can continue. Make sure to make the proper changes to commands below so the commands reflect the setup of the system in use!!
There are a number of special filesystems that need to be mounted. The following for loop can be used to quickly accomplish this (make sure to change the Calamares path to reflect the proper path for the system!).
┌──[root@parrot]─[~] └──╼ $ for mount in dev dev/pts proc sys; do mount -o bind /${mount} /tmp/calamares-root-mb21j4pl/${mount}; done
If all goes well, there should be a number of bind mounts in that Calamares directory. To confirm, the mount command can be leveraged to double check that no errors occurred.
For UEFI boot ONLY: there are two other mounts that are necessary for this process to continue.
┌──[root@parrot]─[~] └──╼ $ mount -o bind /sys/firmware/efi/efivars /tmp/calamares-root-mb21j4pl/sys/firmware/efi/efivars ┌──[root@parrot]─[~] └──╼ $ mount /dev/sda1 /tmp/calamares-root-mb21j4pl/boot/efi
When all the mounts are done, an EFI system should have the following mountpoints setup (a BIOS/MBR system will not have the two bottom mountpoints obviously).
The next phase is to chroot into the Parrot installation to fix the encryption configuration. The chroot process will only produce a very small change at the terminal but effectively it will allow the process to affect the new Parrot installation rather then the live ISO environment. Looking closely in the screenshot below, the yellow boxes highlight the only change that will be noticed when the chroot command is run.
Once chroot'ed into the Parrot installation, the fixes can begin! This is a decision point as well. There is an option to have Parrot prompt for the encryption password only once at GRUB/Boot time or at GRUB/Boot time as well and during the post-GRUB init process. Which one is chosen is a personal choice. The only effect is whether one has to enter the decryption password once or twice on system startup (only pick one of the below commands).
Prompt for Passphrase Once
┌──[root@parrot]─[/] └──╼ $ sed -i 's/none/\/crypto_keyfile.bin/' /etc/crypttab
Prompt for Passphrase Twice
┌──[root@parrot]─[/] └──╼ $ sed -i 's/\(^.*discard\).*$/\1/' /etc/crypttab
Regardless of which option is chosen above or boot method, the next command needs to be run to update the system's initramfs file.
┌──[root@parrot]─[/] └──╼ $ update-initramfs -u
For UEFI boot ONLY: UEFI systems still need one more command before the system is corrected. The Calamares installer neglects to actually place boot entries into nvram on the UEFI system apparently due to efivars not being mounted during the installation process. Since efivars was already mounted before chroot'ing, there's only one command that is needed in order to finish fixing the system.
┌──[root@parrot]─[/] └──╼ $ dpkg-reconfigure -f noninteractive grub-efi-amd64
If all goes well with dpkg, there will be no reported errors. The screenshot below shows the process taken for a UEFI system in which the user only wants to type the decryption passphrase one time.
Final steps for UEFI and BIOS systems: Now that the changes have been made, the system can be sync'd and restarted.
┌──[root@parrot]─[/] └──╼ $ sync; sync; exit ┌──[root@parrot]─[~] └──╼ $ shutdown -h now
When the system has powered off, be sure to remove the Parrot installation media before turning the system back on! Upon powering the system back on, the user should be prompted for the LUKS decryption.
Success! Once the system finishes booting, Parrot can be used and is leveraging disk encryption. Hope this is helpful to others trying to get disk encryption up and running with the current Parrot 6.2 ISOs!
No comments:
Post a Comment
Have a thought or question? Please share!