Walian
United Kingdom
Joined 4 Aug 2023
Linux and computer related tutorials.
Fully Automated Arch Linux Install (REUPLOAD)
A quick overview of my "no-touch", completely automated Arch Linux install bash script.
UEFI? ✅
Secure Boot? ✅
Unified Kernel Image? ✅
Encrypted Root? ✅
Fully non-interactive? ✅
Download the script yourself from my GitHub. If you know a better way to automate the cryptsetup section, please let me know!
github.com/walian0/bashscripts/blob/main/arch_plasma_auto.bash
My previous Arch Linux install video (if you want to know more about my setup choices): th-cam.com/video/Ov8qPrjDaj8/w-d-xo.html
I took a lot of inspiration from this bash script by swsnr:
github.com/swsnr/dotfiles/blob/6a25c4e0620068ecc6360fcbe1587eb14b622ac2/arch/bootstrap-from-iso.bash
Views: 2 981
Videos
Arch Install with Secure Boot, btrfs, TPM2 unlocking, and Unified Kernel Images.
14K views, a year ago
This install will result in a very clean base install using btrfs for a filesystem, mkinitcpio set up to generate UKIs, Secure Boot handled by sbctl, and your TPM handling encryption unlocking. You just need to bake in your DE of choice. Check out my blogpost and try it for yourself: www.walian.co.uk/arch-install-with-secure-boot-btrfs-tpm2-luks-encryption-unified-kernel-images.html Other usefu...
Harden your Pi-Hole: Setting up a recursive DNS server in Podman
1.1K views, a year ago
Last time, we set up a Raspberry Pi to be a DNS level ad-blocker, using Ubuntu Server, Cockpit, Podman, and Pi-Hole. Now let's go one step further and create a recursive DNS server for Pi-Hole to use inside an Unbound Podman container. My blogpost about this (go here to get the settings I use): www.walian.co.uk/setting-up-pi-hole-as-a-recursive-dns-server-using-an-unbound-container.html Previous...
How to Install Ubuntu, Cockpit, Podman, and Pi-Hole on your Raspberry Pi Tutorial (EASY mode)
2.8K views, a year ago
Super slick method to install Ubuntu Server, Cockpit, Podman, and Pi-Hole onto your Raspberry Pi. The next video in the series covers setting up a recursive DNS server: th-cam.com/video/msaPV6D6Yuo/w-d-xo.html I've also written this tutorial up as a blogpost: walian.co.uk/install-cockpit-and-pi-hole-on-your-raspberry-pi.html Very straightforward tutorial. I really hope you enjoy.
How to use your PGP key for SSH authentication
851 views, a year ago
A walk through on how to create an OpenPGP keypair with an Authentication subkey, to allow you to login to your servers over SSH. Add to your ~/.bashrc or ~/.zshrc file:
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
And add this to your ~/.ssh/config file:
Match host * exec "gpg-connect-agent UPDATESTARTUPT...
Install Secure Boot on Arch Linux (the easy way)
20K views, a year ago
Straightforward method to set up Secure Boot on Arch Linux. Hooks into pacman to automatically keep your kernel and boot loader signed. Uses sbctl and systemd-boot to protect (perhaps lol) your machine from everyone except Microsoft...
Encrypt your DNS requests using DNS-over-TLS in Linux
1.7K views, a year ago
Quick, easy, and dirty way to encrypt your DNS requests in Arch Linux. This method protects the entire operating system, not just the browser. Uses systemd-resolved, and should work on any Linux install that uses systemd as the init.
STEPS
1- edit /etc/systemd/resolved.conf and add DNS resolvers, and uncomment the DNSoverTLS entry, changing "no" to "yes"
2- backup, then delete your old /etc/res...
Arch Linux Install 2023 ULTRA Fast Method
4.3K views, a year ago
This is my first video, so naturally, it had to be an Arch install. We don't use no stinking archinstall script on this ship. Any feedback welcome in the comments, but be gentle with me. :) Arch Linux install, using Unified Kernel Images, Discoverable Partitions, Encrypted Root, topped with a KDE Plasma desktop. Pretty foolproof, just follow along, if you tried it, let me know in the comments ...
Well, your audio is of a poor quality, even at 140% I can't hear you well. Another thing is that you are using a virtual machine. And anything that you do in a virtual machine is not the same as bare metal
Hi @Walian, is there a reason why you didnt specify /boot in the beginning, only EFI and the encrypted LUKS?
This video is a life saver
Very cool! Hope to try this out soon.
forgot the fstab at the first reboot
Would this work with a Win 10 dual boot?
Thank you man! <3 Everything works!
Thats useless...
#default_config="/etc/mkinitcpio.conf" default_image="/boot/initramfs-linux.img" #default_uki="/efi/EFI/Linux/arch-linux.efi" #default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp" i cant add :((
Thank you so much, it worked
Love this! Do you know if this works with Plymouth as well instead of the splash you have there?
i use MX Linux, is there a way to enable DoT without systemd?
Great video, thanks for sharing!
your blogpost brings an error Invalid SSL certificate Error code 526
yup, and i used its archive from the wayback machine for now.
This is awesome, thank you!
Such an amazing tutorial, this work so well! I only wonder how I end up not having to configure my fstab, and the Arch bootsplash without plymouth? What kind of sorcery is this? Anyway, it's perfect, thanks a lot!
Whenever I try to use systemd boot I need to manually specify root in kernel parameters, if you are having trouble booting this could be your issue.
I don't know how I'd not seen this video till now... This just demonstrated all the things I've been wanting of my arch install.
F legend! The one tutorial that works. Working on my gigabyte b360 and intel cpu.
And linux boot manager only gets me to windows 11
I just bricked my system by omitting -m. What do I do?
Disable Secure Boot in BIOS
can a cryptenrol password be added to the script for not prompting password for decrypting?
My laptop has pre-installed windows. Doing this won't affect it right?
same question here
Hi I'm getting failed to parse pem block when try to enroll keys or reset
why do you only have 300 subs
that was very helpful. thank you!
Don't forget to enroll efi image (/efi/EFI/BOOT/BOOTX64.EFI) on your bios settings right after rebooting from signing .efi files. I dunno if this just went right over my head or what but I was stumped for an entire week wondering why secure boot wouldn't work :P
will it work if i use dual boot
Have u tried it?
Little disclaimer about security with dracut and tpm as the tpm happily tells you the key in the rescue shell
How does that work?
@@Sylveowonium I make it very short but there are articles out there I read which are super detailed (don't have them by hand anymore) Basically you drop into the dracut shell and then your machine is already trusted to the TPM you can then tell the TPM to give you the key back. It looked more intermediate than advanced. I'd say everyone who ever installed arch the hard way is capable of doing that if he has the documentation for that. That doesn't mean it's useless. It's definitely much harder than booting Ubuntu do a chroot and have access to all data but in the end you can do that afterwards with one extra step. I guess 0.0001% of the people are capable of which already prevents you from some people .. In the end everything is better than nothing if unsupervised unlock is your only option go for it. TPM Harddisk encryption imo is just for homelabs I don't see any other use case for that anyway
@@elalemanpaisa I may as well live with inputting two passwords since I already have secure boot as is installed and don't want any extra bloat to go alongside it if it's just spilling the beans to glowfriends anyhow
@@Sylveowonium spilling the beans is the same like we say in Europe with the analogy to "tea"? 🤣
@@elalemanpaisa i forgot this is a uk channel lmao i just reconfigure everything to my part of the US
im getting "/efi/EFI/Linux/arch-linux.efi does not exist" error..
did you run "cat /etc/mkinitcpio.d/linux.preset" and then read the "default_uki" line?, maybe the cat output from the video is the same for you too, but it still doesn't work ig. Then there's something special about your bootloader setup, exploring your boot or efi dirs and researching more about these files could help, but that's about all I know, sry.
Check what files need to be signed for secure boot to work: # sbctl verify
@@giulioluizvalcanaia It says failed to fine EFI partition
@@Habibaadil-fp3iq I have the same problem. Did you manage to solve it? How?
Use the other one 4:02 i encountered same error so i used /boot/vmlinuz-linux and everything worked out for me
Bruh... Thank you so much for this !!!
Thanks for making this video working with Kali Linux but I can't get windows 11 on boot menu.
Tysm ❤
after I type bootctl install it says mount point /boot which backs the random seed file is world accessible, which is a security hole and random seed file '/boot/loader/random-seed is world accessible which is a security hole
because it has wrong file permissions. If you just `sudo mount "efi part" "mount loc"` the default file permission will be set to "root" and has "0777" file and folder permission. You need to use `sudo mount -o fmask=0137,dmask=0027 "efi part" "mount loc"` so files will be set to "0640" and folders set to "0750" which will be sufficient permissions.
@@thelazt16 thank you
Bro which command to run vmlinuz one or default uki one i am confused as one guy here said his pc died after this command , when j boot through refind i see vmlinuz there for my arch linux it means i use the vmlinuz one?
Final word on MSI motherboard. They've made it pretty difficult to actually get into Secure Boot. While I thought I was actually in Secure Boot previously, when I set 'Maximum Security', I was unable to boot into Arch Linux. I rechecked available information on the net and am now booting into Arch with Secure Boot and TPM2 integration. One question though - after the Arch Linux boot splash screen, I get the following error message on the screen - [FAILED] Failed to start Virtual Console Setup - which is printed three times. Does anyone know how to resolve this issue? I triple-checked the files I created while following Walian's instructions, but they are all good. It still boots into Arch Linux, so my assumption is that everything is good. I appreciate any and all responses.
I might be missing something, but doesn't adding -m option to sbctl create a vector for an evil maid attack? that is, if an attacker gains access to the hard drive, he can add a windows bootloader, boot windows, and request tpm to give him a luks unlock key?
Secure Boot wouldn't allow that
@@jayzed2000 could you please elaborate?
@@0xoRial yeah so the secure boot is in custom/setup mode so you can delete the deployed keys and replace them with your own. That way if you tried to boot Windows there you couldn't, because of the secure boot keys. You'd need to hack into the UEFI (assuming it's password protected), then re-add the Windows secure boot keys, then make the attack. Feasible theoretically but maybe not practically. Hope this helped
Thank you! I'll use it in my packer to complete the template install.
Walian, thanks for this guide. I got everything set up on a notebook computer, but as it doesn't have TPM, at least I was able to get Secure Boot done. I also have a midtower I built, with an MSI MEG X570 Unify motherboard. I was having some issues with Setup Mode, then thought to update the BIOS, and voila! I didn't have to create the keys or anything. sbctl indicates that Secure Boot is enabled, with the Microsoft keys, so I'm good to go. Thanks again for your guide on this.
Addendum: Apparently MSI motherboards have a slightly quirky behavior with respect to Secure Boot. While it indicates that Secure Boot is enabled and Microsoft keys are available, it's not really the case. I tried to install Win11 in a KVM as a test, but was unsuccessful. In BIOS, when I set Maximum Protection, I was met with the screen stating that Secure Boot was not set - the keys had not been signed. I've already put the encryption keys in my TPM - I'm hopeful that I can simply turn off Secure Boot, create the keys, then get back in with no issues. Mind you, this is only for MSI boards.
@@HawaiiMacAddict Were you able get back in? im currently dealing with the same thing, with an MSI MAG X670e tomahawk.
Do NOT follow this guide if you're not sure what you're doing.
Why
Ideal setup fr But I have some questions 1. Is it possible to have a separate /home partition independently from the linuxroot? Ideally encrypted as well 2. Is it possible to have the secure boot and uki kernel with the zen/lts kernel? 3. Are plymouth boot animations possible? lol
are you doing this on qemu?
Yessir
Great vid. One thing, don't endorse doing partial updates with pacman -Sy sbctl.
Could you expand on the partial updates part? Doesn't -Sy just mean "install one package"?
bro, I'm begging you, help to do it with two disks, I'm so depressed trying it on my own, I can't do it
Can you elaborate "on two disks" please? What are you trying to do, exactly?
Failed to start Switch Root.🤷♂️
I’m getting a file is immutable. I clear the secure boot keys and put it in setup mode. Edit: sbctl verify | sed 's/✗ /sbctl sign -s /e' This command allowed me to sign my files and fix my error.
Well explained. For Debian family systems, you may still need to comment nameservers line in /etc/network/interfaces or some yaml file in /etc/netplan
What if I were to use archinstall and set the file system to be btrfs and enable LUKS encryption during setup? Would it perform the same steps done prior to chrooting?
Good video. Big thanks! I use and like Manjaro :)
for me decrypting the disk takes long (2 minutes) any idea why? I tried a shorter password already