Nextcloud on Arch Linux (Encrypted System) [Part 01 - Preparation]

 In this series of posts I'm going to outline the process I used to create my own Nextcloud server. 

Network Setup

First step is to prepare my network. I'm planning to host this at home. Due to obvious security concerns I don't want to host this on my home network. I used pfSense to achieve what I want. The pfSense setup is outside the scope of this post. If you do need help or are curious about setting up pfSense, let me know. Given below is an overview diagram of my network.


The basic firewall rules in this network are

  • Server can't talk to the switch. 
  • Server can't talk to the pfSense router interface.
  • Server interface has Suricata IDS/IPS running. 

Drive Preparation and Encryption


Secure erase the drive. 

Note: The drive I used was an old HDD. What I didn't notice was that the partition table was of type DOS. Had to change that to GPT and repeat this process in order for it to work.

I'm going to use a 250GB HDD for my installation (not an SSD). First step is to secure erase the drive. (ref)
  • Use `lsblk` to identify the drive 
  • Create a temporary container across the whole drive using `cryptsetup open --type plain -d /dev/random /dev/sda wipe`
  • Wipe the container with zeroes using `dd if=/dev/zero of=/dev/mapper/wipe status=progress bs=1M`. According to the dm-crypt documentation, the use of `if=/dev/urandom` is not required as the encryption cipher is used for randomness.
  • Close the temporary container using `cryptsetup close wipe`
  • Reboot and confirm that the drive is now empty and all the previous partitions are gone.

Create efi boot and LUKS encrypted root partition

Now that the partition table of the drive is empty, I first created 2 partitions for the efi boot (512MB) and root (50GB). The efi boot partition's type was set to "ef" (step by step shown in the video). The boot partition is the only partition that won't be encrypted in this system. USB and other boot options will be disabled in the BIOS, which will be password protected. This will prevent bootable media attacks.

  • Since the efi boot partition won't be encrypted it can be directly formatted by using `mkfs.fat -F32 /dev/sda1`
  • Then I created the LUKS encrypted partition inside the previously created root partition using `cryptsetup -y -v luksFormat /dev/sda2`. 
  • The newly created encrypted root needs to be opened and formatted. The passphrase is needed for this operation. Afterwards it can be mounted.
    • Open: `cryptsetup open /dev/sda2 cryptroot`
    • Format: `mkfs.ext4 /dev/mapper/cryptroot`
    • Mount: `mount /dev/mapper/cryptroot /mnt`
  • Now I'm going to unmount and close the encrypted root and use it during the OS install.
    • Unmount: `umount /mnt`
    • Close: `cryptsetup close cryptroot`
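
Both the post-wipe check ("the drive is now empty", plus the DOS versus GPT note) and the LUKS step can be confirmed by reading the first sectors of the device. The script below is an added example, not part of the original post; the function names, the constructed sample images and the 512-byte sector size are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): read-only check of what sits at
# the start of a disk, partition or image file.
# Assumption: 512-byte logical sectors, so the GPT header is at byte 512.

# hex_at FILE OFFSET COUNT -> COUNT bytes as a lowercase hex string
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# classify FILE -> luks1 | luks2 | luks-unknown | gpt | dos | zeroed | no-signature
classify() {
    if [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ]; then          # "LUKS" 0xBA 0xBE
        case "$(hex_at "$1" 6 2)" in                             # big-endian version
            0001) echo luks1 ;;
            0002) echo luks2 ;;
            *)    echo luks-unknown ;;
        esac
    # A GPT disk also carries a protective MBR, so test for GPT before DOS.
    elif [ "$(hex_at "$1" 512 8)" = "4546492050415254" ]; then   # "EFI PART"
        echo gpt
    elif [ "$(hex_at "$1" 510 2)" = "55aa" ]; then               # MBR boot signature
        echo dos
    # Zeros written through the plain dm-crypt mapping land on disk as
    # ciphertext; raw zeros here mean the wipe did not go through the mapping.
    elif [ "$(dd if="$1" bs=512 count=8 2>/dev/null | tr -d '\000' | wc -c)" -eq 0 ]; then
        echo zeroed
    else
        echo no-signature
    fi
}

# make_samples DIR: constructed 4 KiB images standing in for real devices
make_samples() {
    for n in zeroed dos gpt luks2; do
        dd if=/dev/zero of="$1/$n.img" bs=512 count=8 2>/dev/null
    done
    printf '\125\252' | dd of="$1/dos.img" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1/gpt.img" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'EFI PART' | dd of="$1/gpt.img" bs=1 seek=512 conv=notrunc 2>/dev/null
    printf 'LUKS\272\276\000\002' | dd of="$1/luks2.img" conv=notrunc 2>/dev/null
    # Constant non-zero filler as a deterministic stand-in for ciphertext.
    dd if=/dev/zero bs=512 count=8 2>/dev/null | tr '\000' '\245' > "$1/wiped.img"
}

# Usage: sh classify.sh /dev/sda2   (read-only; needs root for real devices)
if [ "$#" -gt 0 ]; then classify "$1"; fi
```

After the wipe `/dev/sda` should report `no-signature`, and after `luksFormat` `/dev/sda2` should report `luks1` or `luks2`; on truly random data the 2-byte MBR signature check can match by chance about once in 65536 reads.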

Next Steps

  • Installing the OS
  • Setting up Dropbear so the encrypted root can be unlocked headless
  • Setting up encrypted data partitions
  • Configuring Nextcloud
Stay tuned...
