Full Disk Encryption: Difference between revisions
imported>DVcWmsbFziLBuYvvtHcy use proper highlighting syntax, remove outdated nix syntax warning, random instead urandom |
m The easiest way is to use the graphical installer and choose „encrypt“ while doing the installation. |
||
(7 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
There are a few options for full disk encryption. | There are a few options for full disk encryption. The easiest way is to use the graphical installer and choose „encrypt“ while doing the installation. | ||
= | = Enter password on Boot (LVM on LUKS) = | ||
In this example, everything except for the <code>/boot</code> partition is encrypted. | |||
This includes the root and swap partitions. | |||
A password must be entered during boot to unlock the encrypted filesystems. | |||
The main drive (here the <code>sda</code> block device) will need two partitions: | |||
# An unencrypted <code>/boot</code> partition (EFI system partition) formatted as FAT. | |||
# A LUKS-encrypted logical volume group for everything else (swap and <code>/</code>). | |||
When unlocked and mounted, it will look like this: | |||
<syntaxhighlight lang="text"> | |||
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT | |||
sda 8:0 0 233.8G 0 disk | |||
├─sda1 8:1 0 500M 0 part /boot | |||
└─sda2 8:2 0 233.3G 0 part | |||
└─root 254:0 0 233.3G 0 crypt | |||
├─vg-swap 254:1 0 8G 0 lvm [SWAP] | |||
└─vg-root 254:2 0 225.3G 0 lvm / | |||
</syntaxhighlight> | |||
The initrd needs to be configured to unlock the encrypted <code>/dev/sda2</code> partition during stage 1 of the boot process. | |||
To do this, add the following options (replacing <code>UUID-OF-SDA2</code> with the actual UUID of the encrypted partition <code>/dev/sda2</code>. -- You can find it using <code>lsblk -f</code> or <code>sudo blkid -s UUID /dev/sda2</code>.) | |||
<syntaxhighlight lang="nix"> | |||
boot = { | |||
loader = { | |||
efi.canTouchEfiVariables = true; | |||
grub = { | |||
enable = true; | |||
device = "nodev"; | |||
efiSupport = true; | |||
}; | |||
}; | |||
initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2"; | |||
}; | |||
</syntaxhighlight> | |||
With <code lang="nix">initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";</code>, the initrd knows it must unlock <code>/dev/sda2</code> before activating LVM and proceeding with the boot process. | |||
= Unattended Boot via USB = | = Unattended Boot via USB = | ||
Line 67: | Line 106: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
= zimbatm's laptop recommendation = | = zimbatm's laptop recommendation = | ||
Line 119: | Line 122: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
# format the | # format the partition with the luks structure | ||
cryptsetup luksFormat /dev/sda4 | cryptsetup luksFormat /dev/sda4 | ||
# open the encrypted partition and map it to /dev/mapper/cryptroot | # open the encrypted partition and map it to /dev/mapper/cryptroot | ||
Line 177: | Line 180: | ||
} | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
= Unlocking secondary drives = | |||
Consider the following example: a secondary hard disk <code>/dev/sdb</code> is to be LUKS-encrypted and unlocked during boot, in addition to <code>/dev/sda</code>. | |||
Encrypt the drive and create the filesystem on it (LVM is used in this example): | |||
<syntaxhighlight lang="bash"> | |||
cryptsetup luksFormat --label CRYPTSTORAGE /dev/sdb | |||
cryptsetup open /dev/sdb cryptstorage | |||
pvcreate /dev/mapper/cryptstorage | |||
vgcreate vg-storage /dev/mapper/cryptstorage | |||
lvcreate -l 100%FREE -n storage vg-storage | |||
mkfs.ext4 -L STORAGE /dev/vg-storage/storage | |||
</syntaxhighlight> | |||
To unlock this device on boot in addition to the encrypted root filesystem, there are two options: | |||
=== Option 1: Unlock before boot using a password === | |||
Set the following in <code>configuration.nix</code> (replacing <code>UUID-OF-SDB</code> with the actual UUID of <code>/dev/sdb</code>): | |||
<syntaxhighlight lang="nix"> | |||
{ | |||
boot.initrd.luks.devices.cryptstorage.device = "/dev/disk/by-uuid/UUID-OF-SDB"; | |||
} | |||
</syntaxhighlight> | |||
During boot, a password prompt for the second drive will be displayed. Passwords previously entered are tried automatically to also unlock the second drive. This means that if you use the same passwords to encrypt both your main and secondary drives, you will only have to enter it once to unlock both. | |||
The decrypted drive will be unlocked and made available under <code>/dev/mapper/cryptstorage</code> for mounting. | |||
One annoyance with this approach is that reusing entered passwords only happens on the initial attempt. If you mistype the password for your main drive on the first try, you will now have to re-enter it twice, once for the main drive and again for the second drive, even if the passwords are the same. | |||
=== Option 2: Unlock after boot using crypttab and a keyfile === | |||
Alternatively, you can create a keyfile stored on your root partition to unlock the second drive just before booting completes. This can be done using the <code>/etc/crypttab</code> file (see manpage <code>crypttab(5)</code>). | |||
First, create a keyfile for your secondary drive, store it safely and add it as a LUKS key: | |||
<syntaxhighlight lang="bash"> | |||
dd bs=512 count=4 if=/dev/random of=/root/mykeyfile.key iflag=fullblock | |||
chmod 400 /root/mykeyfile.key | |||
cryptsetup luksAddKey /dev/sdb /root/mykeyfile.key | |||
</syntaxhighlight> | |||
Next, create <code>/etc/crypttab</code> in <code>configuration.nix</code> using the following option (replacing <code>UUID-OF-SDB</code> with the actual UUID of <code>/dev/sdb</code>): | |||
<syntaxhighlight lang="nix"> | |||
{ | |||
environment.etc.crypttab.text = '' | |||
cryptstorage UUID=UUID-OF-SDB /root/mykeyfile.key | |||
'' | |||
} | |||
</syntaxhighlight> | |||
With this approach, the secondary drive is unlocked just before the boot process completes, without the need to enter its password. | |||
Again, the secondary drive will be unlocked and made available under <code>/dev/mapper/cryptstorage</code> for mounting. | |||
= Further reading = | = Further reading = | ||
Line 185: | Line 242: | ||
* Have a look at https://wiki.archlinux.org/index.php/Disk_encryption to see all the possible options. This wiki page is not complete. | * Have a look at https://wiki.archlinux.org/index.php/Disk_encryption to see all the possible options. This wiki page is not complete. | ||
* [https://gist.github.com/ladinu/bfebdd90a5afd45dec811296016b2a3f Installation with encrypted /boot] | * [https://gist.github.com/ladinu/bfebdd90a5afd45dec811296016b2a3f Installation with encrypted /boot] | ||
* [[Remote | * [[Remote disk unlocking|Using Tor and SSH to unlock your LUKS Disk over the internet]]. | ||
* [[Bcachefs]], filesystem which supports native encryption | |||
[[Category:Desktop]] | |||
[[Category:Server]] |