Full Disk Encryption: Difference between revisions
fixing small issue in boot config, canTouchEfiVariables is under efi |
|||
| (5 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
There are a few options for full disk encryption. | There are a few options for full disk encryption. The easiest way is to use the graphical installer and choose „encrypt“ while doing the installation. | ||
= Enter password on Boot (LVM on LUKS) = | = Enter password on Boot (LVM on LUKS) = | ||
| Line 49: | Line 49: | ||
dd if=/dev/random of=hdd.key bs=4096 count=1 | dd if=/dev/random of=hdd.key bs=4096 count=1 | ||
cryptsetup luksAddKey /dev/sda1 ./hdd.key | cryptsetup luksAddKey /dev/sda1 ./hdd.key | ||
</syntaxhighlight> | </syntaxhighlight>You can enable fallback to password (in case the USB stick is lost or corrupted) by setting the <code>boot.initrd.luks.devices.<name>.fallbackToPassword</code> option to <code>true</code>. By default, this option is <code>false</code> so you will have to perform a manual recovery if the USB stick becomes unavailable (which you may prefer, depending on your use case). | ||
== Option 1: Write key onto the start of the stick == | == Option 1: Write key onto the start of the stick == | ||
This will make the usb-stick unusable for any other operations than being used for decryption. Write | This will make the usb-stick unusable for any other operations than being used for decryption. Write the key onto the stick: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
| Line 73: | Line 74: | ||
# pinning to /dev/disk/by-id/usbkey works | # pinning to /dev/disk/by-id/usbkey works | ||
keyFile = "/dev/sdb"; | keyFile = "/dev/sdb"; | ||
# optionally enable fallback to password in case USB is lost | |||
fallbackToPassword = true; | |||
}; | }; | ||
}; | }; | ||
| Line 103: | Line 106: | ||
preLVM = false; # If this is true the decryption is attempted before the postDeviceCommands can run | preLVM = false; # If this is true the decryption is attempted before the postDeviceCommands can run | ||
}; | }; | ||
} | |||
</syntaxhighlight> | |||
= Unattended Boot via keyfile = | |||
A simpler but insecure option for unattended boots is to copy the keyfile into the initrd itself. | |||
{{warning|1=This method is not generally recommended as anyone with physical access to your boot partition will be able to retrieve the key file and use it to decrypt your luks partition. Make sure you understand the security implications.}} | |||
First move the key to a safe location. | |||
<syntaxhighlight lang="bash"> | |||
mkdir /var/lib/secrets | |||
chown root:root /var/lib/secrets | |||
chmod 700 /var/lib/secrets | |||
mv -v hdd.key /var/lib/secrets/ | |||
chmod 600 /var/lib/secrets/hdd.key | |||
</syntaxhighlight> | |||
Then add the key to the initrd. | |||
<syntaxhighlight lang="nix"> | |||
let | |||
keyFile = "hdd.key"; | |||
in | |||
{ | |||
boot.initrd.luks.devices."root" = { | |||
device = "/dev/disk/by-uuid/<uuid>"; | |||
keyFile = "/${keyFile}"; | |||
}; | |||
boot.initrd.secrets = { "/${keyFile}" = /var/lib/secrets/${keyFile}; }; | |||
} | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 244: | Line 276: | ||
* [[Remote disk unlocking|Using Tor and SSH to unlock your LUKS Disk over the internet]]. | * [[Remote disk unlocking|Using Tor and SSH to unlock your LUKS Disk over the internet]]. | ||
* [[Bcachefs]], filesystem which supports native encryption | * [[Bcachefs]], filesystem which supports native encryption | ||
[[Category:Desktop]] | |||
[[Category:Server]] | |||