Full Disk Encryption: Difference between revisions

(11 intermediate revisions by 7 users not shown)

Line 1:

There are a few options for full disk encryption. The easiest way is to use the graphical installer and choose ~~„encrypt“~~ while doing the installation.

There are a few options for full disk encryption. The easiest way is to use the graphical installer and choose "encrypt" while doing the installation.

= ~~Enter password on Boot (~~LVM on LUKS) =

= LVM on LUKS =

In this example, everything except for the <code>/boot</code> partition is encrypted.

Line 22:

└─vg-root 254:2 0 225.3G 0 lvm /

</syntaxhighlight>

== Enter password on Boot ==

The initrd needs to be configured to unlock the encrypted <code>/dev/sda2</code> partition during stage 1 of the boot process.

Line 42:

Line 44:

With <code lang="nix">initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";</code>, the initrd knows it must unlock <code>/dev/sda2</code> before activating LVM and proceeding with the boot process.

= Unattended Boot via USB =

== Unattended Boot via USB ==

Sometimes it is necessary to boot a system without needing an keyboard and monitor. You will create a secret key, add it to a key slot and put it onto an USB stick.

Sometimes it is necessary to boot a system without needing a keyboard and monitor. You will create a secret key, add it to a key slot and put it onto a USB stick.

Line 51:

Line 53:

</syntaxhighlight>You can enable fallback to password (in case the USB stick is lost or corrupted) by setting the <code>boot.initrd.luks.devices.<name>.fallbackToPassword</code> option to <code>true</code>. By default, this option is <code>false</code> so you will have to perform a manual recovery if the USB stick becomes unavailable (which you may prefer, depending on your use case).

== Option 1: Write key onto the start of the stick ==

=== Option 1: Write key onto the start of the stick ===

This will make the ~~usb-~~stick unusable for any other operations than being used for decryption. Write the key onto the stick:

This will make the USB stick unusable for any other operations than being used for decryption. Write the key onto the stick:

Line 80:

Line 82:

}</syntaxhighlight>

== Option 2: Copy Key as file onto a vfat ~~usb~~ stick ==

=== Option 2: Copy Key as file onto a vfat USB stick ===

If you want to use your stick for other stuff or it already has other keys on it you can use the following method by Tzanko Matev. Add this to your <code>configuration.nix</code>:

Line 98:

Line 100:

boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''

mkdir -m 0755 -p /key

sleep 2 # To make sure the ~~usb~~ key has been loaded

sleep 2 # To make sure the USB key has been loaded

mount -n -t vfat -o ro `findfs UUID=${PRIMARYUSBID}` /key || mount -n -t vfat -o ro `findfs UUID=${BACKUPUSBID}` /key

'';

Line 109:

Line 111:

</syntaxhighlight>

= Unattended Boot via keyfile =

== Unattended Boot via keyfile ==

A simpler but insecure option for unattended boots is to copy the keyfile into the initrd itself.

~~Warning:~~ This method is not generally recommended as anyone with physical access to your boot partition will be able to retrieve the key file and use it to decrypt your luks partition. Make sure you understand the security implications.

{{warning|1=This method is not generally recommended as anyone with physical access to your boot partition will be able to retrieve the key file and use it to decrypt your luks partition. Make sure you understand the security implications.}}

First move the key to a safe location.

Line 137:

Line 139:

}

</syntaxhighlight>

== Store key on FIDO2 device or TPM ==

Unattended boot can also happen with a FIDO2 device (e.g. Yubikey) or TPM. This cannot be performed in a fully declarative way because every such security device is unique; some manual running of <code>systemd-cryptenroll</code> is required.

For FIDO2, directly read the [https://github.com/NixOS/nixpkgs/blob/7be68f763d94cdb4c809b7980647828e3274a511/nixos/doc/manual/configuration/luks-file-systems.section.md chapter in the official manual].

=== TPM2 ===

To store a key on the TPM2 module to unlock the device unattended, check if your <code>configuration.nix</code> has a line similar to the one below (with <code>YOUR-UUID</code> replaced with your device's actual UUID):

{{file|/etc/nixos/configuration.nix|nix|3=

boot.initrd.luks.devices."luks-YOUR-UUID".device = "/dev/disk/by-uuid/YOUR-UUID";

}}

Then this is the device we want to add the crypttab option to. If your configuration does not contain this line, then you can find it through this command:

nixos-option boot.initrd.luks.devices

</syntaxhighlight>

To unlock the device using TPM2, add the following to your configuration to enable systemd stage 1 and to add the tpm2 option to crypttab.

{{file|/etc/nixos/configuration.nix|nix|3=

boot.initrd.systemd.enable = true;

boot.initrd.luks.devices."luks-YOUR-UUID" = {

device = "/dev/disk/by-uuid/YOUR-UUID";

crypttabExtraOpts = [ "tpm2-device=auto" ];

};

}}

Rebuild and reboot before running the following command:

sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0 /dev/disk/by-uuid/YOUR-UUID

</syntaxhighlight>

Now the device should unlock without prompting you for the password. After this is working, you can run the above command again and add more PCRs such as <code>--tpm2-pcrs=0+7</code> if your system uses [[Secure Boot]]. A good set of options is <code>--tpm2-pcrs=0+2+7+12</code> and you can find all of them documented at the [https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/ Linux TPM PCR Registry].

Because the TPM is attached to your computer, it provides no protection against a stolen computer when used on its own (it usually allows for setting a password, but that is it). It can only protect against a stolen drive.

= zimbatm's laptop recommendation =

Line 257:

Line 295:

{

environment.etc.crypttab.text = ''

cryptstorage UUID=UUID-OF-SDB /root/mykeyfile.key

''

'';

}

</syntaxhighlight>

Line 276:

Line 314:

* [[Remote disk unlocking|Using Tor and SSH to unlock your LUKS Disk over the internet]].

* [[Bcachefs]], filesystem which supports native encryption

* [https://discourse.nixos.org/t/full-disk-encryption-tpm2/29454/2 Automatically unlock encrypted disks using TPM2]

[[Category:Desktop]]

[[Category:Server]]

@@ Line 1: / Line 1: @@
-There are a few options for full disk encryption. The easiest way is to use the graphical installer and choose „encrypt“ while doing the installation.
+There are a few options for full disk encryption. The easiest way is to use the graphical installer and choose "encrypt" while doing the installation.
-= Enter password on Boot (LVM on LUKS) =
+= LVM on LUKS =
 In this example, everything except for the <code>/boot</code> partition is encrypted.
@@ Line 22: / Line 22: @@
      └─vg-root 254:2    0 225.3G  0 lvm   /
 </syntaxhighlight>
+== Enter password on Boot ==
 The initrd needs to be configured to unlock the encrypted <code>/dev/sda2</code> partition during stage 1 of the boot process.
@@ Line 42: / Line 44: @@
 With <code lang="nix">initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";</code>, the initrd knows it must unlock <code>/dev/sda2</code> before activating LVM and proceeding with the boot process.
-= Unattended Boot via USB =
+== Unattended Boot via USB ==
-Sometimes it is necessary to boot a system without needing an keyboard and monitor. You will create a secret key, add it to a key slot and put it onto an USB stick.
+Sometimes it is necessary to boot a system without needing a keyboard and monitor. You will create a secret key, add it to a key slot and put it onto a USB stick.
 <syntaxhighlight lang="bash">
@@ Line 51: / Line 53: @@
 </syntaxhighlight>You can enable fallback to password (in case the USB stick is lost or corrupted) by setting the <code>boot.initrd.luks.devices.<name>.fallbackToPassword</code> option to <code>true</code>. By default, this option is <code>false</code> so you will have to perform a manual recovery if the USB stick becomes unavailable (which you may prefer, depending on your use case).
-== Option 1: Write key onto the start of the stick ==
+=== Option 1: Write key onto the start of the stick ===
-This will make the usb-stick unusable for any other operations than being used for decryption. Write the key onto the stick:
+This will make the USB stick unusable for any other operations than being used for decryption. Write the key onto the stick:
 <syntaxhighlight lang="bash">
@@ Line 80: / Line 82: @@
 }</syntaxhighlight>
-== Option 2: Copy Key as file onto a vfat usb stick ==
+=== Option 2: Copy Key as file onto a vfat USB stick ===
 If you want to use your stick for other stuff or it already has other keys on it you can use the following method by Tzanko Matev. Add this to your <code>configuration.nix</code>:
@@ Line 98: / Line 100: @@
    boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
      mkdir -m 0755 -p /key
-     sleep 2 # To make sure the usb key has been loaded
+     sleep 2 # To make sure the USB key has been loaded
      mount -n -t vfat -o ro `findfs UUID=${PRIMARYUSBID}` /key || mount -n -t vfat -o ro `findfs UUID=${BACKUPUSBID}` /key
    '';
@@ Line 109: / Line 111: @@
 </syntaxhighlight>
-= Unattended Boot via keyfile =
+== Unattended Boot via keyfile ==
 A simpler but insecure option for unattended boots is to copy the keyfile into the initrd itself.
-Warning: This method is not generally recommended as anyone with physical access to your boot partition will be able to retrieve the key file and use it to decrypt your luks partition. Make sure you understand the security implications.
+{{warning|1=This method is not generally recommended as anyone with physical access to your boot partition will be able to retrieve the key file and use it to decrypt your luks partition. Make sure you understand the security implications.}}
 First move the key to a safe location.
@@ Line 137: / Line 139: @@
 }
 </syntaxhighlight>
+== Store key on FIDO2 device or TPM ==
+Unattended boot can also happen with a FIDO2 device (e.g. Yubikey) or TPM. This cannot be performed in a fully declarative way because every such security device is unique; some manual running of <code>systemd-cryptenroll</code> is required.
+For FIDO2, directly read the [https://github.com/NixOS/nixpkgs/blob/7be68f763d94cdb4c809b7980647828e3274a511/nixos/doc/manual/configuration/luks-file-systems.section.md chapter in the official manual].
+=== TPM2 ===
+To store a key on the TPM2 module to unlock the device unattended, check if your <code>configuration.nix</code> has a line similar to the one below (with <code>YOUR-UUID</code> replaced with your device's actual UUID):
+{{file|/etc/nixos/configuration.nix|nix|3=
+boot.initrd.luks.devices."luks-YOUR-UUID".device = "/dev/disk/by-uuid/YOUR-UUID";
+}}
+Then this is the device we want to add the crypttab option to. If your configuration does not contain this line, then you can find it through this command:
+<syntaxhighlight lang="sh">
+nixos-option boot.initrd.luks.devices
+</syntaxhighlight>
+To unlock the device using TPM2, add the following to your configuration to enable systemd stage 1 and to add the tpm2 option to crypttab.
+{{file|/etc/nixos/configuration.nix|nix|3=
+boot.initrd.systemd.enable = true;
+boot.initrd.luks.devices."luks-YOUR-UUID" = {
+  device = "/dev/disk/by-uuid/YOUR-UUID";
+  crypttabExtraOpts = [ "tpm2-device=auto" ];
+};
+}}
+Rebuild and reboot before running the following command:
+<syntaxhighlight lang="sh">
+sudo systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0 /dev/disk/by-uuid/YOUR-UUID
+</syntaxhighlight>
+Now the device should unlock without prompting you for the password. After this is working, you can run the above command again and add more PCRs such as <code>--tpm2-pcrs=0+7</code> if your system uses [[Secure Boot]]. A good set of options is <code>--tpm2-pcrs=0+2+7+12</code> and you can find all of them documented at the [https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/ Linux TPM PCR Registry].
+Because the TPM is attached to your computer, it provides no protection against a stolen computer when used on its own (it usually allows for setting a password, but that is it). It can only protect against a stolen drive.
 = zimbatm's laptop recommendation =
@@ Line 257: / Line 295: @@
 <syntaxhighlight lang="nix">
 {
-   environment.etc.crypttab.text = ''
+  environment.etc.crypttab.text = ''
      cryptstorage UUID=UUID-OF-SDB /root/mykeyfile.key
-   ''
+   '';
 }
 </syntaxhighlight>
@@ Line 276: / Line 314: @@
 * [[Remote disk unlocking|Using Tor and SSH to unlock your LUKS Disk over the internet]].
 * [[Bcachefs]], filesystem which supports native encryption
+* [https://discourse.nixos.org/t/full-disk-encryption-tpm2/29454/2 Automatically unlock encrypted disks using TPM2]
 [[Category:Desktop]]
 [[Category:Server]]