Full Disk Encryption: Difference between revisions

Move unlock KWallet with LUKS password section to KDE page
 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
There are a few options for full disk encryption. The easiest way is to use the graphical installer and choose „encrypt“ while doing the installation.
There are a few options for full disk encryption. The easiest way is to use the graphical installer and choose "encrypt" while doing the installation.


= LVM on LUKS =
= LVM on LUKS =
Line 46: Line 46:
== Unattended Boot via USB ==
== Unattended Boot via USB ==


Sometimes it is necessary to boot a system without needing an keyboard and monitor. You will create a secret key, add it to a key slot and put it onto an USB stick.
Sometimes it is necessary to boot a system without needing a keyboard and monitor. You will create a secret key, add it to a key slot and put it onto a USB stick.


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
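Review bot: the reworded sentence in this hunk ("You will create a secret key, add it to a key slot and put it onto a USB stick") should state the trust consequence: the file on the stick is a plaintext LUKS key, so possession of the stick unlocks the disk with no passphrase at all, and the stick must therefore not stay with the machine while it is unattended. Suggest adding one sentence to that effect and naming the enrolment step (`cryptsetup luksAddKey`) so readers know how the key slot gets added.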
Line 55: Line 55:
=== Option 1: Write key onto the start of the stick ===
=== Option 1: Write key onto the start of the stick ===


This will make the usb-stick unusable for any other operations than being used for decryption. Write the key onto the stick:
This will make the USB stick unusable for any other operations than being used for decryption. Write the key onto the stick:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
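Review bot: "This will make the USB stick unusable for any other operations than being used for decryption" understates what the write does: putting the key at the start of the device overwrites whatever is there, partition table included, so the sentence should warn that existing data on the stick is destroyed and that the stick must be dedicated to this purpose before the write. The wording change itself (usb-stick to USB stick) is fine.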
Line 82: Line 82:
}</syntaxhighlight>
}</syntaxhighlight>


=== Option 2: Copy Key as file onto a vfat usb stick ===
=== Option 2: Copy Key as file onto a vfat USB stick ===


If you want to use your stick for other stuff or it already has other keys on it you can use the following method by Tzanko Matev. Add this to your <code>configuration.nix</code>:
If you want to use your stick for other stuff or it already has other keys on it you can use the following method by Tzanko Matev. Add this to your <code>configuration.nix</code>:
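Review bot: "the following method by Tzanko Matev" is an attribution without a reference; add a link to the original post or repository so readers can verify it and pick up later fixes. Also, this option places the key file on an unencrypted vfat filesystem on a stick explicitly intended for "other stuff", so the paragraph should say that every machine the stick is plugged into can read the key and that the stick should be handled like the passphrase itself.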
Line 100: Line 100:
   boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
   boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
     mkdir -m 0755 -p /key
     mkdir -m 0755 -p /key
     sleep 2 # To make sure the usb key has been loaded
     sleep 2 # To make sure the USB key has been loaded
     mount -n -t vfat -o ro `findfs UUID=${PRIMARYUSBID}` /key || mount -n -t vfat -o ro `findfs UUID=${BACKUPUSBID}` /key
     mount -n -t vfat -o ro `findfs UUID=${PRIMARYUSBID}` /key || mount -n -t vfat -o ro `findfs UUID=${BACKUPUSBID}` /key
   '';
   '';
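Review bot: `sleep 2 # To make sure the USB key has been loaded` is a fixed delay rather than a wait for the device: on slow USB enumeration `findfs` returns nothing, the `mount ... || mount ...` line fails, and since nothing checks the result the boot continues without /key. Suggest replacing the sleep with a bounded retry, e.g. `for i in 1 2 3 4 5; do findfs UUID=${PRIMARYUSBID} && break; sleep 1; done`, and confirming that the later key lookup falls back to the passphrase prompt when neither stick is present. The backtick command substitutions would also read better as `$(findfs ...)`.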
Line 140: Line 140:
</syntaxhighlight>
</syntaxhighlight>


== Store key on TPM2 or FIDO2 ==
== Store key on FIDO2 device or TPM ==
Unattended boot can also happen with TPM2 or FIDO2. This cannot be performed in a fully declarative way because every such security device is unique; some manual running of <code>systemd-cryptenroll</code> is required.
Unattended boot can also happen with a FIDO2 device (e.g. Yubikey) or TPM. This cannot be performed in a fully declarative way because every such security device is unique; some manual running of <code>systemd-cryptenroll</code> is required.


For FIDO2, directly read the [https://github.com/NixOS/nixpkgs/blob/7be68f763d94cdb4c809b7980647828e3274a511/nixos/doc/manual/configuration/luks-file-systems.section.md chapter in the official manual].
For FIDO2, directly read the [https://github.com/NixOS/nixpkgs/blob/7be68f763d94cdb4c809b7980647828e3274a511/nixos/doc/manual/configuration/luks-file-systems.section.md chapter in the official manual].
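Review bot: the heading and sentence in this hunk change "TPM2" to "TPM", but systemd-cryptenroll only supports TPM 2.0 (its option is `--tpm2-device`) and the link text changed later in this same revision still reads "TPM2"; keep "TPM2" for accuracy and consistency. The paragraph should also say that a TPM-held key only protects the disk when enrolment binds it to PCRs that reflect the boot chain (`--tpm2-pcrs`, optionally with `--tpm2-with-pin`); with no PCR policy and no PIN, anyone who powers on the machine gets the disk unlocked, which is a different threat model from the USB-stick options above. The manual link is pinned to one nixpkgs commit and will go stale; consider linking the rendered manual section instead.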
Line 287: Line 287:
* [[Remote disk unlocking|Using Tor and SSH to unlock your LUKS Disk over the internet]].
* [[Remote disk unlocking|Using Tor and SSH to unlock your LUKS Disk over the internet]].
* [[Bcachefs]], filesystem which supports native encryption
* [[Bcachefs]], filesystem which supports native encryption
* [https://discourse.nixos.org/t/full-disk-encryption-tpm2/29454/2 Automatically unlock encrypted disks using tpm2]
* [https://discourse.nixos.org/t/full-disk-encryption-tpm2/29454/2 Automatically unlock encrypted disks using TPM2]
 


[[Category:Desktop]]
[[Category:Desktop]]
[[Category:Server]]
[[Category:Server]]