Full Disk Encryption: Difference between revisions
Revision comparison. Previous revision (minor edit) summary: "The easiest way is to use the graphical installer and choose „encrypt“ while doing the installation." Current revision summary: "Add info about keyfile in initrd".

Line 103:
    preLVM = false; # If this is true the decryption is attempted before the postDeviceCommands can run
  };
}
</syntaxhighlight>
= Unattended Boot via keyfile =
A simpler but insecure option for unattended boots is to copy the keyfile into the initrd itself.
Warning: This method is not generally recommended. The initrd is stored on the unencrypted boot partition, so anyone who can read it (for example anyone with physical access to the disk) can extract the key file and unlock the LUKS partition without a passphrase; against an attacker who has the disk, the encryption then protects nothing. It is only a reasonable trade-off when the boot partition itself is not readable by an attacker. Make sure you understand the security implications.
First move the key to a root-only location outside the Nix store. The key must already be enrolled in a LUKS key slot (cryptsetup luksAddKey) for the device it is meant to unlock.
<syntaxhighlight lang="bash"> | |||
mkdir /var/lib/secrets | |||
chown root:root /var/lib/secrets | |||
chmod 700 /var/lib/secrets | |||
mv -v hdd.key /var/lib/secrets/ | |||
chmod 600 /var/lib/secrets/hdd.key | |||
</syntaxhighlight> | |||
Then tell NixOS to append the key to the initrd and to use it for unlocking the device. Give the source as a string rather than a Nix path literal: a path literal that is interpolated into a string is copied into the world-readable Nix store, which would leak the key to every local user.
<syntaxhighlight lang="nix">
let
  keyFile = "hdd.key";
in
{
  boot.initrd.luks.devices."root" = {
    device = "/dev/disk/by-uuid/<uuid>";
    # Path of the key inside the initrd, matching the boot.initrd.secrets entry below.
    keyFile = "/${keyFile}";
  };
  # Appended to the initrd by the bootloader installer (nixos-rebuild), not at build time.
  # A string value keeps the key out of the Nix store; a path literal would copy it there.
  boot.initrd.secrets = { "/${keyFile}" = "/var/lib/secrets/${keyFile}"; };
}
</syntaxhighlight>
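To make the warning above concrete, here is an added example (not code from the wiki page or from nixpkgs): a small Python scanner that reads an initrd as a sequence of concatenated newc cpio archives and lists every file that was appended under the `.initrd-secrets/` staging directory. It assumes that directory name, which is what NixOS's append-initrd-secrets script stages secrets in, and that the initrd is uncompressed or gzip-compressed; a zstd-compressed initrd (the NixOS default compressor) must be decompressed first, e.g. `zstd -dc <initrd> > initrd.cpio`. The sample initrd it builds when run without arguments is constructed in the script, with a made-up key.

```python
"""Scan a NixOS initrd for key material appended via boot.initrd.secrets.

Added example, not from the wiki page or nixpkgs. It shows that a key file
placed in the initrd is recoverable by anyone who can read the boot partition.
Assumptions: secrets live under ".initrd-secrets/" (the staging directory used
by NixOS's append-initrd-secrets) and the image is raw or gzip-compressed
(decompress zstd images with `zstd -dc` first).
"""
import gzip
import sys
from typing import Dict, Iterator, Tuple

NEWC_MAGIC = b"070701"
HEADER_LEN = 110            # 6-byte magic + 13 fields of 8 ASCII hex digits
SECRETS_DIR = ".initrd-secrets/"   # assumed staging directory name


def _align4(n: int) -> int:
    return (n + 3) & ~3


def newc_entry(name: str, data: bytes, mode: int = 0o100600) -> bytes:
    """Encode one entry as `cpio -o -H newc` would (used to build sample input)."""
    name_b = name.encode() + b"\0"
    fields = [1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    head = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name_b
    head += b"\0" * (_align4(len(head)) - len(head))          # header+name padded to 4
    return head + data + b"\0" * (_align4(len(data)) - len(data))  # data padded to 4


def build_cpio(files: Dict[str, bytes]) -> bytes:
    """A complete newc archive: entries followed by the TRAILER!!! record."""
    body = b"".join(newc_entry(n, d) for n, d in files.items())
    return body + newc_entry("TRAILER!!!", b"")


def iter_newc(stream: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (name, data) for every entry of one or more concatenated newc archives.

    Like the kernel's initramfs loader: zero bytes between archives are skipped,
    and a TRAILER!!! record only ends one archive, parsing continues after it.
    """
    off = 0
    while off < len(stream):
        if stream[off] == 0:                     # inter-archive padding
            off += 1
            continue
        if stream[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"not a newc cpio header at offset {off}")
        fields = [int(stream[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_start = off + HEADER_LEN
        name = stream[name_start:name_start + namesize - 1].decode()  # drop NUL
        data_start = _align4(name_start + namesize)
        data = stream[data_start:data_start + filesize]
        off = _align4(data_start + filesize)
        if name != "TRAILER!!!":
            yield name, data


def find_initrd_secrets(initrd: bytes, secrets_dir: str = SECRETS_DIR) -> Dict[str, bytes]:
    """Return {path-inside-initrd: contents} for every appended secret."""
    if initrd[:2] == b"\x1f\x8b":                # gzip magic; multi-member streams are fine
        initrd = gzip.decompress(initrd)
    found: Dict[str, bytes] = {}
    for name, data in iter_newc(initrd):
        rel = name[2:] if name.startswith("./") else name   # `find .` names start with ./
        if rel.startswith(secrets_dir):
            found["/" + rel[len(secrets_dir):]] = data
    return found


def build_sample_initrd(key: bytes) -> bytes:
    """Constructed stand-in for a real initrd: a main archive followed by the
    compressed secrets archive that append-initrd-secrets tacks on the end."""
    main = build_cpio({"./init": b"#!/bin/sh\necho hello\n", "./etc/fstab": b""})
    secrets = build_cpio({"./.initrd-secrets/hdd.key": key})
    return gzip.compress(main) + gzip.compress(secrets)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_initrd(b"constructed-luks-key\n")   # made-up key
    for path, data in find_initrd_secrets(blob).items():
        print(f"{path}: {len(data)} bytes recoverable without any passphrase")
```

Run it against a real image with `python3 scan_initrd.py initrd.cpio` (after decompressing a zstd initrd); with no argument it scans the constructed sample and reports that `/hdd.key` is recoverable. Any non-empty output from a real boot partition is the warning above in practice: whoever can read that file holds the LUKS key.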