Full Disk Encryption: Difference between revisions
imported>Makefu initial batch of nixos-users
imported>Fadenb m Syntax highlighting
| Line 7: | Line 7: | ||
Sometimes it is necessary to boot a system without needing an Keyboard and Monitor. You will create a secret key, add it to a key slot and put it onto an usb stick. | Sometimes it is necessary to boot a system without needing an Keyboard and Monitor. You will create a secret key, add it to a key slot and put it onto an usb stick. | ||
< | <syntaxhighlight lang="bash"> | ||
cryptsetup luksAddKey /dev/sda1 ./hdd.key</ | dd if=/dev/urandom of=hdd.key bs=4096 count=1 | ||
cryptsetup luksAddKey /dev/sda1 ./hdd.key | |||
</syntaxhighlight> | |||
== Option 1: Write key onto the start of the stick == | == Option 1: Write key onto the start of the stick == | ||
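Review bot: the `dd if=/dev/urandom of=hdd.key bs=4096 count=1` line creates the LUKS unlock secret in the current directory under the default umask and nothing in this hunk removes it after `cryptsetup luksAddKey /dev/sda1 ./hdd.key`, so a readable copy of the key can stay behind on the host filesystem. Suggest prefixing the block with `umask 077` (or `chmod 600 hdd.key` directly after the `dd`) and adding a `shred -u hdd.key` step once the key has been copied to the stick. The `bs=4096 count=1` size matches the `keyFileSize = 4096` used in Option 1; worth saying so in the prose, since changing one without the other breaks the unlock. Minor wording in the unchanged sentence: "an Keyboard and Monitor" should read "a keyboard and monitor", and "an usb stick" should read "a USB stick".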
| Line 15: | Line 17: | ||
Then add the following configuration to your <code>configuration.nix</code>: | Then add the following configuration to your <code>configuration.nix</code>: | ||
< | <syntaxhighlight lang="nix">{ | ||
"..." | |||
boot.initrd.luks.devices = [ | boot.initrd.luks.devices = [ | ||
{ | { | ||
name = | name = "luksroot"; | ||
device = | device = "/dev/disk/by-id/<disk-name>-part2"; | ||
allowDiscards = true; | allowDiscards = true; | ||
keyFileSize = 4096; | keyFileSize = 4096; | ||
# pinning to /dev/disk/by-id/usbkey works | # pinning to /dev/disk/by-id/usbkey works | ||
keyFile = | keyFile = "/dev/sdb"; | ||
} | } | ||
]; | ]; | ||
}</ | }</syntaxhighlight> | ||
As of right now (2017-08-18) the NixOS options do not provide means to hide a key after the MBR as described in [https://bbs.archlinux.org/viewtopic.php?id=158507 this article in the archlinux forums]. More specificially you will need to be able to provide a keyOffset | As of right now (2017-08-18) the NixOS options do not provide means to hide a key after the MBR as described in [https://bbs.archlinux.org/viewtopic.php?id=158507 this article in the archlinux forums]. More specificially you will need to be able to provide a keyOffset | ||
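Review bot: `keyFile = "/dev/sdb"` pins the key to a kernel device name that depends on enumeration order, while the comment directly above it says pinning to `/dev/disk/by-id/usbkey` works; the example should use the stable `/dev/disk/by-id/...` form, as the `device = "/dev/disk/by-id/<disk-name>-part2"` line already does, so that a differently ordered USB bus does not cause the wrong device to be read as the key. In the same hunk, `boot.initrd.luks.devices` is written as a list (`[ { name = "luksroot"; ... } ]`) whereas Option 2 uses the attribute-set form `boot.initrd.luks.devices."crypted" = { ... }`; the two options should agree on one form. The prose would also benefit from one sentence stating that with `keyFileSize = 4096` the first 4096 bytes of the raw stick are the unlock secret, so possession of the stick alone unlocks the disk and the stick needs to be guarded accordingly. Typos: "More specificially" should be "More specifically", and the sentence ending in "provide a keyOffset" has no closing punctuation.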
| Line 35: | Line 37: | ||
If you want to use your stick for other stuff or it already has other keys on it you can use the following method by Tzanko Matev. Add this to your <code>configuration.nix</code>: | If you want to use your stick for other stuff or it already has other keys on it you can use the following method by Tzanko Matev. Add this to your <code>configuration.nix</code>: | ||
< | <syntaxhighlight lang="nix"> | ||
PRIMARYUSBID = | let | ||
BACKUPUSBID = | PRIMARYUSBID = "b501f1b9-7714-472c-988f-3c997f146a17"; | ||
BACKUPUSBID = "b501f1b9-7714-472c-988f-3c997f146a18"; | |||
in { | in { | ||
"..." | |||
# Kernel modules needed for mounting USB VFAT devices in initrd stage | # Kernel modules needed for mounting USB VFAT devices in initrd stage | ||
boot.initrd.kernelModules = [ | boot.initrd.kernelModules = ["uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1"]; | ||
# Mount USB key before trying to decrypt root filesystem | # Mount USB key before trying to decrypt root filesystem | ||
| Line 52: | Line 55: | ||
''; | ''; | ||
boot.initrd.luks.devices. | boot.initrd.luks.devices."crypted" = { | ||
keyFile = | keyFile = "/key/keyfile"; | ||
preLVM = false; # If this is true the decryption is attempted before the postDeviceCommands can run | preLVM = false; # If this is true the decryption is attempted before the postDeviceCommands can run | ||
}; | }; | ||
}</ | } | ||
</syntaxhighlight> | |||
== Option 3: Decryption via YubiKey == | == Option 3: Decryption via YubiKey == | ||
''TODO'', it works but needs to be described. | ''TODO'', it works but needs to be described. | ||
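Review bot: `preLVM = false;` is correct for this setup because the key is only available after `postDeviceCommands` has mounted the stick, but the hunk shows neither those mount commands (elided at Line 52) nor what happens at boot when neither stick is present, and the section should state the expected behaviour when `/key/keyfile` does not exist. `BACKUPUSBID` is bound in the `let` block but not used in any visible line; if it is only referenced in the elided `postDeviceCommands`, fine, otherwise it is a dead binding. The two UUIDs differ only in their last hex digit and read like real values; label them as placeholders (for example `<primary-usb-uuid>`), in line with `<disk-name>` in Option 1, so readers do not copy them verbatim. Worth one sentence in the prose: a keyfile stored on a VFAT stick has no permission bits, so anyone holding the stick can read `/key/keyfile` and unlock the volume, which is the same trust model as Option 1. Option 3 is still `''TODO''`; if it is known to work, the minimal configuration should be added before the page claims it does.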