Full Disk Encryption: Difference between revisions
m Added a link to use tpm2 with disk encryption
Artoria2e5 (talk | contribs) No edit summary
There are a few options for full disk encryption. The easiest way is to use the graphical installer and choose "encrypt" during the installation.
= LVM on LUKS =
In this example, everything except for the <code>/boot</code> partition is encrypted.
└─vg-root 254:2 0 225.3G 0 lvm /
</syntaxhighlight>
== Enter password on Boot ==
The initrd needs to be configured to unlock the encrypted <code>/dev/sda2</code> partition during stage 1 of the boot process.
With <code lang="nix">boot.initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";</code>, the initrd knows it must unlock <code>/dev/sda2</code> before activating LVM and proceeding with the boot process.
== Unattended Boot via USB ==
Sometimes it is necessary to boot a system without a keyboard and monitor. You will create a secret key, add it to a LUKS key slot and put it onto a USB stick.
</syntaxhighlight>
You can enable fallback to a password (in case the USB stick is lost or corrupted) by setting the <code>boot.initrd.luks.devices.<name>.fallbackToPassword</code> option to <code>true</code>. By default, this option is <code>false</code>, so you will have to perform a manual recovery if the USB stick becomes unavailable (which you may prefer, depending on your use case).
=== Option 1: Write key onto the start of the stick ===
This will make the USB stick unusable for anything other than decryption. Write the key onto the stick:
}</syntaxhighlight>
=== Option 2: Copy Key as file onto a vfat usb stick ===
If you want to use your stick for other things, or it already has other keys on it, you can use the following method by Tzanko Matev. Add this to your <code>configuration.nix</code>:
</syntaxhighlight>
== Unattended Boot via keyfile ==
A simpler but insecure option for unattended boots is to copy the keyfile into the initrd itself.
}
</syntaxhighlight>
== Store key on TPM2 or FIDO2 ==
Unattended boot can also be done with TPM2 or FIDO2. This cannot be performed in a fully declarative way because every such security device is unique; some manual running of {{code|systemd-cryptenroll}} is required.
For FIDO2, directly read the [https://github.com/NixOS/nixpkgs/blob/7be68f763d94cdb4c809b7980647828e3274a511/nixos/doc/manual/configuration/luks-file-systems.section.md chapter in the official manual].
For TPM, replace the crypttab and systemd-cryptsetup option <code>fido2-device=auto</code> with <code>tpm2-device=auto</code> for systemd stage 1. See [https://github.com/NixOS/nixpkgs/blob/7be68f763d94cdb4c809b7980647828e3274a511/nixos/tests/systemd-initrd-luks-tpm2.nix this integration test] in the nixpkgs source code repository.
Because the TPM is attached to your computer, it provides no protection against a stolen computer when used on its own (it usually allows for setting a password, but that is it). It can only protect against a stolen drive.
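As an added example (not code from this wiki page or from the nixpkgs manual), this is what the TPM2 variant of the linked chapter amounts to, assuming the LUKS container is the <code>/dev/sda2</code> from the LVM-on-LUKS layout above and is named <code>cryptroot</code>; the crypttab option is spelled <code>tpm2-device=auto</code> as in systemd's crypttab(5), and the enrollment commands in the comments are run once by hand:

```nix
{ ... }:
{
  # Added example, not the wiki's own code: TPM2-backed unlock of the
  # LVM-on-LUKS root with systemd stage 1. Assumes the container is
  # /dev/sda2 (UUID placeholder below) and is named "cryptroot".
  boot.initrd.systemd.enable = true; # systemd-cryptsetup only exists in systemd stage 1

  boot.initrd.luks.devices.cryptroot = {
    device = "/dev/disk/by-uuid/UUID-OF-SDA2";
    # Passed through to /etc/crypttab inside the initrd. Which PCRs and
    # whether a PIN is needed is fixed at enrollment time, not here.
    crypttabExtraOpts = [ "tpm2-device=auto" ];
  };

  # Enrollment is done once, manually, on the running system (as the
  # section says, the TPM is unique per machine, so this part cannot be
  # declarative). Binding to PCR 7 (Secure Boot state) and requiring a
  # PIN is what narrows the "stolen computer" case described above:
  #
  #   sudo systemd-cryptenroll /dev/sda2 \
  #     --tpm2-device=auto \
  #     --tpm2-pcrs=7 \
  #     --tpm2-with-pin=yes
  #
  # Check the result before rebooting: the LUKS2 token list should now
  # contain a "systemd-tpm2" token.
  #
  #   sudo cryptsetup luksDump /dev/sda2 | grep -A3 systemd-tpm2
  #
  # Keep the passphrase key slot: systemd-cryptsetup prompts for it when
  # the TPM policy no longer matches (e.g. after a firmware update).
  # To remove the TPM binding again:
  #
  #   sudo systemd-cryptenroll /dev/sda2 --wipe-slot=tpm2
}
```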
= zimbatm's laptop recommendation =