Full Disk Encryption: Difference between revisions

imported>Ryanorendorff
No edit summary
imported>J4m3s-s
Add full disk encryption (with encrypted kernel / initrd) with GRUB.
== Option 3: Full disk encryption (encrypted /boot) with password ==
The partition layout is: one partition holding LVM on LUKS, and a second partition formatted as FAT (the EFI system partition).
The LVM partition contains both the swap and the root filesystem.
This only works with a LUKS1 partition, because GRUB does not understand LUKS2, so make sure to pass the argument --type luks1 to cryptsetup when creating the LUKS partition.
<syntaxhighlight lang="bash">
NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda            8:0    0 233.8G  0 disk
├─sda1          8:1    0  500M  0 part  /boot/efi
└─sda2          8:2    0 233.3G  0 part
  └─root      254:0    0 233.3G  0 crypt
    ├─vg-swap 254:1    0    8G  0 lvm  [SWAP]
    └─vg-root 254:2    0 225.3G  0 lvm  /
</syntaxhighlight>
- mount your EFI partition (here /dev/sda1) as /boot/efi.
- generate your NixOS config.
- add the following options (replace TODO with the UUID of the partition containing the encrypted data, as listed in /dev/disk/by-uuid; lsblk -f also shows it):
<syntaxhighlight lang="nix">
    boot.loader.efi.canTouchEfiVariables = true;
    boot.loader.grub = {
      enable = true;
      version = 2;
      device = "nodev";
      efiSupport = true;
      enableCryptodisk = true;
    };
    boot.loader.efi.efiSysMountPoint = "/boot/efi";
    boot.initrd.luks.devices = [
      {
        name = "root";
        device = "/dev/disk/by-uuid/TODO";
        preLVM = true;
      }
    ];
</syntaxhighlight>
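Because GRUB's cryptodisk support only unlocks LUKS1, the header version is worth checking before you rely on this setup. The script below is an added example, not part of the wiki page: it parses the text of cryptsetup luksDump to report the header version and to fill the TODO in boot.initrd.luks.devices with the real UUID. The two sample dumps and their UUIDs are constructed, not output from a real device.

```shell
#!/bin/sh
# Added example (not from the wiki): check that a LUKS header is version 1,
# which GRUB can unlock, and derive the by-uuid path for the NixOS config.
# The sample dumps below are constructed; the UUIDs are fake.

SAMPLE_LUKS1_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
UUID:           11111111-2222-3333-4444-555555555555'

SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          3
UUID:           aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'

# luks_version: read a luksDump on stdin, print the header version (1 or 2).
luks_version() {
    sed -n 's/^Version:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# luks_uuid: read a luksDump on stdin, print the header UUID.
luks_uuid() {
    sed -n 's/^UUID:[[:space:]]*\([0-9a-fA-F-]*\).*/\1/p' | head -n 1
}

# grub_can_unlock: exit 0 only when the dump on stdin describes a LUKS1 header.
grub_can_unlock() {
    [ "$(luks_version)" = 1 ]
}

# nix_luks_entry NAME: print the boot.initrd.luks.devices entry for the dump on
# stdin, with the wiki's TODO replaced by the header UUID.
nix_luks_entry() {
    printf '{ name = "%s"; device = "/dev/disk/by-uuid/%s"; preLVM = true; }\n' \
        "$1" "$(luks_uuid)"
}

# Stand-alone use: with a device argument (needs root) the real header is
# inspected; without one the constructed LUKS1 sample is used.
if [ -n "$1" ]; then dump=$(cryptsetup luksDump "$1"); else dump=$SAMPLE_LUKS1_DUMP; fi
if printf '%s\n' "$dump" | grub_can_unlock; then
    echo "LUKS1 header: GRUB can unlock it. Config entry:"
    printf '%s\n' "$dump" | nix_luks_entry root
else
    echo "LUKS version $(printf '%s\n' "$dump" | luks_version): GRUB cannot unlock it;" \
         "the partition must be created with cryptsetup --type luks1" >&2
fi
```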
= zimbatm's laptop recommendation =