Full Disk Encryption: Difference between revisions
imported>Ryanorendorff No edit summary
imported>J4m3s-s Add full disk encryption (with encrypted kernel / initrd) with GRUB.
</syntaxhighlight>
== Option 3: Full disk encryption (encrypted /boot) with password ==
The disk is partitioned as follows: one partition holding LVM on LUKS, and a second FAT partition for EFI.
The LVM partition contains both the swap and the root filesystem.
This only works with a LUKS1 partition because GRUB does not support LUKS2, so make sure to pass <code>--type luks1</code> to cryptsetup when creating the LUKS partition.
<syntaxhighlight lang="bash">
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda              8:0    0 233.8G  0 disk
├─sda1           8:1    0   500M  0 part  /boot/efi
└─sda2           8:2    0 233.3G  0 part
  └─root       254:0    0 233.3G  0 crypt
    ├─vg-swap  254:1    0     8G  0 lvm   [SWAP]
    └─vg-root  254:2    0 225.3G  0 lvm   /
</syntaxhighlight>
- mount your EFI partition (here /dev/sda1) as /boot/efi.
- generate your NixOS configuration.
- add the following options (replace TODO with the UUID, found under /dev/disk/by-uuid, of the partition that holds the LUKS container; <code>lsblk -f</code> shows it as well):
<syntaxhighlight lang="nix">
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = {
  enable = true;
  version = 2;
  device = "nodev";
  efiSupport = true;
  enableCryptodisk = true;
};
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.initrd.luks.devices = [
  {
    name = "root";
    device = "/dev/disk/by-uuid/TODO";
    preLVM = true;
  }
];
</syntaxhighlight>
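As an added example (not part of the wiki page or of NixOS itself), a small POSIX shell helper that ties the two requirements above together: from <code>lsblk -f</code> and <code>cryptsetup luksDump</code> output it picks the UUID of the crypto_LUKS partition, checks that the header is LUKS1 as GRUB requires, and renders the matching <code>boot.initrd.luks.devices</code> entry. The sample outputs, UUIDs and function names are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `lsblk -f` (not captured from a real host).
SAMPLE_LSBLK='NAME        FSTYPE      LABEL UUID                                 MOUNTPOINT
sda
├─sda1      vfat              1A2B-3C4D                            /boot/efi
└─sda2      crypto_LUKS       0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0
  └─root    LVM2_member       aBcDeF-1234-5678-90ab-cdef-ghij-klmnop
    ├─vg-swap swap            3b9d1f2e-8c7a-4d6e-9f0b-1a2c3d4e5f60 [SWAP]
    └─vg-root ext4            7e6d5c4b-3a29-4180-b7c6-d5e4f3a2b1c0 /'

# Constructed sample of `cryptsetup luksDump /dev/sda2` for a LUKS1 header.
SAMPLE_DUMP='LUKS header information for /dev/sda2

Version:       	1
Cipher name:   	aes
Cipher mode:   	xts-plain64
Hash spec:     	sha256'

# Print the UUID on the line whose FSTYPE is crypto_LUKS; other UUIDs
# (the filesystems inside the LVM volume group) are deliberately skipped.
luks_uuid_from_lsblk() {
  printf '%s\n' "$1" | awk '
    { is_luks = 0
      for (i = 1; i <= NF; i++) if ($i == "crypto_LUKS") is_luks = 1
      if (!is_luks) next
      for (i = 1; i <= NF; i++)
        if (length($i) == 36 && $i ~ /^[0-9a-f-]*$/) { print $i; exit } }'
}

# Extract the "Version:" field from luksDump output (1 or 2).
luks_version_from_dump() {
  printf '%s\n' "$1" | awk '$1 == "Version:" { print $2; exit }'
}

# GRUB's cryptodisk support described above requires a LUKS1 header.
grub_supports_luks_version() { [ "$1" = "1" ]; }

# Render the boot.initrd.luks.devices entry in the page's list form.
render_nix_luks_device() {
  printf '  {\n    name = "%s";\n    device = "/dev/disk/by-uuid/%s";\n    preLVM = true;\n  }\n' "$1" "$2"
}

uuid=$(luks_uuid_from_lsblk "$SAMPLE_LSBLK")
ver=$(luks_version_from_dump "$SAMPLE_DUMP")
if grub_supports_luks_version "$ver"; then
  render_nix_luks_device root "$uuid"
else
  echo "LUKS$ver header found: GRUB needs LUKS1 (recreate with cryptsetup --type luks1)" >&2
fi
```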
= zimbatm's laptop recommendation =