Full Disk Encryption: Difference between revisions
imported>ShenZhouHong m Added further reading link with a guide on FDE using detached LUKS header and separate boot partition
imported>DVcWmsbFziLBuYvvtHcy use proper highlighting syntax, remove outdated nix syntax warning, random instead urandom
Line 8: | Line 8: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
dd if=/dev/ | dd if=/dev/random of=hdd.key bs=4096 count=1 | ||
cryptsetup luksAddKey /dev/sda1 ./hdd.key | cryptsetup luksAddKey /dev/sda1 ./hdd.key | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== Option 1: Write key onto the start of the stick == | == Option 1: Write key onto the start of the stick == | ||
This will make the usb-stick unusable for any other operations than being used for decryption. Write they key onto the stick: < | This will make the usb-stick unusable for any other operations than being used for decryption. Write they key onto the stick: | ||
<syntaxhighlight lang="bash"> | |||
dd if=hdd.key of=/dev/sdb | |||
</syntaxhighlight> | |||
Then add the following configuration to your <code>configuration.nix</code>: | Then add the following configuration to your <code>configuration.nix</code>: | ||
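Review bot: `dd if=/dev/random of=hdd.key bs=4096 count=1` can still produce a key file shorter than 4096 bytes, because `count=1` counts read() calls rather than bytes and a read from /dev/random may return short (on kernels before 5.6 it blocks and hands back whatever entropy is available); add `iflag=fullblock` so hdd.key is always exactly 4096 bytes, which matters because Option 1 later reads a fixed-size key back from the start of the stick. The typo "Write they key onto the stick" is carried over unchanged on both sides of the diff; "the key" is meant. Since `dd if=hdd.key of=/dev/sdb` overwrites the first 4096 bytes of whatever device is named (partition table included), the text should tell the reader to confirm the device name with `lsblk` before running it rather than only warning that the stick becomes unusable.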
Line 33: | Line 37: | ||
}; | }; | ||
}</syntaxhighlight> | }</syntaxhighlight> | ||
== Option 2: Copy Key as file onto a vfat usb stick == | == Option 2: Copy Key as file onto a vfat usb stick == | ||
Line 84: | Line 73: | ||
This only works with LUKS1 partition because Grub doesn't know LUKS2, so make sure to pass the argument --type luks1 to cryptsetup when creating the LUKS partition. | This only works with LUKS1 partition because Grub doesn't know LUKS2, so make sure to pass the argument --type luks1 to cryptsetup when creating the LUKS partition. | ||
<syntaxhighlight lang=" | <syntaxhighlight lang="text"> | ||
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT | NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT | ||
sda 8:0 0 233.8G 0 disk | sda 8:0 0 233.8G 0 disk | ||
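Review bot: the `--type luks1` advice should come with its security cost, which the sentence does not mention: LUKS1 keyslots are derived with PBKDF2 rather than Argon2id, so the passphrase carries more of the load; recommend pairing `--type luks1` with a raised `--iter-time` and a long passphrase. The statement that GRUB "doesn't know LUKS2" is also dated, since GRUB 2.06 and later can open LUKS2 volumes whose keyslots use PBKDF2 (not Argon2); rephrase to "GRUB can only open LUKS1, or LUKS2 with PBKDF2 keyslots". Minor: "a LUKS1 partition", and `--type luks1` belongs in `<code>`.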
Line 118: | Line 107: | ||
Let's say that you have a GPT partition with EFI enabled. You might be booting on other OSes with it. Let's say that your disk layout looks something like this: | Let's say that you have a GPT partition with EFI enabled. You might be booting on other OSes with it. Let's say that your disk layout looks something like this: | ||
<syntaxhighlight lang=" | <syntaxhighlight lang="text"> | ||
8 0 500107608 sda | 8 0 500107608 sda | ||
8 1 266240 sda1 - the EFI partition | 8 1 266240 sda1 - the EFI partition | ||
Line 131: | Line 120: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
# format the disk with the luks structure | # format the disk with the luks structure | ||
cryptsetup luksFormat /dev/sda4 | |||
# open the encrypted partition and map it to /dev/mapper/cryptroot | # open the encrypted partition and map it to /dev/mapper/cryptroot | ||
cryptsetup luksOpen /dev/sda4 cryptroot | |||
# format as usual | # format as usual | ||
mkfs.ext4 -L nixos /dev/mapper/cryptroot | |||
# mount | # mount | ||
mount /dev/disk/by-label/nixos /mnt | |||
mkdir /mnt/boot | |||
mount /dev/sda1 /mnt/boot | |||
</syntaxhighlight> | </syntaxhighlight> | ||
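Review bot: `cryptsetup luksFormat /dev/sda4` here has no `--type luks1`, which is correct for this layout (GRUB never has to unlock anything, because `/boot` is the unencrypted EFI partition mounted from `/dev/sda1`), but after the earlier section insisted on LUKS1 the block should say so explicitly, or readers will combine the two and downgrade a volume that could stay LUKS2. The same fact deserves one sentence of threat-model caveat: with `mount /dev/sda1 /mnt/boot`, the kernel and initrd live outside the encrypted volume, so the encryption protects data at rest but not against tampering with the boot chain; Secure Boot or the detached-header guide linked in the further-reading edit are the mitigations. Also `mount /dev/disk/by-label/nixos /mnt` depends on udev having created the by-label symlink right after `mkfs.ext4 -L nixos`; mounting `/dev/mapper/cryptroot` directly avoids a race on slow systems.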