Full Disk Encryption: Difference between revisions

imported>ShenZhouHong
m Added further reading link with a guide on FDE using detached LUKS header and separate boot partition
imported>DVcWmsbFziLBuYvvtHcy
use proper highlighting syntax, remove outdated nix syntax warning, random instead of urandom
Line 8: Line 8:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
dd if=/dev/urandom of=hdd.key bs=4096 count=1
dd if=/dev/random of=hdd.key bs=4096 count=1
cryptsetup luksAddKey /dev/sda1 ./hdd.key
cryptsetup luksAddKey /dev/sda1 ./hdd.key
</syntaxhighlight>
</syntaxhighlight>
== Option 1: Write key onto the start of the stick ==
== Option 1: Write key onto the start of the stick ==


This will make the usb-stick unusable for any other operations than being used for decryption. Write they key onto the stick: <code>dd if=hdd.key of=/dev/sdb</code>.
This will make the usb-stick unusable for any other operations than being used for decryption. Write they key onto the stick:
 
<syntaxhighlight lang="bash">
dd if=hdd.key of=/dev/sdb
</syntaxhighlight>


Then add the following configuration to your <code>configuration.nix</code>:
Then add the following configuration to your <code>configuration.nix</code>:
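Review bot: the switch from /dev/urandom to /dev/random in `dd if=/dev/random of=hdd.key bs=4096 count=1` gains nothing on current kernels, where both devices are served by the same CSPRNG once it is seeded, and /dev/random can stall during early boot on a freshly installed system; either keep /dev/urandom or state which kernel behaviour the change assumes. Separately, neither column restricts the key file: `dd` creates hdd.key with the default umask in the current directory, so a `chmod 600 hdd.key` (or running the command under `umask 077`) before `cryptsetup luksAddKey /dev/sda1 ./hdd.key`, and removing the file once it has been copied to the stick, deserve a line. Minor: "Write they key onto the stick" should read "Write the key onto the stick" in both columns.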
Line 33: Line 37:
   };
   };
}</syntaxhighlight>
}</syntaxhighlight>
As of right now (2017-08-18) the NixOS options do not provide means to hide a key after the MBR as described in [https://bbs.archlinux.org/viewtopic.php?id=158507 this article in the archlinux forums]. More specificially you will need to be able to provide a keyOffset
With NixOS 20.04 the syntax has changed slightly:
<syntaxhighlight lang="nix">{
  "..."
  boot.initrd.luks.devices.luksroot = {
    device = "/dev/disk/by-id/<disk-name>-part2";
    allowDiscards = true;
    keyFileSize = 4096;
    # pinning to /dev/disk/by-id/usbkey works
    keyFile = "/dev/sdb";
  };
}</syntaxhighlight>


== Option 2: Copy Key as file onto a vfat usb stick ==
== Option 2: Copy Key as file onto a vfat usb stick ==
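Review bot: the `"..."` placeholder in the new NixOS 20.04 block is not valid Nix; a bare string inside an attribute set is a parse error, so anyone pasting the snippet into configuration.nix gets a syntax error before they reach the real options. Use a Nix comment such as `# ...` for the elision. The comment `# pinning to /dev/disk/by-id/usbkey works` also argues against the value directly under it: `keyFile = "/dev/sdb";` depends on device enumeration order, and with another USB device present the initrd may try to read the key from the wrong disk, so the example should use the stable /dev/disk/by-id path it already recommends, as the `device` line does. Lastly, the removed 2017 paragraph about not being able to hide the key at an offset after the MBR is dropped without replacement; if the removal is because NixOS has since gained an option for that, say so in one sentence, otherwise keep the caveat.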
Line 84: Line 73:
This only works with LUKS1 partition because Grub doesn't know LUKS2, so make sure to pass the argument --type luks1 to cryptsetup when creating the LUKS partition.
This only works with LUKS1 partition because Grub doesn't know LUKS2, so make sure to pass the argument --type luks1 to cryptsetup when creating the LUKS partition.


<syntaxhighlight lang="bash">
<syntaxhighlight lang="text">
NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda            8:0    0 233.8G  0 disk
sda            8:0    0 233.8G  0 disk
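Review bot: changing the highlighting language from bash to text for the lsblk listing is correct, since the block is program output rather than commands. In the unchanged sentence above it, `--type luks1` should be marked up as code so it is not read as prose, and "only works with LUKS1 partition" needs an article ("a LUKS1 partition"). The statement that GRUB does not know LUKS2 is given without a GRUB version; qualify or date it, as the earlier hunk's 2017 note was dated, so readers can re-check it against the GRUB release they install, and make clear that the restriction applies to the layout this section describes, where GRUB itself has to unlock the volume.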
Line 118: Line 107:
Let's say that you have a GPT partition with EFI enabled. You might be booting on other OSes with it. Let's say that your disk layout looks something like this:
Let's say that you have a GPT partition with EFI enabled. You might be booting on other OSes with it. Let's say that your disk layout looks something like this:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="text">
   8        0  500107608 sda
   8        0  500107608 sda
   8        1    266240 sda1      - the EFI partition
   8        1    266240 sda1      - the EFI partition
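Review bot: lang="text" is the right choice for the /proc/partitions listing, which is output, not shell input. Wording in the unchanged lead sentence: "you have a GPT partition with EFI enabled" conflates the partition table with a partition; "a GPT-partitioned disk with an EFI system partition" matches what the listing shows, where sda1 is annotated as the EFI partition.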
Line 131: Line 120:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
# format the disk with the luks structure
# format the disk with the luks structure
$ cryptsetup luksFormat /dev/sda4
cryptsetup luksFormat /dev/sda4
# open the encrypted partition and map it to /dev/mapper/cryptroot
# open the encrypted partition and map it to /dev/mapper/cryptroot
$ cryptsetup luksOpen /dev/sda4 cryptroot
cryptsetup luksOpen /dev/sda4 cryptroot
# format as usual
# format as usual
$ mkfs.ext4 -L nixos /dev/mapper/cryptroot
mkfs.ext4 -L nixos /dev/mapper/cryptroot
# mount
# mount
$ mount /dev/disk/by-label/nixos /mnt
mount /dev/disk/by-label/nixos /mnt
$ mkdir /mnt/boot
mkdir /mnt/boot
$ mount /dev/sda1 /mnt/boot
mount /dev/sda1 /mnt/boot
</syntaxhighlight>
</syntaxhighlight>
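Review bot: removing the `$ ` prompts makes the block copy-pasteable, but every command in it requires root, so either say so or prefix them with `sudo`; otherwise a non-root reader gets a permission error at `cryptsetup luksFormat /dev/sda4`. That command is also destructive and interactive (it asks for an uppercase YES confirmation and a passphrase), which the comment `# format the disk with the luks structure` should mention. Since the earlier hunk tells readers to pass `--type luks1`, this block should state why the default format is acceptable here, namely that /boot is the separate unencrypted EFI partition mounted at /mnt/boot rather than part of the encrypted volume, otherwise the two sections read as contradicting each other. Finally, `mount /dev/disk/by-label/nixos /mnt` relies on udev having created the label symlink immediately after mkfs; `mount /dev/mapper/cryptroot /mnt` avoids that race and uses the mapping the previous command just created.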