Full Disk Encryption: Difference between revisions
imported>Thibaultmol: I think 'partition' was meant here instead of 'disk'
imported>Ulinja: correct misleading heading, remove unnecessary config options, improve clarity
Line 67: | Line 67: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== Option 3: Full disk encryption ( | == Option 3: Full disk encryption with password (LVM on LUKS) == | ||
In this example, everything except for the <code>/boot</code> partition is encrypted. | |||
The <code>sda</code> block device will have two partitions: | |||
# Unencrypted <code>/boot</code> partition (EFI system partition) formatted as FAT. | |||
# LUKS-encrypted logical volume group for everything else (swap and <code>/</code>). | |||
When unlocked and mounted, it will look like this: | |||
<syntaxhighlight lang="text"> | <syntaxhighlight lang="text"> | ||
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT | NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT | ||
sda 8:0 0 233.8G 0 disk | sda 8:0 0 233.8G 0 disk | ||
├─sda1 8:1 0 500M 0 part /boot | ├─sda1 8:1 0 500M 0 part /boot | ||
└─sda2 8:2 0 233.3G 0 part | └─sda2 8:2 0 233.3G 0 part | ||
└─root 254:0 0 233.3G 0 crypt | └─root 254:0 0 233.3G 0 crypt | ||
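Review bot: the second list item, "LUKS-encrypted logical volume group for everything else (swap and /)", conflates the layers the new heading names: on this layout <code>sda2</code> is a LUKS-encrypted partition, and the LVM volume group lives inside the opened container. Suggest "LUKS-encrypted partition holding an LVM volume group for everything else (swap and /)" so the list matches "LVM on LUKS" and the <code>crypt</code> line in the lsblk output. The first list item would also benefit from one clause stating the consequence of an unencrypted <code>/boot</code>: the kernel and initrd on the FAT partition are stored in the clear, which is the trade-off this option makes compared with the other options on the page.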
Line 83: | Line 86: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
The initrd needs to be configured to unlock the encrypted <code>/dev/sda2</code> partition during stage 1 of the boot process. | |||
To do this, add the following options (replacing <code>UUID-OF-SDA2</code> with the actual UUID of the encrypted partition <code>/dev/sda2</code>. -- You can find it using <code>lsblk -f</code> or <code>sudo blkid -s UUID /dev/sda2</code>.) | |||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
boot | boot = { | ||
loader = { | |||
canTouchEfiVariables = true; | |||
grub = { | |||
enable = true; | |||
device = "nodev"; | |||
efiSupport = true; | |||
device = " | |||
}; | }; | ||
}; | |||
initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2"; | |||
}; | }; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
During boot, the password used to unlock the encrypted device must be entered. | |||
Once it is unlocked, the boot process continues. | |||
= zimbatm's laptop recommendation = | = zimbatm's laptop recommendation = | ||
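Review bot: the mapper name in <code>initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";</code> does not match the <code>root</code> crypt device shown in the lsblk output of the section above; pick one name and use it in both places so a reader can map the config to the device tree. Dropping the <code>loader</code> block also leaves this section with no statement of where the bootloader for the FAT <code>/boot</code> partition is configured; a one-line pointer to the loader section would keep the example self-contained. Finally, the parenthetical "replacing <code>UUID-OF-SDA2</code> with the actual UUID ... -- You can find it using ..." would read better as its own sentence that spells out which UUID is meant: the UUID of the LUKS container on <code>/dev/sda2</code> as printed by <code>blkid -s UUID /dev/sda2</code>, not the UUID of any filesystem or logical volume inside it.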