Full Disk Encryption: Difference between revisions

imported>Thibaultmol
I think 'partition' was meant here instead of 'disk'
imported>Ulinja
correct misleading heading, remove unnecessary config options, improve clarity
Line 67: Line 67:
</syntaxhighlight>
</syntaxhighlight>


== Option 3: Full disk encryption (encrypted /boot) with password ==
== Option 3: Full disk encryption with password (LVM on LUKS) ==


Partition formatting will be : one partition with LVM on LUKS, and the other in FAT. (EFI partition)
In this example, everything except for the <code>/boot</code> partition is encrypted.
The LVM partition contains both the swap and the root filesystem.
The <code>sda</code> block device will have two partitions:
This only works with LUKS1 partition because Grub doesn't know LUKS2, so make sure to pass the argument --type luks1 to cryptsetup when creating the LUKS partition.
# Unencrypted <code>/boot</code> partition (EFI system partition) formatted as FAT.
# LUKS-encrypted logical volume group for everything else (swap and <code>/</code>).
 
When unlocked and mounted, it will look like this:


<syntaxhighlight lang="text">
<syntaxhighlight lang="text">
NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda            8:0    0 233.8G  0 disk
sda            8:0    0 233.8G  0 disk
├─sda1          8:1    0  500M  0 part  /boot/efi
├─sda1          8:1    0  500M  0 part  /boot
└─sda2          8:2    0 233.3G  0 part
└─sda2          8:2    0 233.3G  0 part
   └─root      254:0    0 233.3G  0 crypt
   └─root      254:0    0 233.3G  0 crypt
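Review bot: the new prose and the new `lsblk` listing in this hunk do not describe the same layout. The text says the LVM partition holds both swap and `/` and calls it a "LUKS-encrypted logical volume group", but in an LVM-on-LUKS setup the LUKS container is the partition (`sda2`) and the volume group lives inside the opened `crypt` device; the listing stops at `root ... crypt` and shows no `lvm` entries for the swap and root logical volumes, so a reader cannot tell where the VG is. Suggest wording the bullet as "LUKS-encrypted partition holding an LVM volume group (swap and `/`)" and extending the listing with the two `lvm` rows beneath the `crypt` line so the tree matches the text. Also worth one sentence, since the revised heading now says `/boot` is unencrypted: the kernel and initrd on the FAT `/boot` are outside the LUKS container, so LUKS protects the data at rest but not the boot chain itself, which is the trade-off this option makes compared with the encrypted-`/boot` variant it replaces.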
Line 83: Line 86:
</syntaxhighlight>
</syntaxhighlight>


- mount your EFI partition (here /dev/sda1) as /boot/efi.
The initrd needs to be configured to unlock the encrypted <code>/dev/sda2</code> partition during stage 1 of the boot process.
- generate your nixos config
To do this, add the following options (replacing <code>UUID-OF-SDA2</code> with the actual UUID of the encrypted partition <code>/dev/sda2</code>. -- You can find it using <code>lsblk -f</code> or <code>sudo blkid -s UUID /dev/sda2</code>.)
- add the following options : (replace TODO by the UUID in /dev/disk/by-uuid pointing to the partition containing the encrypted part. -- You can also do lsblk -f.)
 
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
     boot.loader.efi.canTouchEfiVariables = true;
     boot = {
    boot.loader.grub = {
      loader = {
      enable = true;
        canTouchEfiVariables = true;
      version = 2;
        grub = {
      device = "nodev";
          enable = true;
      efiSupport = true;
           device = "nodev";
      enableCryptodisk = true;
           efiSupport = true;
    };
    boot.loader.efi.efiSysMountPoint = "/boot/efi";
    boot.initrd.luks.devices = {
        root = {
           device = "/dev/disk/by-uuid/TODO";
           preLVM = true;
         };
         };
      };
      initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";
     };
     };
</syntaxhighlight>
</syntaxhighlight>
During boot, the password used to unlock the encrypted device must be entered.
Once it is unlocked, the boot process continues.
= zimbatm's laptop recommendation =
= zimbatm's laptop recommendation =
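Review bot: in the new configuration block, `canTouchEfiVariables = true;` is placed directly inside `loader = { ... };`, but the NixOS option is `boot.loader.efi.canTouchEfiVariables`, so it should read `efi.canTouchEfiVariables = true;` (or the attribute is simply unknown to the module system). Two consistency points as well: the LUKS mapping is renamed from `root` to `cryptroot` here (`initrd.luks.devices.cryptroot.device = ...`), while the `lsblk` output in the earlier hunk still shows the opened device as `root`; and the new text says the EFI partition is mounted at `/boot` (the `efiSysMountPoint = "/boot/efi"` line and the "mount your EFI partition as /boot/efi" step are dropped), which is the NixOS default, so the removal is fine, but the listing and prose should agree on the name of the mapped device. Finally, the UUID guidance now says `sudo blkid -s UUID /dev/sda2`; it would help to add that the value must be the UUID of the LUKS partition itself, not of the filesystem inside it, since `lsblk -f` prints both once the device is opened.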