Full Disk Encryption: Difference between revisions
imported>Ulinja: correct misleading heading, remove unnecessary config options, improve clarity
imported>Ulinja: move "LVM on LUKS" to relevant section
There are a few options for full disk encryption.
= Enter password on Boot (LVM on LUKS) =
In this example, everything except the <code>/boot</code> partition is encrypted.
This includes the root and swap volumes.
A password must be entered during boot to unlock the encrypted filesystems.
The main drive (here the <code>sda</code> block device) needs two partitions:
# An unencrypted <code>/boot</code> partition (the EFI system partition) formatted as FAT.
# A LUKS-encrypted partition holding the LVM volume group for everything else (swap and <code>/</code>).
When unlocked and mounted, it will look like this:
<syntaxhighlight lang="text">
NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda             8:0    0 233.8G  0 disk
├─sda1          8:1    0   500M  0 part  /boot
└─sda2          8:2    0 233.3G  0 part
  └─root      254:0    0 233.3G  0 crypt
    ├─vg-swap 254:1    0     8G  0 lvm   [SWAP]
    └─vg-root 254:2    0 225.3G  0 lvm   /
</syntaxhighlight>
The initrd needs to be configured to unlock the encrypted <code>/dev/sda2</code> partition during stage 1 of the boot process.
To do this, add the following options, replacing <code>UUID-OF-SDA2</code> with the actual UUID of the encrypted partition <code>/dev/sda2</code> (you can find it with <code>lsblk -f</code> or <code>sudo blkid -s UUID /dev/sda2</code>):
<syntaxhighlight lang="nix">
boot = {
  loader = {
    canTouchEfiVariables = true;
    grub = {
      enable = true;
      device = "nodev";
      efiSupport = true;
    };
  };
  initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";
};
</syntaxhighlight>
With <code lang="nix">initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";</code>, the initrd knows it must unlock <code>/dev/sda2</code> before activating LVM and proceeding with the boot process.
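The "find the UUID and paste it into the option" step above is easy to get wrong by hand (copying the FAT serial of <code>sda1</code>, or a UUID of a different disk). The following POSIX shell script is an added example, not code from the wiki page or from NixOS: it reads <code>lsblk -o NAME,FSTYPE,UUID</code> output, accepts a device only if lsblk reports it as <code>crypto_LUKS</code>, checks the UUID has the form udev uses under <code>/dev/disk/by-uuid</code>, and renders the <code>cryptroot</code> option from the page. The lsblk sample and its UUIDs are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the NixOS wiki page: derive the
# boot.initrd.luks.devices line for the "LVM on LUKS" layout from lsblk output.
# Device names follow the page (sda2, cryptroot); UUIDs below are constructed.

# Constructed sample of `lsblk -o NAME,FSTYPE,UUID` for the page's layout.
SAMPLE_LSBLK='NAME        FSTYPE      UUID
sda
├─sda1      vfat        1234-ABCD
└─sda2      crypto_LUKS 11111111-2222-3333-4444-555555555555
  └─root    LVM2_member aaaaaa-bbbb-cccc-dddd-eeee-ffff-gggggg
    ├─vg-swap swap      66666666-7777-8888-9999-000000000000
    └─vg-root ext4      abcdefab-1234-5678-9abc-def012345678'

# luks_uuid NAME LSBLK_OUTPUT
# Print the UUID of block device NAME, but only if lsblk reports it as a
# crypto_LUKS container; a FAT /boot or an LVM member yields nothing.
luks_uuid() {
  printf '%s\n' "$2" | awk -v dev="$1" '
    {
      name = $1
      sub(/^[^A-Za-z0-9]+/, "", name)   # drop the tree-drawing prefix (├─, └─)
      if (name == dev && $2 == "crypto_LUKS") { print $3; exit }
    }'
}

# uuid_is_wellformed UUID
# Accept only the 8-4-4-4-12 hex form used for /dev/disk/by-uuid entries of
# LUKS headers, so a FAT serial such as 1234-ABCD cannot slip through.
uuid_is_wellformed() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# render_luks_option UUID
# Emit the NixOS option as the page writes it, with the UUID filled in.
render_luks_option() {
  printf 'boot.initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/%s";\n' "$1"
}

# luks_option_for NAME LSBLK_OUTPUT
# Fail loudly rather than emit a config pointing at a non-LUKS device, which
# would leave stage 1 waiting for a volume it can never unlock.
luks_option_for() {
  uuid=$(luks_uuid "$1" "$2")
  if [ -z "$uuid" ]; then
    echo "error: $1 is not a crypto_LUKS device in the lsblk output" >&2
    return 1
  fi
  if ! uuid_is_wellformed "$uuid"; then
    echo "error: $1 has an unexpected UUID format: $uuid" >&2
    return 1
  fi
  render_luks_option "$uuid"
}

# On a real machine: luks_option_for sda2 "$(lsblk -o NAME,FSTYPE,UUID)"
luks_option_for sda2 "$SAMPLE_LSBLK"
```

The script only derives the device reference; it does not change the layout's trust assumptions. <code>/boot</code> stays unencrypted, so the kernel and initrd that prompt for the passphrase are not protected by LUKS, and their integrity rests on the boot medium and firmware rather than on the encryption.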
= Unattended Boot via USB =
= zimbatm's laptop recommendation =