Full Disk Encryption: Difference between revisions

imported>Ulinja
correct misleading heading, remove unnecessary config options, improve clarity
imported>Ulinja
move "LVM on LUKS" to relevant section
Line 1: Line 1:
There are a few options for full disk encryption.
There are a few options for full disk encryption.


= Basic Installation =
= Enter password on Boot (LVM on LUKS) =
 
In this example, everything except for the <code>/boot</code> partition is encrypted.
This includes the root and swap partitions.
A password must be entered during boot to unlock the encrypted filesystems.
 
The main drive (here the <code>sda</code> block device) will need two partitions:
# An unencrypted <code>/boot</code> partition (EFI system partition) formatted as FAT.
# A LUKS-encrypted logical volume group for everything else (swap and <code>/</code>).
 
When unlocked and mounted, it will look like this:
 
<syntaxhighlight lang="text">
NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda            8:0    0 233.8G  0 disk
├─sda1          8:1    0  500M  0 part  /boot
└─sda2          8:2    0 233.3G 0 part
  └─root      254:0    0 233.3G  0 crypt
    ├─vg-swap 254:1    0    8G  0 lvm  [SWAP]
    └─vg-root 254:2    0 225.3G  0 lvm  /
</syntaxhighlight>
 
The initrd needs to be configured to unlock the encrypted <code>/dev/sda2</code> partition during stage 1 of the boot process.
To do this, add the following options (replacing <code>UUID-OF-SDA2</code> with the actual UUID of the encrypted partition <code>/dev/sda2</code>. -- You can find it using <code>lsblk -f</code> or <code>sudo blkid -s UUID /dev/sda2</code>.)
 
<syntaxhighlight lang="nix">
    boot = {
      loader = {
        canTouchEfiVariables = true;
        grub = {
          enable = true;
          device = "nodev";
          efiSupport = true;
        };
      };
      initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";
    };
</syntaxhighlight>
 
With <code lang="nix">initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";</code>, the initrd knows it must unlock <code>/dev/sda2</code> before activating LVM and proceeding with the boot process.


= Unattended Boot via USB =
= Unattended Boot via USB =
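Review bot: the LUKS mapping name in the added config and in the added <code>lsblk</code> listing disagree. The option is <code>initrd.luks.devices.cryptroot.device</code>, so the attribute name <code>cryptroot</code> becomes the device-mapper name, and the unlocked device would appear as <code>cryptroot</code> rather than the <code>root</code> shown under <code>sda2</code> in the listing; either rename the attribute to <code>initrd.luks.devices.root.device</code> to match the listing, or change the listing's <code>└─root</code> line to <code>└─cryptroot</code>. Two smaller points in the same hunk: the parenthetical in "add the following options (replacing <code>UUID-OF-SDA2</code> ... <code>/dev/sda2</code>. -- You can find it using ...)" mixes a full stop and a double dash inside the parentheses; a plain sentence such as "Replace <code>UUID-OF-SDA2</code> with the UUID of <code>/dev/sda2</code>, which you can find with <code>lsblk -f</code> or <code>sudo blkid -s UUID /dev/sda2</code>." reads cleaner. And since the section states that <code>/boot</code> stays unencrypted, it would help readers to document the resulting threat model in one sentence: the scheme protects data at rest on a lost or stolen drive, but the kernel, initrd and GRUB on the unencrypted partition are not authenticated by it.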
Line 66: Line 105:
}
}
</syntaxhighlight>
</syntaxhighlight>
== Option 3: Full disk encryption with password (LVM on LUKS) ==
In this example, everything except for the <code>/boot</code> partition is encrypted.
The <code>sda</code> block device will have two partitions:
# Unencrypted <code>/boot</code> partition (EFI system partition) formatted as FAT.
# LUKS-encrypted logical volume group for everything else (swap and <code>/</code>).
When unlocked and mounted, it will look like this:
<syntaxhighlight lang="text">
NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda            8:0    0 233.8G  0 disk
├─sda1          8:1    0  500M  0 part  /boot
└─sda2          8:2    0 233.3G  0 part
  └─root      254:0    0 233.3G  0 crypt
    ├─vg-swap 254:1    0    8G  0 lvm  [SWAP]
    └─vg-root 254:2    0 225.3G  0 lvm  /
</syntaxhighlight>
The initrd needs to be configured to unlock the encrypted <code>/dev/sda2</code> partition during stage 1 of the boot process.
To do this, add the following options (replacing <code>UUID-OF-SDA2</code> with the actual UUID of the encrypted partition <code>/dev/sda2</code>. -- You can find it using <code>lsblk -f</code> or <code>sudo blkid -s UUID /dev/sda2</code>.)
<syntaxhighlight lang="nix">
    boot = {
      loader = {
        canTouchEfiVariables = true;
        grub = {
          enable = true;
          device = "nodev";
          efiSupport = true;
        };
      };
      initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";
    };
</syntaxhighlight>
During boot, the password used to unlock the encrypted device must be entered.
Once it is unlocked, the boot process continues.


= zimbatm's laptop recommendation =
= zimbatm's laptop recommendation =
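Review bot: the removed "Option 3: Full disk encryption with password (LVM on LUKS)" text is reproduced almost verbatim in the new "Enter password on Boot (LVM on LUKS)" section, so the move itself is consistent, but two details changed in transit. The old listing line <code>└─sda2 8:2 0 233.3G 0 part</code> had its <code>RO</code> column aligned with the other rows, while the moved copy drops a space before the <code>0</code>; and the closing sentences "During boot, the password used to unlock the encrypted device must be entered. Once it is unlocked, the boot process continues." were replaced by a single sentence that also introduces "before activating LVM", which is fine but should stay consistent with the <code>root</code>/<code>cryptroot</code> naming question raised on the first hunk. Also, removing "Option 3" from the Unattended Boot via USB section leaves that section's remaining option numbering to be checked: if it still reads "Option 1" and "Option 2", confirm the numbering and any cross-references to option 3 still make sense.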