Full Disk Encryption: Difference between revisions
imported>Zimbatm No edit summary |
imported>Zimbatm m (fix formatting) |
||
| Line 63: | Line 63: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
= zimbatm's laptop recommendation | = zimbatm's laptop recommendation = | ||
Let's say that you have a GPT partition with EFI enabled. You might be booting on other OSes with it. Let's say that your disk layout looks something like this: | Let's say that you have a GPT partition with EFI enabled. You might be booting on other OSes with it. Let's say that your disk layout looks something like this: | ||
<syntaxhighlight lang="bash"> | |||
8 0 500107608 sda | 8 0 500107608 sda | ||
8 1 266240 sda1 - the EFI partition | 8 1 266240 sda1 - the EFI partition | ||
| Line 74: | Line 74: | ||
8 4 371409920 sda4 - the NixOS root partition | 8 4 371409920 sda4 - the NixOS root partition | ||
8 5 1024000 sda5 | 8 5 1024000 sda5 | ||
</syntaxhighlight> | |||
Boot the NixOS installer and partition things according to your taste. What we are then going to do is prepare sda4 with a luks encryption layer: | Boot the NixOS installer and partition things according to your taste. What we are then going to do is prepare sda4 with a luks encryption layer: | ||
<syntaxhighlight lang="bash"> | |||
# format the disk with the luks structure | # format the disk with the luks structure | ||
$ cryptsetup luksFormat /dev/sda4 | $ cryptsetup luksFormat /dev/sda4 | ||
| Line 88: | Line 88: | ||
$ mount /dev/disk/by-label/nixos /mnt | $ mount /dev/disk/by-label/nixos /mnt | ||
$ mount /dev/sda1 /mnt/boot | $ mount /dev/sda1 /mnt/boot | ||
</syntaxhighlight> | |||
Create a swapfile of the size you want | Create a swapfile of the size you want | ||
<syntaxhighlight lang="bash"> | |||
$ fallocate -l 512M /mnt/swapfile | $ fallocate -l 512M /mnt/swapfile | ||
$ chmod 600 /mnt/swapfile | $ chmod 600 /mnt/swapfile | ||
$ mkswap -L swap /mnt/swapfile | $ mkswap -L swap /mnt/swapfile | ||
$ swapon /mnt/swapfile | $ swapon /mnt/swapfile | ||
</syntaxhighlight> | |||
Now keep installing as usual, nixos-generate-config should detect the right partitioning (maybe not the swap file). | Now keep installing as usual, nixos-generate-config should detect the right partitioning (maybe not the swap file). | ||
Revision as of 12:55, 5 January 2018
Basic installation
- Installation of NixOS with encrypted root
- Have a look at https://wiki.archlinux.org/index.php/Disk_encryption to see all the possible options. This wiki page is not complete.
Unattended Boot via USB
Sometimes it is necessary to boot a system without needing an Keyboard and Monitor. You will create a secret key, add it to a key slot and put it onto an usb stick.
dd if=/dev/urandom of=hdd.key bs=4096 count=1
cryptsetup luksAddKey /dev/sda1 ./hdd.key
Option 1: Write key onto the start of the stick
This will make the usb-stick unusable for any other operations than being used for decryption. Write they key onto the stick: dd if=hdd.key of=/dev/sdb.
Then add the following configuration to your configuration.nix:
{
"..."
boot.initrd.luks.devices = [
{
name = "luksroot";
device = "/dev/disk/by-id/<disk-name>-part2";
allowDiscards = true;
keyFileSize = 4096;
# pinning to /dev/disk/by-id/usbkey works
keyFile = "/dev/sdb";
}
];
}
As of right now (2017-08-18) the NixOS options do not provide means to hide a key after the MBR as described in this article in the archlinux forums. More specificially you will need to be able to provide a keyOffset
Option 2: Copy Key as file onto a vfat usb stick
If you want to use your stick for other stuff or it already has other keys on it you can use the following method by Tzanko Matev. Add this to your configuration.nix:
let
PRIMARYUSBID = "b501f1b9-7714-472c-988f-3c997f146a17";
BACKUPUSBID = "b501f1b9-7714-472c-988f-3c997f146a18";
in {
"..."
# Kernel modules needed for mounting USB VFAT devices in initrd stage
boot.initrd.kernelModules = ["uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1"];
# Mount USB key before trying to decrypt root filesystem
boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
mkdir -m 0755 -p /key
sleep 2 # To make sure the usb key has been loaded
mount -n -t vfat -o ro `findfs UUID=${PRIMARYUSBID}` /key || mount -n -t vfat -o ro `findfs UUID=${BACKUPUSBID}` /key
'';
boot.initrd.luks.devices."crypted" = {
keyFile = "/key/keyfile";
preLVM = false; # If this is true the decryption is attempted before the postDeviceCommands can run
};
}
zimbatm's laptop recommendation
Let's say that you have a GPT partition with EFI enabled. You might be booting on other OSes with it. Let's say that your disk layout looks something like this:
8 0 500107608 sda
8 1 266240 sda1 - the EFI partition
8 2 16384 sda2
8 3 127388672 sda3
8 4 371409920 sda4 - the NixOS root partition
8 5 1024000 sda5
Boot the NixOS installer and partition things according to your taste. What we are then going to do is prepare sda4 with a luks encryption layer:
# format the disk with the luks structure
$ cryptsetup luksFormat /dev/sda4
# open the encrypted partition and map it to /dev/mapper/cryptroot
$ cryptsetup luksOpen /dev/sda4 cryptroot
# format as usual
$ mkfs.ext4 -L nixos /dev/mapper/cryptroot
# mount
$ mount /dev/disk/by-label/nixos /mnt
$ mount /dev/sda1 /mnt/boot
Create a swapfile of the size you want
$ fallocate -l 512M /mnt/swapfile
$ chmod 600 /mnt/swapfile
$ mkswap -L swap /mnt/swapfile
$ swapon /mnt/swapfile
Now keep installing as usual, nixos-generate-config should detect the right partitioning (maybe not the swap file).