Full Disk Encryption (FDE)

In most cases, disk encryption is unnecessary or even harmful. When it comes to a laptop, however, a little paranoia does not hurt. When I received a new laptop, I encrypted its disk for the first time and took the matter seriously.

At the moment, many distributions can create encrypted partitions out of the box. However, every option I came across leaves /boot unencrypted. Not critical, but an unpleasant omission. Information on how to make a fully encrypted disk is easy enough to find on the Internet, but most of it is in English and some of the pitfalls are still not described. I will try to combine this information into one concise, understandable, step-by-step text.

What we will use

Distribution: Slackware Linux 14.2 (but I think everything can easily be adapted to any Linux distribution)
Encryption: LUKS
Partitioning: LVM
Bootloader: Grub2

Partitioning and disk encryption

We start with the disk layout. Since we plan to encrypt the entire disk, we need to create only one partition (I do not use UEFI).

    parted /dev/sda mklabel msdos
    parted -a optimal /dev/sda mkpart primary 0% 100%

Now format this partition as LUKS and open it.

    cryptsetup luksFormat /dev/sda1
    cryptsetup luksOpen /dev/sda1 lda


After luksOpen we have the block device /dev/mapper/lda, which we can now partition with LVM.

    pvcreate /dev/mapper/lda
    vgcreate vga /dev/mapper/lda
    lvcreate -L4G -n swap vga
    lvcreate -L32G -n root vga
    lvcreate -l100%FREE -n home vga

Create the swap area.

    mkswap /dev/vga/swap

Then you can install the system onto the LVM volumes we created. When the installation finishes, do not reboot; exit to the terminal and continue the magic.

Booting

First of all, we need to create an initrd/initramfs, because the kernel cannot access the encrypted disk on its own. It should be noted that most boxed distributions are designed to boot from an unencrypted /boot partition, with the password for the encrypted disk entered during system initialization. For us this means we would have to enter the password twice (once for Grub, once again in the initrd), which is not very convenient. The problem is solved by creating a LUKS key and placing it in the initrd.

    dd bs=512 count=4 if=/dev/urandom of=/root/boot.key
    cryptsetup luksAddKey /dev/sda1 /root/boot.key

I strongly recommend checking the documentation of your distribution's initrd/initramfs tool: it may support adding LUKS keys. In Slackware I found that such keys are supported, but the key must reside on an unencrypted medium (a flash drive, for example). I had to cheat as follows:

    # build the initrd (this populates /boot/initrd-tree)
    mkinitrd -c -k 4.4.14 -m ext4 -f ext4 -r /dev/vga/root -C /dev/sda1 -L
    # copy the key into the initrd tree
    install -D -m 0600 /root/boot.key /boot/initrd-tree/mountkey/boot.key
    # rebuild the initrd, telling it to read the key from /mountkey/boot.key
    mkinitrd -c -k 4.4.14 -m ext4 -f ext4 -r /dev/vga/root -C /dev/sda1 -L -K :/boot.key
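The key generation and the staging of the key into the initrd tree above are the two steps where a permissions mistake matters most, since the key file unlocks the whole disk. The script below is an added example, not code from the original post: it creates the key the same way (4 x 512 bytes from /dev/urandom) but under a restrictive umask, stages it at the path the post uses (mountkey/boot.key) and verifies size and mode before cryptsetup luksAddKey is run. The paths are parameters; /root/boot.key and /boot/initrd-tree are the post's own, and the demo function works only in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Creates the LUKS key file the
# same way the post does (4 x 512 bytes from /dev/urandom) but under a restrictive
# umask, stages it into the initrd tree at the path the post uses
# (mountkey/boot.key), and checks size and permissions before luksAddKey is run.

# Generate a 2048-byte random key file at $1 with mode 0600 from the moment it exists.
make_boot_key() {
    key="$1"
    # dd creates the output file honouring the umask, so a plain dd under the
    # default umask 022 would leave the key world-readable until chmod runs.
    ( umask 077 && dd bs=512 count=4 if=/dev/urandom of="$key" 2>/dev/null ) || return 1
    chmod 0600 "$key"
}

# Copy key $1 into the initrd tree $2 as mountkey/boot.key (what the post's
# install -D line does), creating the directory if needed.
stage_boot_key() {
    key="$1"
    tree="$2"
    install -D -m 0600 "$key" "$tree/mountkey/boot.key"
}

# Verify a key file: present, exactly 2048 bytes, mode 0600.
# Prints the first problem found and returns 1; returns 0 when all checks pass.
check_boot_key() {
    key="$1"
    [ -f "$key" ] || { echo "missing: $key"; return 1; }
    size=$(wc -c < "$key" | tr -d ' ')
    [ "$size" -eq 2048 ] || { echo "unexpected size $size for $key"; return 1; }
    mode=$(stat -c %a "$key")
    [ "$mode" = "600" ] || { echo "mode $mode on $key (want 600)"; return 1; }
    return 0
}

# Self-contained demonstration in a temporary directory (no real disk touched):
# make a key, stage it into a scratch initrd tree, check both copies.
demo() {
    tmp=$(mktemp -d) || return 1
    status=0
    make_boot_key "$tmp/boot.key" \
        && stage_boot_key "$tmp/boot.key" "$tmp/initrd-tree" \
        && check_boot_key "$tmp/boot.key" \
        && check_boot_key "$tmp/initrd-tree/mountkey/boot.key" \
        || status=1
    rm -rf "$tmp"
    return $status
}

# Real use (as root, before cryptsetup luksAddKey, and after the first mkinitrd
# run has created /boot/initrd-tree):
#   sh boot-key.sh /root/boot.key /boot/initrd-tree
if [ "$#" -eq 2 ]; then
    make_boot_key "$1" && stage_boot_key "$1" "$2" && check_boot_key "$2/mountkey/boot.key"
fi
```

After the key passes check_boot_key, the post's sequence continues unchanged: cryptsetup luksAddKey /dev/sda1 /root/boot.key, then the second mkinitrd run with -K :/boot.key packs the staged copy into the initrd.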

Grub

I did not look for very long, but of everything I came across only Grub2 supports booting from an encrypted disk.
For the bootloader to access files on the disk, we need to add the corresponding option in /etc/default/grub:

    GRUB_ENABLE_CRYPTODISK=y
    GRUB_CRYPTODISK_ENABLE=y

As you can see, I specified both GRUB_ENABLE_CRYPTODISK and GRUB_CRYPTODISK_ENABLE. This is the first pitfall I stumbled upon. I did not dig into the reason, but according to the documentation one should use the first, while grub-mkconfig checks the second for "y".

Install the bootloader.

    grub-mkconfig -o /boot/grub/grub.cfg
    grub-install /dev/sda

At this point the installation can be considered complete. The result is a system that lives entirely on an encrypted disk and asks for the password only once at boot, at the Grub stage.
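Before rebooting it is worth confirming that the two pitfalls above did not bite: that /etc/default/grub carries both cryptodisk variables, that the generated grub.cfg really contains the cryptodisk, luks and cryptomount lines, and that the files which now hold the LUKS key in clear (the initrd built with -K, and /root/boot.key) are readable by root only. The script below is an added example, not code from the original post; the checks take file paths as parameters, the defaults are the post's own paths (/etc/default/grub, /boot/grub/grub.cfg, /boot/initrd.gz, /root/boot.key), and the demo function runs the checks on constructed sample files in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Post-install checks for the
# bootloader side of the setup. Every check takes a file path so it can be run
# against copies; the defaults are the paths the post uses.

# 0 if FILE (default /etc/default/grub) sets both GRUB_ENABLE_CRYPTODISK and
# GRUB_CRYPTODISK_ENABLE to y. The post found that the documented variable is
# the first while grub-mkconfig tests the second, so both must be present.
# Accepts VAR=y and VAR="y"; commented-out lines do not count.
check_grub_default() {
    f="${1:-/etc/default/grub}"
    for var in GRUB_ENABLE_CRYPTODISK GRUB_CRYPTODISK_ENABLE; do
        grep -Eq "^[[:space:]]*${var}=\"?y\"?[[:space:]]*$" "$f" \
            || { echo "$var is not set to y in $f"; return 1; }
    done
    return 0
}

# 0 if the generated grub.cfg (default /boot/grub/grub.cfg) really unlocks the
# container at boot: grub-mkconfig emits 'insmod cryptodisk', 'insmod luks' and a
# 'cryptomount' line only when the cryptodisk option took effect.
check_grub_cfg() {
    f="${1:-/boot/grub/grub.cfg}"
    for needle in 'insmod cryptodisk' 'insmod luks' 'cryptomount '; do
        grep -Eq "^[[:space:]]*${needle}" "$f" \
            || { echo "'$needle' not found in $f"; return 1; }
    done
    return 0
}

# 0 if FILE is readable by its owner only (mode 600). The initrd built with -K
# contains the LUKS key in clear, so once the system is up and /boot is mounted
# it must not be readable by unprivileged local users; the same goes for /root/boot.key.
check_root_only() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c %a "$f")
    [ "$mode" = "600" ] || { echo "mode $mode on $f (want 600)"; return 1; }
    return 0
}

# Run every check; paths default to the post's. Returns 1 if any check failed.
run_all_checks() {
    ok=0
    check_grub_default "${1:-/etc/default/grub}" || ok=1
    check_grub_cfg "${2:-/boot/grub/grub.cfg}" || ok=1
    check_root_only "${3:-/boot/initrd.gz}" || ok=1
    check_root_only "${4:-/root/boot.key}" || ok=1
    return $ok
}

# Self-contained demonstration on constructed sample files in a temp dir:
# a correct /etc/default/grub, a grub.cfg fragment shaped like grub-mkconfig
# output, and 0600 initrd/key stand-ins. Returns the run_all_checks status.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'GRUB_TIMEOUT=5\nGRUB_ENABLE_CRYPTODISK=y\nGRUB_CRYPTODISK_ENABLE="y"\n' > "$tmp/grub"
    printf 'insmod part_msdos\ninsmod cryptodisk\ninsmod luks\ncryptomount -u 0123456789abcdef0123456789abcdef\n' > "$tmp/grub.cfg"
    : > "$tmp/initrd.gz"; chmod 0600 "$tmp/initrd.gz"
    : > "$tmp/boot.key"; chmod 0600 "$tmp/boot.key"
    run_all_checks "$tmp/grub" "$tmp/grub.cfg" "$tmp/initrd.gz" "$tmp/boot.key"
    status=$?
    rm -rf "$tmp"
    return $status
}
```

On the installed system, run_all_checks with no arguments (as root) inspects the real files; a non-zero exit with the printed reason tells you which of the two configuration pitfalls, or which file permission, still needs attention before the first reboot.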

Materials on the topic and sources

Full disk encryption with LUKS (including /boot) - Pavel Kogan
Installing Slackware on encrypted volumes - Eric Hameleers

Source: https://habr.com/ru/post/306606/
