Questions about FDE including /boot partition with detached USB


 



Hi All,

I tried to install Ubuntu with full disk encryption, including the /boot partition, with my friend. We found some articles, merged all of them and created a guide for ourselves. Please tell us if you see a wrong step.

We are trying to figure out some steps while installing LUKS. Let us explain.

cryptsetup -c serpent-xts-plain64 --key-size 512 --hash sha512 --header secure.hdr luksFormat /dev/disk/by-id/ata-0CZ-........

And it asked me "Header file does not exist, do you want to create it?" and I replied yes.

cryptsetup --header disk.hdr luksOpen /dev/disk/by-id/ata-0CZ-........ hdcrypt0

And I created partitions.

I clicked Install Ubuntu on the Desktop and followed the steps. I selected my USB drive for the /boot partition and clicked "Install Now".

When the installation GUI finished, I selected "Continue testing" to make additional configurations.

I mounted the OS.

mount /dev/mapper/vg0-root /target/
mount /dev/sdc1 /target/boot/
mount --bind /proc /target/proc
mount --bind /sys /target/sys
mount --bind /dev /target/dev

mkdir /target/etc/initramfs-tools/conf.d/cryptheader
cp secure.hdr /target/etc/initramfs-tools/conf.d/cryptheader/


cd /etc/
nano crypttab
hdcrypt0	/dev/disk/by-id/ata-0CZ-........	none		luks,discard,header=/conf/conf.d/cryptheader/secure.hdr
Saved.

Then I edited cryptroot to allow GRUB compatibility. I found the "# disabled for now due to security reasons" line and uncommented the lines.

nano /usr/share/initramfs-tools/hooks/cryptroot
Saved.

update-initramfs -v -k all -c

umount /target/boot
umount /target/sys
umount /target/proc
umount /target/dev
umount /target
sync
reboot


When we rebooted, it asked us for the passphrase and we entered it. Then the OS launched, but we are confused. We are copying the secure.hdr file inside the system. If my disk is encrypted, how can the USB drive see this file for decrypting? And secondly, how can we create a second USB for backup?
And lastly, could you please help us to improve this guide? Because we are not really tech savvy and we need your experience and help.

Thank you in advance.
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
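
As an added example (not part of the original post and not cryptsetup's own code): a Python check for a second copy of the detached header, confirming that the copy is byte-identical to the original and that its cleartext fields match the luksFormat parameters in the post. It assumes the LUKS1 on-disk layout; the function names and the sample header are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# Start of the LUKS1 header, big-endian: magic[6], version, cipher-name[32],
# cipher-mode[32], hash-spec[32], payload-offset (sectors), key-bytes.
LUKS1_FMT = ">6sH32s32s32sII"
# Values taken from the luksFormat command in the post.
EXPECTED = {"cipher": "serpent-xts-plain64", "hash": "sha512", "key_bits": 512}


def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_header(blob):
    """Return the fields a LUKS header file stores in cleartext."""
    if blob[:6] != LUKS_MAGIC or len(blob) < 8:
        raise ValueError("not a LUKS header (bad magic)")
    version = struct.unpack(">H", blob[6:8])[0]
    if version != 1:
        return {"version": version}  # LUKS2 metadata is JSON, not parsed here
    if len(blob) < struct.calcsize(LUKS1_FMT):
        raise ValueError("truncated LUKS1 header")
    _, _, name, mode, hashspec, offset, key_bytes = struct.unpack_from(LUKS1_FMT, blob)
    return {"version": 1, "cipher": _text(name) + "-" + _text(mode),
            "hash": _text(hashspec), "payload_offset": offset,
            "key_bits": key_bytes * 8}


def verify_backup(original, backup, expect=EXPECTED):
    """List reasons a backup header copy should not be trusted (empty = OK)."""
    problems = []
    if original != backup:
        problems.append("backup differs from original")
    try:
        info = parse_header(backup)
    except ValueError as exc:
        return problems + [str(exc)]
    for key, want in expect.items():
        if info.get(key) != want:
            problems.append(f"{key}: expected {want!r}, found {info.get(key)!r}")
    return problems


def build_sample_header():
    """Constructed LUKS1 header start (no real key material), zero-padded."""
    head = struct.pack(LUKS1_FMT, LUKS_MAGIC, 1, b"serpent", b"xts-plain64", b"sha512", 0, 64)
    return head + bytes(1024 - len(head))


if __name__ == "__main__":
    sample = build_sample_header()
    print(parse_header(sample))
    print(verify_backup(sample, sample[:512]))
```

For real files, read each header with `open(path, "rb").read()` and pass the two byte strings to `verify_backup`.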


