Re: Help wanted to set up full disk encryption using GRUB

Hi,

I've done this many times, however mostly on Arch Linux. Please see: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Avoiding_having_to_enter_the_passphrase_twice

I've also done it on Debian once. About your "GRUB_ENABLE_CRYPTODISK=y": yes, you should definitely encrypt the boot-partition and then either the home/root-partition, so yes, you need GRUB to understand an encrypted boot-partition - AFAIR you need LUKS1-encryption for the boot-partition (due to a limitation in GRUB) but you can use LUKS2 for the encrypted root/home, at least that's how I remember it - don't know if things changed since last time I checked (I think LUKS2 for GRUB will be implemented in the near future if it hasn't already been)...

The basic idea is (and I quote from the link): "While GRUB asks for a passphrase to unlock the LUKS1 encrypted partition after above instructions, the partition unlock is not passed on to the initramfs. Hence, you have to enter the passphrase twice at boot: once for GRUB and once for the initramfs.

This section deals with extra configuration to let the system boot by only entering the passphrase once, in GRUB. This is accomplished by with a keyfile embedded in the initramfs."

So - the initramfs needs to be stored inside the encrypted boot-partition, so when you unlock it, you have the decrypted keyfiles, which are used to unlock/decrypt the home/root-partition (you choose if you wish to encrypt only home or the whole root-partition). Then use /etc/crypttab to make the decrypted partition available to your Linux system as it's booting up.

If not on Arch, you'll have to figure out how to embed your keyfile in the initramfs, but follow more or less the same steps - at least that's how I do it every single time, I don't know any other way to accomplish this. It took me many hours the first time, googling and testing; write down every step you do so you can redo it again.

Good luck.


Br,
Martin
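The steps Martin describes (LUKS1 for /boot so GRUB can open it, a keyfile for root that lives only inside the initramfs, a crypttab entry that uses it, and GRUB_ENABLE_CRYPTODISK=y) are sketched below as an added shell example. This is not code from the thread, the Arch wiki, or any distribution's installer; the device names, UUID and key path are placeholders, and the commands that touch real block devices are left as comments so the script can be read and its helper functions run without root. The one check a practitioner should add, which the thread only implies, is that the keyfile and the initramfs that embeds it must not be readable by anyone but root, otherwise the encrypted root is only as private as /boot's file permissions.

```bash
#!/bin/sh
# Added example (hypothetical layout): "enter the passphrase once" with GRUB + LUKS.
# Assumed devices: /dev/sda2 = /boot (LUKS1), /dev/sda3 = / (LUKS2). Adjust to taste.
set -eu

KEYFILE="${KEYFILE:-/etc/keys/root.key}"   # assumed path; lives on the encrypted root
KEYFILE_BYTES=4096

# 1) Create a random keyfile that only root can read.
make_keyfile() {
  dd if=/dev/urandom of="$1" bs="$KEYFILE_BYTES" count=1 status=none
  chmod 0400 "$1"
}

# Returns 0 if the file is readable by its owner only (mode 400 or 600), 1 otherwise.
keyfile_private() {
  mode=$(stat -c %a "$1")
  case "$mode" in
    400|600) return 0 ;;
    *)       return 1 ;;
  esac
}

# 2) Render the /etc/crypttab line: name, device by UUID, keyfile, options.
#    With a keyfile the initramfs unlocks root without prompting again.
crypttab_line() {
  # $1 = mapper name, $2 = filesystem-independent LUKS UUID, $3 = keyfile path
  printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# 3) Render the /etc/default/grub setting that lets GRUB open the LUKS1 /boot.
grub_cryptodisk_line() {
  printf 'GRUB_ENABLE_CRYPTODISK=y\n'
}

# 4) Render the Debian-style initramfs settings from the encrypted-boot page linked in
#    the thread: embed keyfiles matching the pattern, and build the initramfs with
#    umask 0077 so the embedded key is not world-readable inside /boot.
initramfs_hook_lines() {
  printf 'KEYFILE_PATTERN=%s\n' "$(dirname "$1")/*.key"   # /etc/cryptsetup-initramfs/conf-hook
  printf 'UMASK=0077\n'                                    # /etc/initramfs-tools/initramfs.conf
}

# Manual steps on the real devices (commented out; run as root on the installed system):
#   cryptsetup luksFormat --type luks1 /dev/sda2          # /boot must be LUKS1 for GRUB
#   cryptsetup luksFormat --type luks2 /dev/sda3          # root can be LUKS2
#   make_keyfile "$KEYFILE"
#   cryptsetup luksAddKey /dev/sda3 "$KEYFILE"            # second key slot: the keyfile
#   crypttab_line cryptroot "$(blkid -s UUID -o value /dev/sda3)" "$KEYFILE" >> /etc/crypttab
#   grub_cryptodisk_line >> /etc/default/grub
#   initramfs_hook_lines "$KEYFILE"                       # append to the two files named above
#   update-initramfs -u && update-grub                    # or the distribution's equivalents
#   chmod 0600 /boot/initrd.img-*                         # belt and braces: key is inside it
```

The passphrase typed at the GRUB prompt opens /boot; the initramfs stored there carries the keyfile, and the crypttab entry tells it to use that keyfile for root, so no second prompt appears. Because the secret is now a file, the two permission checks (keyfile_private on the key, and UMASK=0077 plus a 0600 initramfs) are what keep this from weakening the encryption.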

On Wed, Jan 13, 2021 at 10:43 PM Didier Spaier <didier@xxxxxxxx> wrote:
Hi,

I maintain the Slint distribution (Slackware derivative, internationalized and
accessible to the blind).

Our installer uses GRUB as boot manager and boot loader in both Legacy and
EFI modes.

To help beginners I have added the 'auto' mode to the Slint installer which, in
case of a drive dedicated to Slint, sets up a very simple layout of the GPT:
_A Bios Boot partition for booting GRUB in legacy mode
_An EFI system partition
_A root (/) partition
_Optionally an additional partition (mount point suggested: /data)
_No swap partition: the installer sets up a swap file and a swap space
in zram.

I would like the 'auto' script to offer an option for encrypting the whole
drive if dedicated to Slint, using LUKS without relying on LVM, to keep the
drive's layout as simple as possible so it is easily understood by a 74-year-old
grandfather. I do belong to this category :-)

I assume that I will have to set GRUB_ENABLE_CRYPTODISK in /etc/default/grub.

I would like the user to type the passphrase only once. We always use an
initrd, built after having installed the kernel at installation time and
rebuilt at each kernel upgrade, so I can modify its setup as need be.

I have tried to find on the Internet examples of settings matching this
specification but didn't find one on the Wiki or on the Arch wiki, only
these:
https://unixsheikh.com/tutorials/real-full-disk-encryption-using-grub-on-void-linux-for-bios.html
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
Although they do not exactly match my specifications and/or use tools I
don't ship, if I have to I will take one of them as a basis.

However I'd be glad for help on how to provide this "type the passphrase only
once, don't modify the drive's layout and don't use LVM" feature, be it just by
answering this message or by giving me pointers to relevant documents.

Thanks in advance
Didier Spaier, Paris, France

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt