Re: Using dm-crypt: whole disk encryption


 



On 22/03/2021 at 17:43, Johnny Dahlberg wrote:
> On Sun, 21 Mar 2021 at 17:20, ken <gebser@xxxxxxxxxxxx> wrote:
>
>> A new laptop is on the way and I'm considering using dm-crypt to
>> secure the whole SSD. I have some basic questions though.
>>
>> Is it possible to encrypt the entire drive, including all the system
>> files?
>
> Yes, you can do this extremely easily in distributions that support it.
> What does "it" mean? Well, simply: Placing the kernel and bootloader on an EFI /boot/efi partition and using that as a bootstrap to decrypt the main partition. And auto-updating it every time the main system kernel is updated. I highly recommend my favorite Linux distro, which handles all of that automatically and asks if you want Full Disk Encryption during install: https://pop.system76.com/

Well, Slint can do that as well in 'Auto' mode, with a simpler layout:
1. A BiosBoot partition # For GRUB to boot in Legacy mode
2. An ESP # Contains only the EFI OS loader
3. A partition for /, encrypted
4. Optionally an additional partition, encrypted

No LVM. The LUKS passphrase is asked by GRUB before displaying its menu;
GRUB then loads the kernel and the initrd, which includes a LUKS key used
to unlock /, also stored in /etc/keys.
Another LUKS key stored in /etc/keys then allows unlocking /data.

When the kernel is updated, the key used to unlock / is copied into the
new initrd.

As an aside, instead of a swap partition a small swap file is set up,
as well as a swap space in zram with a higher priority.

Out of curiosity I installed pop-os in a Qemu VM. I think it would be
fair to mention on the website that it's based on Ubuntu. I don't
like GNOME, but that's just a personal taste ;)

Slint's website: https://slint.fr
Main server: http://slackware.uk/slint/x86_64/slint-14.2.1/

Best regards,
Didier
_______________________________________________
dm-crypt mailing list -- dm-crypt@xxxxxxxx
To unsubscribe send an email to dm-crypt-leave@xxxxxxxx
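
Added example, not part of the message above and not Slint's own tooling: since the layout described keeps LUKS keys in /etc/keys and embeds one in the initrd, this sketch audits those files for group/other permission bits. The initrd path and the function names are assumptions; only /etc/keys comes from the message.

```shell
#!/bin/sh
# Added example (not Slint's tooling). The key directory and initrd paths are
# supplied by the caller; /etc/keys is the directory named in the message,
# the initrd location is an assumption that depends on the installation.
# Usage: audit_luks_keys /etc/keys /path/to/initrd

# Succeeds (status 0) when group or others hold any permission bit on FILE.
is_exposed() {
    # "ls -ld" prints a mode string such as "-rw-------";
    # characters 5-10 are the group and other permission bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" != "------" ]
}

# audit_luks_keys KEYDIR [INITRD...]
# Prints "EXPOSED <path>" for every key file or initrd that non-root users
# could access, and "MISSING <path>" for arguments that do not exist.
audit_luks_keys() {
    keydir=$1
    shift
    if [ ! -d "$keydir" ]; then
        echo "MISSING $keydir"
    else
        # Every regular file below the key directory is treated as a key.
        find "$keydir" -type f | while IFS= read -r path; do
            if is_exposed "$path"; then
                echo "EXPOSED $path"
            fi
        done
    fi
    # An initrd that embeds a key is as sensitive as the key file itself.
    for initrd in "$@"; do
        if [ ! -f "$initrd" ]; then
            echo "MISSING $initrd"
        elif is_exposed "$initrd"; then
            echo "EXPOSED $initrd"
        fi
    done
    return 0
}
```

An empty result means every checked file is accessible to its owner only; file ownership is not checked here.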



