Re: Using dm-crypt: whole disk encryption

On March 22, 2021 4:43:59 PM UTC, Johnny Dahlberg <svartchimpans@xxxxxxxxx> wrote:


On Sun, 21 Mar 2021 at 17:20, ken <gebser@xxxxxxxxxxxx> wrote:
A new laptop is on the way and I'm considering using dm-crypt to secure the whole SSD. I have some basic questions though.

Is it possible to encrypt the entire drive, including all the system files?
_______________________________________________
dm-crypt mailing list -- dm-crypt@xxxxxxxx
To unsubscribe send an email to dm-crypt-leave@xxxxxxxx

Yes, you can do this extremely easily in distributions that support it.
What does "it" mean? Well, simply: Placing the kernel and bootloader on an EFI /boot/efi partition and using that as a bootstrap to decrypt the main partition. And auto-updating it every time the main system kernel is updated.
I highly recommend my favorite Linux distro, which handles all of that automatically and asks if you want Full Disk Encryption during install: https://pop.system76.com/

However, it only asks you if you want disk encryption if you do a full "clean install: wipe the disk and auto-partition" setup.

Perhaps that's enough for you? In that case, just go ahead and install it and you're done! Very quick and easy.

You can also MANUALLY set up smaller/custom partitions though (such as if you don't want to use an entire disk for this distro). I'll guide you through all of the steps:

- Be sure that you download Pop!_OS 20.10 ISO v12 or later. The revision is trailing the filename, such as "pop-os_20.10_amd64_nvidia_12.iso" meaning the 12th ISO. This is necessary because v12 (or later) enhanced the installer to support custom encrypted partitions. Furthermore, I recommend getting the NVIDIA iso if you have (or will ever have) an NVIDIA GPU in your system, because that ISO makes it seamless to connect NVIDIA GPUs.

- Ensure that your partitioning table is GPT (not MBR). And that your computer is booting with UEFI. This gives you a modern EFI bootloader. Otherwise you end up in hellish and brittle legacy grub land where you definitely don't wanna be.

- Use GParted on the live boot ISO to create 3 partitions: 512 MiB fat32, 4096 MiB fat32, and the remainder as "filesystem: unformatted" (it's a choice in the GParted dropdown).

- Open a Terminal in the live boot ISO and type all of these commands (adjust the nvme0n1p3 to whatever your own partition is named):
# Get device name for the "unformatted" partition, in my case /dev/nvme0n1p3:  
fdisk -l

# Ensure that the encrypted payload is aligned to a 1 MiB (2048 * 512 byte sectors) boundary:
cryptsetup --key-size 256 --type luks2 --sector-size 4096 --align-payload 2048 luksFormat /dev/nvme0n1p3

# Open the LUKS volume and permanently mark it as "allow discards (TRIM)" so that it always opens like that by default, for SSD health purposes:
cryptsetup --allow-discards --persistent open /dev/nvme0n1p3 cryptdata

# Create the LVM volume metadata and enforce "start of payload" alignment at the nearest 1 MiB boundary after the metadata (by default this means the payload starts at 1 MiB):
pvcreate -ffy --metadatatype lvm2 --dataalignment 1m --dataalignmentoffset 0 /dev/mapper/cryptdata

# Create the LVM volume group and force it to divide the volume into aligned 4 MiB chunks (this is the default, but enforcing it just to be sure):
vgcreate -ffy --physicalextentsize 4m data /dev/mapper/cryptdata

# Create a LVM logical volume using all of the space:
lvcreate -y --name root --extents 100%FREE data

# Format as ext4 with 4096 byte (4 KiB) block size:
mkfs.ext4 -F -b 4096 /dev/mapper/data-root

# Close the devices.
vgchange --activate n data
cryptsetup close cryptdata

- Now close the Terminal and go back to the Pop!_OS installer window, and proceed until it lets you pick "Custom Install". Pick that option. (Do not click the "Unlock partition" banner at the top of the window.)

- You will be brought to an overview of your partitions. Click the small 512 MiB fat32 and say "Use as: /boot/efi". Click the 4096 MiB fat32 and say "Use as: Custom. Custom path: /recovery". And lastly, click on the large partition and it will ask you about your password, so type your password to unlock it. Then click the large ext4 partition that appears and choose "Use as: Root (/)".

- Now just proceed with the installation and it will automatically set up an encrypted full-disk bootloader with your custom partitions.


Take care and have fun!

-- Johny 
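
As an added example (not from the thread), the following Python reads `cryptsetup luksDump` output for the device formatted above and checks that the header actually has the properties the commands aim for: LUKS2, a 1 MiB aligned payload, 4 KiB sectors and the persisted allow-discards flag, plus the effective AES strength, since XTS splits the key and `--key-size 256` therefore yields AES-128 rather than the AES-256 of the default 512-bit XTS key. The dump below is constructed, not captured from a real system.

```python
import re

MIB = 1 << 20  # the 1 MiB payload boundary the luksFormat command above targets

# Constructed sample of `cryptsetup luksDump` output for a device formatted
# with the commands in the post (trimmed to the fields checked; not captured).
SAMPLE_DUMP = """\
LUKS header information
Version:        2
Flags:          allow-discards

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64
        sector: 4096 [bytes]

Keyslots:
  0: luks2
        Cipher key: 256 bits
"""


def parse_luks_dump(text):
    """Extract the header fields the checks below need from luksDump output."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text, re.MULTILINE)
        return cast(m.group(1).strip()) if m else None
    flags = grab(r"^Flags:\s*(.*)$") or ""
    return {
        "version": grab(r"^Version:\s*(\d+)", int),
        "flags": set() if flags.startswith("(") else set(flags.split()),  # "(no flags)"
        "offset": grab(r"^\s*offset:\s*(\d+)\s*\[bytes\]", int),
        "sector": grab(r"^\s*sector:\s*(\d+)\s*\[bytes\]", int),
        "cipher": grab(r"^\s*cipher:\s*(\S+)"),  # lowercase: the data-segment line
        "key_bits": grab(r"^\s*Cipher key:\s*(\d+) bits", int),
    }


def check_layout(info):
    """Return (check, ok, detail) triples; XTS halves the key, so 256 bits is AES-128."""
    aes_bits = info["key_bits"] // 2 if info["cipher"].startswith("aes-xts") else info["key_bits"]
    return [
        ("LUKS2 header", info["version"] == 2, f"version {info['version']}"),
        ("1 MiB payload alignment", info["offset"] % MIB == 0, f"offset {info['offset']} bytes"),
        ("4 KiB encryption sectors", info["sector"] == 4096, f"sector {info['sector']} bytes"),
        # TRIM pass-through persisted as the post does; it exposes which blocks are unused
        # through the encryption layer, the documented trade-off for SSD wear levelling.
        ("discards persisted", "allow-discards" in info["flags"], " ".join(sorted(info["flags"])) or "no flags"),
        ("AES-256 strength", aes_bits >= 256, f"{info['cipher']} with {info['key_bits']}-bit key = AES-{aes_bits}"),
    ]
```

Pipe real output from `cryptsetup luksDump /dev/nvme0n1p3` into `check_layout(parse_luks_dump(...))` to get the same report for your own device.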

Much thanks to everyone who replied. Your answers were much better than my question. From those answers it's abundantly apparent that I need to study a bit more on a few issues, like the boot processes and other things before I'll be able to make intelligent decisions. I used to understand the boot process fairly well, but that was before quite a bit was changed.

Also, I can't reply to e-mails the way I'm accustomed to and the way I'd like to because I don't have an actual Linux system for that, rather I'm forced to make do with a phone for the time being. Not optimal at all.

Thanks again for all the great replies.
