<!DOCTYPE html>
<html>
<head>
<title>True Full Disk Encryption On Linux</title>
<link rel="stylesheet" href="../style.css">
<link rel="shortcut icon" type="image/jpg" href="https://ayham.xyz/pix/pfp.ico"/>
<meta name="viewport" content="width=device-width, initial-scale=1">
<script type="text/javascript" src="js/partials.js" async></script>
<link rel="preload" href="font.woff" as="font" type="font/woff" crossorigin="anonymous">
</head>
<body>
<center>
<h1 style=font-size:xxx-large>True Full Disk Encryption On Linux</h1>
</center>
<div id=partial_header></div>
<main>
<p>My friends laugh at me when they are told that I have to type in 4 passwords
of ~18 characters each to log in to my computer. I laugh back at them,
wishing them enjoyment with ads in the start menu.</p>

<p>In this article, we will discuss <em>true</em> full disk encryption: everything,
including the kernel, is encrypted using LUKS. I personally found it difficult
to find good documentation detailing how to set up disk encryption.
Hopefully this guide will help someone out there.</p>

<h1>Introduction</h1>

<p>We will be installing <a href="https://artixlinux.org/">Artix Linux</a>, because this is
what I use and recommend (not for everyone). This tutorial should work with
any distro that lets you choose where to install the system. In the end we
will have a bootable UEFI system where the user is prompted for a password to
unlock the <code>/boot/</code> partition, then for another to unlock the main partition.
The reason for this separation is that GRUB, at least in my testing
(2021-08), does not officially (as far as I could tell) support LUKS2, so
<code>/boot</code> has to use LUKS1.</p>

<pre><code>$ lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda              8:0    0 931.5G  0 disk
├─sda1           8:1    0   512M  0 part
├─sda2           8:2    0     2G  0 part
└─sda3           8:3    0   929G  0 part
  └─hdd        254:0    0   929G  0 crypt
    ├─vol-root 254:1    0   150G  0 lvm   /
    ├─vol-home 254:2    0   300G  0 lvm   /home
    ├─vol-data 254:3    0   421G  0 lvm   /data
    └─vol-swap 254:4    0     8G  0 lvm   [SWAP]
</code></pre>

<p>This is the final layout: LVM on top of LUKS2 for the main partition (<code>/dev/sda3</code>),
LUKS1 for the boot partition (<code>/dev/sda2</code>), and the EFI system partition on <code>/dev/sda1</code>.</p>

<p>I am not responsible for any loss of data that occurs because you irresponsibly
ran any command.</p>

<p>Flash the ISO onto a USB drive, turn off your device, plug the USB drive in, boot
from it, and follow this guide from another device.</p>

<h1>Partitioning the Disk</h1>

<p>Following this section will irreversibly erase your whole disk. First,
identify the disk name: run <code>lsblk</code> and find your disk by its known
size. From here on I use <code>/dev/sda</code> as the installation disk.
Using your <a href="https://wiki.archlinux.org/title/Partitioning#Tools">favourite disk editing tools</a>,
do the following:</p>

<ul>
<li>Label the disk as GPT</li>
<li>Create a 512MB partition tagged as EFI System and format it FAT32 (<code>/dev/sda1</code>)</li>
<li>Create the 2GB boot partition. We will format it later on (<code>/dev/sda2</code>)</li>
<li>Create the main partition with the remaining space, leaving some at the
end. We will format it later on (<code>/dev/sda3</code>)</li>
</ul>

<p>Create the LUKS containers: LUKS1 for the boot partition (the only format GRUB
could unlock in my testing), LUKS2 for the main partition. Each command asks for
a passphrase:</p>

<pre><code>$ cryptsetup luksFormat --type luks1 /dev/sda2   # boot, unlocked by GRUB
$ cryptsetup luksFormat --type luks2 /dev/sda3   # main, unlocked by the initramfs
</code></pre>

<p>Format the boot partition:</p>

<pre><code>$ cryptsetup open /dev/sda2 boot-crypt
$ mkfs.ext4 /dev/mapper/boot-crypt
</code></pre>

<p>Format the main partition as LVM on top of LUKS:</p>

<pre><code>$ cryptsetup open /dev/sda3 hdd   # the mapper name "hdd" is reused in the GRUB config later
$ pvcreate /dev/mapper/hdd
$ vgcreate vol /dev/mapper/hdd
$ lvcreate -L[your / size] -n root vol
$ lvcreate -L[your /home size] -n home vol
$ lvcreate -L[your /data size] -n data vol
$ # a swap volume (vol-swap in the lsblk output above) is created the same way if you want one
$ mkfs.ext4 /dev/vol/root
$ mkfs.ext4 /dev/vol/home
$ mkfs.ext4 /dev/vol/data
</code></pre>

<p>Your disk should be ready for installation!</p>

<h1>Artix Installation</h1>

<p>This section won’t hold your hand through installing a full Artix system. I will just
go over configuring the disk. <code>mount</code> your horses and go <code>chroot</code>ing!</p>

<pre><code>$ mount /dev/vol/root /mnt/
$ mkdir -p /mnt/home/
$ mount /dev/vol/home /mnt/home/
$ mkdir -p /mnt/boot/
$ mount /dev/mapper/boot-crypt /mnt/boot/   # mount the encrypted /boot first ...
$ mkdir -p /mnt/boot/efi
$ mount /dev/sda1 /mnt/boot/efi             # ... then the EFI partition inside it
$ mkdir -p /mnt/data
$ mount /dev/vol/data /mnt/data
$ lsblk # check if everything is fine
$ # After bootstrapping Artix Linux into /mnt, don't forget to configure fstab!
$ artix-chroot /mnt/
$ # Continue installing the system, skipping GRUB for the next section
</code></pre>

<h2>GRUB Bootloader Installation &amp; Configuration</h2>

<p>This section assumes that you are already <code>chroot</code>ed. Install <code>GRUB</code>:</p>

<pre><code>$ pacman -S grub efibootmgr
</code></pre>

<p>Set up <code>GRUB</code> &amp; <code>mkinitcpio</code> for encryption:</p>

<pre><code>$ vi /etc/default/grub
# Change the following. The UUID is that of /dev/sda3 (see blkid); "hdd" is the
# mapper name the encrypt hook opens it as, matching the cryptsetup open above
GRUB_CMDLINE_LINUX="... cryptdevice=UUID=[YOUR LUKS PARTITION UUID]:hdd"
GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"
GRUB_ENABLE_CRYPTODISK=y   # lets GRUB unlock the LUKS1 /boot
$ grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub
</code></pre>

<pre><code>$ vi /etc/mkinitcpio.conf
# Change the following. encrypt must come before lvm2: the LUKS container has to
# be open before LVM can activate the "vol" group (keep keyboard before encrypt too)
HOOKS=(... block encrypt lvm2 filesystems ...)
</code></pre>

<p>Finally, configure <code>GRUB</code>:</p>

<pre><code>$ grub-mkconfig -o /boot/grub/grub.cfg
</code></pre>

<p>Make sure you regenerate the initramfs with <code>mkinitcpio</code>. Updating the kernel
through pacman does this automatically; otherwise run:</p>

<pre><code>$ mkinitcpio -P
</code></pre>

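<p>As an added check (example code, not from the article), the script below validates the two things this setup depends on: the LUKS1/LUKS2 split between the boot and main containers from the partitioning section, and the GRUB and mkinitcpio settings above. The luksDump text and config files it reads are constructed stand-ins; the mapper name <code>hdd</code> and the paths are the article's.</p>

```shell
#!/bin/sh
# Added example, not from the original article: sanity checks for the setup this
# guide ends with. The "hdd" mapper name, paths and the LUKS1/LUKS2 split are the
# guide's; the luksDump text and config files below are constructed stand-ins.

# Print the header version (1 or 2) from `cryptsetup luksDump` output passed as $1.
luks_version() {
    printf '%s\n' "$1" | sed -n 's/^Version:[[:space:]]*\([0-9]\).*/\1/p' | head -n 1
}

# $1: path to /etc/default/grub. GRUB can only unlock /boot with
# GRUB_ENABLE_CRYPTODISK=y, needs lvm preloaded, and the encrypt hook needs
# cryptdevice=UUID=<uuid>:<mapper>, i.e. a mapper name after the colon.
check_grub_defaults() {
    grep -Eq '^GRUB_ENABLE_CRYPTODISK=y' "$1" || return 1
    grep -Eq '^GRUB_PRELOAD_MODULES="([^"]* )?lvm( [^"]*)?"' "$1" || return 1
    grep -Eq '^GRUB_CMDLINE_LINUX=".*cryptdevice=UUID=[0-9a-fA-F-]+:[A-Za-z0-9_-]+' "$1"
}

# $1: path to /etc/mkinitcpio.conf. The container must be open before LVM can
# find the volume group, so the hooks must appear as block < encrypt < lvm2.
check_hooks_order() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))$/\1/p' "$1")
    b=0; e=0; l=0; i=0
    for h in $hooks; do
        i=$((i + 1))
        case "$h" in block) b=$i ;; encrypt) e=$i ;; lvm2) l=$i ;; esac
    done
    [ "$b" -gt 0 ] && [ "$e" -gt "$b" ] && [ "$l" -gt "$e" ]
}
# Constructed sample inputs (real ones come from luksDump and the two files).
DUMP_BOOT='LUKS header information for /dev/sda2

Version:        1'
DUMP_MAIN='LUKS header information
Version:        2'
GRUB_OK=$(mktemp); MKINIT_BAD=$(mktemp)
cat > "$GRUB_OK" <<'EOF'
GRUB_CMDLINE_LINUX="cryptdevice=UUID=0f1e2d3c-0000-1111-2222-333344445555:hdd"
GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"
GRUB_ENABLE_CRYPTODISK=y
EOF
printf 'HOOKS=(base udev autodetect modconf block lvm2 encrypt filesystems)\n' > "$MKINIT_BAD"

[ "$(luks_version "$DUMP_BOOT")" = 1 ] && echo "boot container is LUKS1"
[ "$(luks_version "$DUMP_MAIN")" = 2 ] && echo "main container is LUKS2"
check_grub_defaults "$GRUB_OK" && echo "/etc/default/grub looks right"
check_hooks_order "$MKINIT_BAD" || echo "mkinitcpio: lvm2 runs before encrypt, reorder HOOKS"
rm -f "$GRUB_OK" "$MKINIT_BAD"
```

Run it inside the chroot with the real files and <code>cryptsetup luksDump /dev/sda2</code> / <code>/dev/sda3</code> output substituted for the constructed strings.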
<p>Congrats, you should have a <em>true</em> full disk encryption system!</p>

<h1>Conclusion</h1>

<p>Full disk encryption should not be hard to set up; try it out in a VM before
converting all of your machines!</p>

</main>
<div align=center id=partial_footer></div>
</body>
</html>