ayham
/
tilde
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
tilde/blog/true-full-disk-encryption.html

175 lines
6.2 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<head>
<title>True Full Disk Encryption On Linux</title>
<link rel="stylesheet" href="../style.css">
<link rel="shortcut icon" type="image/jpg"
href="https://ayham.xyz/pix/pfp.ico"/>
<meta name="viewport" content="width=device-width, initial-scale=1">
<script type="text/javascript" src="js/partials.js" async></script>
<link rel="preload" href="font.woff" as="font" type="font/woff" crossorigin="anonymous">
</head>
<body>
<center>
<h1 style=font-size:xxx-large>True Full Disk Encryption On Linux</h1>
</center>
<div id=partial_header></div>
<main>
<p>My friends laugh at me when they are told that I have to put in 4 passwords
with ~18 characters each to login into my computer. I laugh back at them,
wishing them enjoyment with Ads in the start-menu.</p>
<p>In this article, we will discuss <em>true</em> full disk encryption. Everything,
including having the kernel encrypted using LUKS. I personally found difficulty
in finding good documentation detailing how to set-up disk encryption.
Hopefully this guide would help someone out there.</p>
<h1>Introduction</h1>
<p>We will be installing <a href="https://artixlinux.org/">Artix Linux</a>, because this is
what I use and recommend (not for everyone). This tutorial should work using
any distro that allows you to select where to install the system. In the end we
would have a bootable UEFI system where the user is prompted for a password to
unlock the <code>/boot/</code> partition, then another prompt for the main partition.
The reason for this seperation is that GRUB, at least with my testing
(2021-08), does not officially (?) support LUKS2 formatting.</p>
<pre><code>$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 931.5G 0 disk
├─sda1 8:1 0 512M 0 part
├─sda2 8:2 0 2G 0 part
└─sda3 8:3 0 929G 0 part
└─hdd 254:0 0 929G 0 crypt
├─vol-root 254:1 0 150G 0 lvm /
├─vol-home 254:2 0 300G 0 lvm /home
├─vol-data 254:3 0 421G 0 lvm /data
├─vol-swap 254:4 0 8G 0 lvm [SWAP]
</code></pre>
<p>This would be the final result. LVM over LUKS2 for the main (<code>/dev/sda3</code>)
partition, LUKS1 for <code>/dev/sda2</code>, and the UEFI disk on <code>/dev/sda1</code>.</p>
<p>I am not responsible for any loss of data that occurs because you irresponsibly
ran any command.</p>
<p>Flash your ISO into your USB, turn off your device, plug the USB in, boot into
the USB, and follow this guide from another device.</p>
<h1>Partitioning the Disk</h1>
<p>Following this would irreversibly erase your whole disk. First, start by
identifying the disk name. Run <code>lsblk</code>, find your disk name by its known
space. I from hereafter use <code>/dev/sda</code> as the installation hard-disk.
Using your <a href="https://wiki.archlinux.org/title/Partitioning#Tools">favourite disk editing tools</a>,
do the following tasks:</p>
<ul>
<li>Label disk as GPT</li>
<li>Create a 512MB, EFI tagged. FAT32 formatted. (<code>/dev/sda1</code>)</li>
<li>Create the boot disk with 2GB. We will format it later on. (<code>/dev/sda2</code>)</li>
<li>Create the main disk with as much space that is available, leave some at the
end. We will format it later on. (<code>/dev/sda3</code>)</li>
</ul>
<p>Set up the boot disk, then the main disk:</p>
<pre><code>$ cryptsetup luksFormat --type luks1 /dev/sda2
$ cryptsetup luksFormat --type luks2 /dev/sda3
</code></pre>
<p>Format the boot disk:</p>
<pre><code>$ cryptsetup open /dev/sda2 boot-crypt
$ mkfs.ext4 /dev/mapper/boot-crypt
</code></pre>
<p>Format the main disk as LVM:</p>
<pre><code>$ cryptsetup open /dev/sda3 hdd
$ pvcreate /dev/mapper/hdd
$ vgcreate vol /dev/mapper/hdd
$ lvcreate -L[your / size] -n root vol
$ lvcreate -L[your /home size] -n home vol
$ lvcreate -L[your /data size] -n data vol
$ mkfs.ext4 /dev/vol/root
$ mkfs.ext4 /dev/vol/home
$ mkfs.ext4 /dev/vol/data
</code></pre>
<p>Your disk should be ready for installation!</p>
<h1>Artix Installation</h1>
<p>This section won&rsquo;t hold your hand installing a full Artix system. I will just
go over configuring the disk. <code>mount</code> your horses and go <code>chroot</code>ing!</p>
<pre><code>$ mount /dev/vol/root /mnt/
$ mkdir -p /mnt/home/
$ mount /dev/vol/home /mnt/home/
$ mkdir -p /mnt/boot/EFI
$ mount /dev/sda1 /mnt/boot/EFI
$ mount /dev/mapper/boot-crypt /mnt/boot/
$ mkdir -p /mnt/data
$ mount /dev/vol/data /mnt/data
$ lsblk # check if everything is fine
$ # After bootstrapping Artix Linux into /mnt, don't forget to configure fstab!
$ artix-chroot /mnt/
$ # Continue installing the system, skipping GRUB for the next section
</code></pre>
<h2>GRUB Bootloader Installation &amp; Configuration</h2>
<p>This section assumes that you are already <code>chroot</code>ed. Install <code>GRUB</code>:</p>
<pre><code>$ pacman -S grub efibootmgr
</code></pre>
<p>Set-up <code>GRUB</code> &amp; <code>mkinitcpio</code> for encryption:</p>
<pre><code>$ vi /etc/default/grub
# Change the following:
GRUB_CMDLINE_LINUX="... cryptdevice=UUID=[YOUR LUKS PARTITION UUID]"
GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"
GRUB_ENABLE_CRYPTODISK=y
$ grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub
</code></pre>
<pre><code>$ vi /etc/mkinitcpio.conf
# Change the following:
HOOKS=(.. lvm2 encrypt)
</code></pre>
<p>Finally, configure <code>GRUB</code>:</p>
<pre><code>$ grub-mkconfig -o /boot/grub/grub.cfg
</code></pre>
<p>Make sure you run <code>mkinitcpio</code>, do so by updating your kernel pacman will
update your initcpio automatically, or run this:</p>
<pre><code>$ mkinitcpio -P
</code></pre>
<p>Congratz, you should have a <em>true</em> full disk encryption system!</p>
<h1>Conclusion</h1>
<p>Full disk encryption should not be hard to setup, try it out in a VM before
converting all of your machines!</p>
<center>
Unique Users:
<a href="https://www.digits.net" target="_blank" rel="noopener">
<img src="https://counter.digits.net/?counter={a6716c2f-04eb-a304-452c-7a2b69889a6f}&template=simple"
alt="Hit Counter by Digits" border="0" />
</a>
</center>
</main>
<div align=center id=partial_footer></div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink