From: Didier Spaier <didier@slint.fr>
To: dm-crypt@saout.de
Subject: [dm-crypt] Re: Using dm-crypt: whole disk encryption
Date: Tue, 23 Mar 2021 00:50:04 +0100
Message-ID: <09a3e2ea-e1f6-3313-ae93-af89c489fafc@slint.fr>
In-Reply-To: <CA+3G=9iX7HgO2Q09As7exwmfGpdddzj_aN5y5hJ0f30ja-SQkQ@mail.gmail.com>

On 22/03/2021 at 17:43, Johnny Dahlberg wrote:
> On Sun, 21 Mar 2021 at 17:20, ken <gebser@mousecar.com> wrote:
> 
>     A new laptop is on the way and I'm considering using dm-crypt to
>     secure the whole SSD. I have some basic questions though.
> 
>     Is it possible to encrypt the entire Drive, including all the system
>     files?

> Yes, you can do this extremely easily in distributions that support it.
> What does "it" mean? Well, simply: Placing the kernel and bootloader on 
> an EFI /boot/efi partition and using that as a bootstrap to decrypt the 
> main partition. And auto-updating it every time the main system kernel 
> is updated.
> I highly recommend my favorite Linux distro, which handles all of that 
> automatically and asks if you want Full Disk Encryption during install: 
> https://pop.system76.com/

Well, Slint can do that as well in 'Auto' mode, with a simpler layout:
1. A BiosBoot partition # For GRUB to boot in Legacy mode
2. An ESP # Contains only the EFI OS loader
3. A partition for /, encrypted
4. Optionally an additional partition, encrypted

No LVM. The LUKS passphrase is asked by GRUB before displaying its menu;
it then loads the kernel and the initrd, which includes a LUKS key used to
unlock /, also stored in /etc/keys.
Another LUKS key stored in /etc/keys then allows unlocking /data.

When the kernel is updated, the key used to unlock / is copied into the
new initrd.

As an aside, instead of a swap partition a small swap file is set up,
as well as a swap space in zram with a higher priority.

Out of curiosity I installed pop-os in a Qemu VM. I think it would be
fair to mention on the website that it's based on Ubuntu. I don't
like GNOME, but that's just a personal taste ;)

Slint's website: https://slint.fr
Main server: http://slackware.uk/slint/x86_64/slint-14.2.1/

Best regards,
Didier
_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de
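
Added example, not part of the original message or of Slint's own tooling: in the layout described above, the initrd carries a copy of the LUKS key kept in /etc/keys, so both should be readable by root only once the system is unlocked. The script below lists anything under the given paths that group or other can access; it assumes GNU find, and the initrd path shown in the comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original message): permission audit for LUKS
# keyfiles and for initrd images that embed a copy of one.
# Assumes GNU find (-perm /MODE and -printf).

# Print "<octal mode> <path>" for every file or directory under the given
# paths that grants any permission bit to group or other.
exposed_secrets() {
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "missing $p"
            continue
        fi
        find "$p" \( -type f -o -type d \) -perm /077 -printf '%m %p\n'
    done
}

# Return 0 when nothing is exposed; otherwise print the findings and return 1.
audit_luks_secrets() {
    findings=$(exposed_secrets "$@")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: pass the key directory and the initrd image as arguments,
# e.g.  sh audit.sh /etc/keys /path/to/initrd   (initrd path is a placeholder).
if [ "$#" -gt 0 ]; then
    audit_luks_secrets "$@"
fi
```

Re-running the check after each kernel update covers the newly generated initrd, which receives a fresh copy of the key.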
