From: ken <gebser@mousecar.com>
To: Johnny Dahlberg <svartchimpans@gmail.com>
Cc: dm-crypt maillist <dm-crypt@saout.de>
Subject: [dm-crypt] Re: Using dm-crypt: whole disk encryption
Date: Wed, 24 Mar 2021 21:14:11 +0000	[thread overview]
Message-ID: <3032EE0A-E661-442A-B1C7-EE3848658B3D@mousecar.com> (raw)
In-Reply-To: <CA+3G=9iX7HgO2Q09As7exwmfGpdddzj_aN5y5hJ0f30ja-SQkQ@mail.gmail.com>


On March 22, 2021 4:43:59 PM UTC, Johnny Dahlberg <svartchimpans@gmail.com> wrote:
>On Sun, 21 Mar 2021 at 17:20, ken <gebser@mousecar.com> wrote:
>
>> A new laptop is on the way and I'm considering using dm-crypt to secure
>> the whole SSD. I have some basic questions though.
>>
>> Is it possible to encrypt the entire drive, including all the system
>> files?
>
>Yes, you can do this extremely easily in distributions that support it.
>What does "it" mean? Well, simply: placing the kernel and bootloader on an
>EFI /boot/efi partition and using that as a bootstrap to decrypt the main
>partition, and auto-updating it every time the main system kernel is
>updated. I highly recommend my favorite Linux distro, which handles all of
>that automatically and asks if you want Full Disk Encryption during
>install: https://pop.system76.com/
>
>However, it only asks you if you want disk encryption if you do a full
>"clean install: wipe the disk and auto-partition" setup.
>
>Perhaps that's enough for you? In that case, just go ahead and install it
>and you're done! Very quick and easy.
>
>You can also MANUALLY set up smaller/custom partitions though (such as if
>you don't want to use an entire disk for this distro). I'll guide you
>through all of the steps:
>
>- Be sure that you download Pop!_OS 20.10 ISO v12 or later. The revision
>is trailing the filename, such as "pop-os_20.10_amd64_nvidia_12.iso",
>meaning the 12th ISO. This is necessary because v12 (or later) enhanced
>the installer to support custom encrypted partitions. Furthermore, I
>recommend getting the NVIDIA ISO if you have (or will ever have) an NVIDIA
>GPU in your system, because that ISO makes it seamless to connect NVIDIA
>GPUs.
>
>- Ensure that your partitioning table is GPT (not MBR), and that your
>computer is booting with UEFI. This gives you a modern EFI bootloader.
>Otherwise you end up in hellish and brittle legacy grub land where you
>definitely don't wanna be.
>
>- Use GParted on the live boot ISO to create 3 partitions: 512 MiB fat32,
>4096 MiB fat32, and the remainder as "filesystem: unformatted" (it's a
>choice in the GParted dropdown).
>
>- Open a Terminal in the live boot ISO and type all of these commands
>(adjust the nvme0n1p3 to whatever your own partition is named):
>
># Get device name for the "unformatted" partition, in my case /dev/nvme0n1p3:
>fdisk -l
>
># Ensure that the encrypted payload is aligned to a 1 MiB (2048 * 512 byte
># sectors) boundary:
>cryptsetup --key-size 256 --type luks2 --sector-size 4096 --align-payload 2048 luksFormat /dev/nvme0n1p3
>
># Open the LUKS volume and permanently mark it as "allow discards" (TRIM) so
># that it always opens like that by default, for SSD health purposes:
>cryptsetup --allow-discards --persistent open /dev/nvme0n1p3 cryptdata
>
># Create the LVM volume metadata and enforce "start of payload" alignment
># at the nearest 1 MiB boundary after the metadata (by default this means
># the payload starts at 1 MiB):
>pvcreate -ffy --metadatatype lvm2 --dataalignment 1m --dataalignmentoffset 0 /dev/mapper/cryptdata
>
># Create the LVM volume group and force it to divide the volume into
># aligned 4 MiB chunks (this is the default, but enforcing it just to be
># sure):
>vgcreate -ffy --physicalextentsize 4m data /dev/mapper/cryptdata
>
># Create a LVM logical volume using all of the space:
>lvcreate -y --name root --extents 100%FREE data
>
># Format as ext4 with 4096 byte (4 KiB) block size:
>mkfs.ext4 -F -b 4096 /dev/mapper/data-root
>
># Close the devices.
>vgchange --activate n data
>cryptsetup close cryptdata
>
>- Now close the Terminal and go back to the Pop!_OS installer window, and
>proceed until it lets you pick "Custom Install". Pick that option. (Do not
>click the "Unlock partition" banner at the top of the window.)
>
>- You will be brought to an overview of your partitions. Click the small
>512 MiB fat32 and say "Use as: /boot/efi". Click the 4096 MiB fat32 and say
>"Use as: Custom. Custom path: /recovery". And lastly, click on the large
>partition and it will ask you about your password, so type your password
>to unlock it. Then click the large ext4 partition that appears and choose
>"Use as: Root (/)".
>
>- Now just proceed with the installation and it will automatically set up
>an encrypted full-disk bootloader with your custom partitions.
>
>
>Take care and have fun!
>
>-- Johny

Much thanks to everyone who replied. Your answers were much better than my question. From those answers it's abundantly apparent that I need to study a bit more on a few issues, like the boot processes and other things before I'll be able to make intelligent decisions. I used to understand the boot process fairly well, but that was before quite a bit was changed.

Also, I can't reply to e-mails the way I'm accustomed to and the way I'd like to because I don't have an actual Linux system for that, rather I'm forced to make do with a phone for the time being. Not optimal at all.

Thanks again for all the great replies.
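The LUKS2 settings the quoted procedure chooses (--key-size, --sector-size 4096, --align-payload 2048, and --persistent --allow-discards) all end up in the LUKS2 header at the start of the partition, so they can be audited after the fact. The Python script below is an added example and is not code from this thread or from the cryptsetup project: it parses the LUKS2 binary header (the 4096-byte big-endian struct luks2_hdr_disk, followed by a NUL-padded JSON area running to hdr_size, with the checksum computed over the whole header while the csum field is zeroed) and then checks the cipher, the effective AES key size, the sector size, the payload alignment and the persistent allow-discards flag. The header it inspects is constructed in memory: the label, salt, UUID and keyslot area fields are placeholders and no key material is present, so it is not an openable volume. One thing the audit makes visible: with cryptsetup's default cipher aes-xts-plain64, the LUKS key is split into two XTS keys, so --key-size 256 yields AES-128, while cryptsetup's LUKS2 default key size of 512 yields AES-256.

```python
"""Parse and audit a LUKS2 on-disk header for the settings discussed in the
thread: cipher and key size, sector size, payload alignment, and the
persistent "allow-discards" flag.  Added example; the header it builds is
constructed in memory with placeholder keyslot fields and holds no key
material, so it is not an openable volume."""
import hashlib
import json
import struct

MIB = 1024 * 1024
# struct luks2_hdr_disk: magic, version, hdr_size, seqid, label, csum_alg,
# salt, uuid, subsystem, hdr_offset, padding, csum, padding.  Big-endian,
# 4096 bytes; the JSON area follows immediately and runs to hdr_size.
BIN_HDR_FMT = ">6sHQQ48s32s64s40s48sQ184s64s3584s"
CSUM_OFFSET, CSUM_LEN = 448, 64
MAGIC_PRIMARY = b"LUKS\xba\xbe"
assert struct.calcsize(BIN_HDR_FMT) == 4096


def build_header(key_size=64, sector_size=4096, payload_offset=16 * MIB,
                 flags=("allow-discards",), hdr_size=16384):
    """Construct a synthetic primary LUKS2 header (binary area + JSON area).
    key_size is the LUKS key in bytes (64 = cryptsetup's 512-bit default)."""
    meta = {
        "keyslots": {"0": {"type": "luks2", "key_size": key_size,
                           "area": {"type": "raw", "offset": "32768", "size": "258048",
                                    "encryption": "aes-xts-plain64", "key_size": key_size}}},
        "tokens": {},
        "segments": {"0": {"type": "crypt", "offset": str(payload_offset), "size": "dynamic",
                           "iv_tweak": "0", "encryption": "aes-xts-plain64",
                           "sector_size": sector_size}},
        "digests": {},
        "config": {"json_size": str(hdr_size - 4096),
                   "keyslots_size": str(payload_offset - 2 * hdr_size),  # after both header copies
                   "flags": list(flags)},
    }
    json_area = json.dumps(meta).encode().ljust(hdr_size - 4096, b"\0")

    def pack(csum):  # constructed label, salt and UUID; struct pads short fields with NULs
        return struct.pack(BIN_HDR_FMT, MAGIC_PRIMARY, 2, hdr_size, 1, b"example",
                           b"sha256", b"\x11" * 64, b"0f0e0d0c-constructed-uuid",
                           b"", 0, b"", csum, b"")

    # The checksum covers all hdr_size bytes with the csum field itself zeroed.
    digest = hashlib.sha256(pack(b"") + json_area).digest()
    return pack(digest) + json_area


def parse_header(blob):
    """Validate magic, version and checksum, then return the decoded metadata."""
    (magic, version, hdr_size, seqid, label, csum_alg, _salt, uuid, _subsys,
     _hdr_off, _pad1, csum, _pad2) = struct.unpack_from(BIN_HDR_FMT, blob, 0)
    if magic != MAGIC_PRIMARY or version != 2:
        raise ValueError("not a LUKS2 primary header")
    zeroed = bytearray(blob[:hdr_size])
    zeroed[CSUM_OFFSET:CSUM_OFFSET + CSUM_LEN] = bytes(CSUM_LEN)
    digest = hashlib.new(csum_alg.rstrip(b"\0").decode(), zeroed).digest()
    if csum[:len(digest)] != digest:
        raise ValueError("header checksum mismatch: corrupted or tampered header")
    meta = json.loads(blob[4096:hdr_size].rstrip(b"\0"))
    return {"label": label.rstrip(b"\0").decode(), "uuid": uuid.rstrip(b"\0").decode(),
            "seqid": seqid, "hdr_size": hdr_size, "meta": meta}


def audit(hdr):
    """Return {check: (ok, detail)} for the properties the thread's commands set."""
    meta = hdr["meta"]
    seg = meta["segments"]["0"]
    cipher, mode, _iv = seg["encryption"].split("-", 2)
    key_bits = int(meta["keyslots"]["0"]["key_size"]) * 8
    # XTS uses two independent keys of equal length, so AES strength is half the LUKS key.
    aes_bits = key_bits // 2 if mode == "xts" else key_bits
    sector, offset = int(seg["sector_size"]), int(seg["offset"])
    flags = meta["config"].get("flags", [])
    return {
        "cipher": (cipher == "aes" and mode == "xts", seg["encryption"]),
        "aes_key_bits": (aes_bits >= 256, f"LUKS key {key_bits} bits -> AES-{aes_bits}"),
        "sector_size": (sector == 4096, f"{sector} bytes"),
        "payload_aligned": (offset % MIB == 0 and offset % sector == 0, f"offset {offset} bytes"),
        "persistent_discards": ("allow-discards" in flags, f"flags {flags}"),
    }


if __name__ == "__main__":
    for name, (ok, detail) in audit(parse_header(build_header())).items():
        print(f"{'OK ' if ok else 'BAD'} {name}: {detail}")
```

To run this against a real volume, read the header from the block device as root (the first 4096 bytes give hdr_size; then read that many bytes from offset 0) and pass the bytes to parse_header; cryptsetup luksDump on the same device should agree with every value the audit prints. A checksum mismatch means the header was corrupted or modified in place, which is also why keeping a luksHeaderBackup of the formatted partition somewhere off the disk is worth doing before relying on it.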

_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de
