From: ken <gebser@mousecar.com>
To: Johnny Dahlberg
CC: dm-crypt maillist
Date: Wed, 24 Mar 2021 21:14:11 +0000
Subject: [dm-crypt] Re: Using dm-crypt: whole disk encryption
Message-ID: <3032EE0A-E661-442A-B1C7-EE3848658B3D@mousecar.com>

On March 22, 2021 4:43:59 PM UTC, Johnny Dahlberg wrote:
>On Sun, 21 Mar 2021 at 17:20, ken wrote:
>
>> A new laptop is on the way and I'm considering using dm-crypt to secure
>> the whole SSD. I have some basic questions though.
>>
>> Is it possible to encrypt the entire drive, including all the system
>> files?
>> _______________________________________________
>> dm-crypt mailing list -- dm-crypt@saout.de
>> To unsubscribe send an email to dm-crypt-leave@saout.de
>
>
>Yes, you can do this extremely easily in distributions that support it.
>What does "it" mean? Well, simply: placing the kernel and bootloader on
>an EFI /boot/efi partition and using that as a bootstrap to decrypt the
>main partition, and auto-updating it every time the main system kernel
>is updated.
>I highly recommend my favorite Linux distro, which handles all of that
>automatically and asks if you want Full Disk Encryption during install:
>https://pop.system76.com/
>
>However, it only asks you if you want disk encryption if you do a full
>"clean install: wipe the disk and auto-partition" setup.
>
>Perhaps that's enough for you? In that case, just go ahead and install
>it and you're done! Very quick and easy.
>
>You can also MANUALLY set up smaller/custom partitions though (such as
>if you don't want to use an entire disk for this distro). I'll guide you
>through all of the steps:
>
>- Be sure that you download the Pop!_OS 20.10 ISO v12 or later. The
>revision is trailing the filename, such as "pop-os_20.10_amd64_nvidia_12.iso"
>meaning the 12th ISO. This is necessary because v12 (or later) enhanced
>the installer to support custom encrypted partitions. Furthermore, I
>recommend getting the NVIDIA ISO if you have (or will ever have) an
>NVIDIA GPU in your system, because that ISO makes it seamless to connect
>NVIDIA GPUs.
>
>- Ensure that your partitioning table is GPT (not MBR), and that your
>computer is booting with UEFI. This gives you a modern EFI bootloader.
>Otherwise you end up in hellish and brittle legacy grub land where you
>definitely don't wanna be.
>
>- Use GParted on the live boot ISO to create 3 partitions: 512 MiB
>fat32, 4096 MiB fat32, and the remainder as "filesystem: unformatted"
>(it's a choice in the GParted dropdown).
>
>- Open a Terminal in the live boot ISO and type all of these commands
>(adjust the nvme0n1p3 to whatever your own partition is named):
>
># Get device name for the "unformatted" partition, in my case
># /dev/nvme0n1p3:
>fdisk -l
>
># Ensure that the encrypted payload is aligned to a 1 MiB (2048 * 512
># byte sectors) boundary:
>cryptsetup --key-size 256 --type luks2 --sector-size 4096 --align-payload 2048 luksFormat /dev/nvme0n1p3
>
># Open the LUKS volume and permanently mark it as "allow discards" (TRIM)
># so that it always opens like that by default, for SSD health purposes:
>cryptsetup --allow-discards --persistent open /dev/nvme0n1p3 cryptdata
>
># Create the LVM volume metadata and enforce "start of payload" alignment
># at the nearest 1 MiB boundary after the metadata (by default this means
># the payload starts at 1 MiB):
>pvcreate -ffy --metadatatype lvm2 --dataalignment 1m --dataalignmentoffset 0 /dev/mapper/cryptdata
>
># Create the LVM volume group and force it to divide the volume into
># aligned 4 MiB chunks (this is the default, but enforcing it just to be
># sure):
>vgcreate -ffy --physicalextentsize 4m data /dev/mapper/cryptdata
>
># Create an LVM logical volume using all of the space:
>lvcreate -y --name root --extents 100%FREE data
>
># Format as ext4 with 4096 byte (4 KiB) block size:
>mkfs.ext4 -F -b 4096 /dev/mapper/data-root
>
># Close the devices.
>vgchange --activate n data
>cryptsetup close cryptdata
>
>- Now close the Terminal and go back to the Pop!_OS installer window,
>and proceed until it lets you pick "Custom Install". Pick that option.
>(Do not click the "Unlock partition" banner at the top of the window.)
>
>- You will be brought to an overview of your partitions. Click the
>small 512 MiB fat32 and say "Use as: /boot/efi". Click the 4096 MiB
>fat32 and say "Use as: Custom. Custom path: /recovery". And lastly,
>click on the large partition and it will ask you about your password,
>so type your password to unlock it. Then click the large ext4 partition
>that appears and choose "Use as: Root (/)".
>
>- Now just proceed with the installation and it will automatically set
>up an encrypted full-disk bootloader with your custom partitions.
>
>
>Take care and have fun!
>
>-- Johny

Much thanks to everyone who replied. Your answers were much better than
my question. From those answers it's abundantly apparent that I need to
study a bit more on a few issues, like the boot processes and other
things, before I'll be able to make intelligent decisions. I used to
understand the boot process fairly well, but that was before quite a bit
was changed.

Also, I can't reply to e-mails the way I'm accustomed to and the way I'd
like to, because I don't have an actual Linux system for that; rather,
I'm forced to make do with a phone for the time being. Not optimal at
all.

Thanks again for all the great replies.
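An added check, not from the thread or from Pop!_OS, for the luksFormat/open step quoted above: it parses `cryptsetup luksDump` output to confirm the 4096-byte encryption sector, the 1 MiB payload alignment and the persisted allow-discards flag, and reports the AES strength actually in use (XTS splits the key, so --key-size 256 with aes-xts-plain64 is AES-128). The sample dump is constructed; only the field names follow the LUKS2 luksDump layout, the values are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `cryptsetup luksDump` output for a LUKS2 header made
# as in the thread (4096-byte sectors, allow-discards persisted, 256-bit key).
# Hypothetical values; not captured from a real device.
SAMPLE_DUMP='LUKS header information
Version:        2
Flags:          allow-discards

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 4096 [bytes]

Keyslots:
  0: luks2
        Key:        256 bits
        Cipher:     aes-xts-plain64
        Cipher key: 256 bits
'

# First "name: value" line in the dump, with the name and padding stripped.
dump_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Returns 0 when the persistent allow-discards flag is stored in the header.
check_discards() { dump_field "$1" Flags | grep -q 'allow-discards'; }

# Returns 0 when the data segment is encrypted in 4096-byte sectors.
check_sector() { [ "$(dump_field "$1" sector | cut -d' ' -f1)" = 4096 ]; }

# Returns 0 when the encrypted payload starts on a 1 MiB boundary.
check_alignment() {
    off=$(dump_field "$1" offset | cut -d' ' -f1)
    [ $((off % 1048576)) -eq 0 ]
}

# Effective AES key length: XTS uses half the key for each of its two AES
# keys, so a 256-bit xts key means AES-128; other modes use the full key.
aes_strength() {
    bits=$(dump_field "$1" 'Cipher key' | cut -d' ' -f1)
    case "$(dump_field "$1" cipher)" in
        *-xts-*) echo $((bits / 2)) ;;
        *)       echo "$bits" ;;
    esac
}

# On a real system (as root): aes_strength "$(cryptsetup luksDump /dev/nvme0n1p3)"
```

The cryptsetup manual notes that allowing discards lets an observer of the ciphertext see which sectors are unused, so the flag trades that information against SSD wear; the check above only tells you whether the flag is present, not whether that trade is right for the machine.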