From: Didier Spaier <didier@slint.fr>
To: dm-crypt@saout.de
Subject: [dm-crypt] Re: Using dm-crypt: whole disk encryption
Date: Tue, 23 Mar 2021 00:50:04 +0100
Message-ID: <09a3e2ea-e1f6-3313-ae93-af89c489fafc@slint.fr>
In-Reply-To: <CA+3G=9iX7HgO2Q09As7exwmfGpdddzj_aN5y5hJ0f30ja-SQkQ@mail.gmail.com>
On 22/03/2021 at 17:43, Johnny Dahlberg wrote:
> On Sun, 21 Mar 2021 at 17:20, ken <gebser@mousecar.com> wrote:
>
> > A new laptop is on the way and I'm considering using dm-crypt to
> > secure the whole SSD. I have some basic questions though.
> >
> > Is it possible to encrypt the entire Drive, including all the system
> > files?
>
> Yes, you can do this extremely easily in distributions that support it.
> What does "it" mean? Well, simply: Placing the kernel and bootloader on
> an EFI /boot/efi partition and using that as a bootstrap to decrypt the
> main partition. And auto-updating it every time the main system kernel
> is updated.
> I highly recommend my favorite Linux distro, which handles all of that
> automatically and asks if you want Full Disk Encryption during install:
> https://pop.system76.com/

Well, Slint can do that as well in 'Auto' mode, with a simpler layout:

1. A BiosBoot partition # For GRUB to boot in Legacy mode
2. An ESP # Contains only the EFI OS loader
3. A partition for /, encrypted
4. Optionally an additional partition, encrypted

No LVM. GRUB asks for the LUKS passphrase before displaying its menu,
then loads the kernel and the initrd, which includes a LUKS key used to
unlock /, also stored in /etc/keys.

Another LUKS key stored in /etc/keys then allows unlocking /data.

When the kernel is updated, the key used to unlock / is copied into the
new initrd.

As an aside, instead of a swap partition a small swap file is set up,
as well as a swap space in zram with a higher priority.

Out of curiosity I installed pop-os in a Qemu VM. I think it would be
fair to mention on the website that it's based on Ubuntu. I don't
like GNOME, but that's just a personal taste ;)
Slint's website: https://slint.fr
Main server: http://slackware.uk/slint/x86_64/slint-14.2.1/
Best regards,
Didier
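
With a LUKS key embedded in the initrd and copies kept in /etc/keys, file permissions are the only thing keeping that key from other local users once / is unlocked. The following is an added example, not part of the message above or of Slint's own scripts: a shell audit that flags key material readable beyond its owner. The names `loose_key_files`, `audit_keys` and `KEY_OWNER_UID` are hypothetical, GNU find is assumed, and the initrd path is not given in the message, so it is passed as an argument.

```shell
#!/bin/sh
# Added example: find LUKS key material that other local users could read.
# Assumption: key files and the initrd should belong to root (uid 0).
KEY_OWNER_UID="${KEY_OWNER_UID:-0}"

# loose_key_files PATH...
# Prints every regular file under each PATH (a file or a directory) that
# grants any group/other permission bit or is not owned by KEY_OWNER_UID.
# Uses GNU find's "-perm /MODE" (true if any of the listed bits is set).
loose_key_files() {
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "skipping missing path: $p" >&2
            continue
        fi
        find "$p" -type f \( -perm /077 -o ! -uid "$KEY_OWNER_UID" \) -print
    done
}

# audit_keys PATH...
# Returns 0 when no file is exposed, 1 otherwise (list goes to stderr).
audit_keys() {
    exposed=$(loose_key_files "$@")
    if [ -n "$exposed" ]; then
        printf 'key material readable beyond its owner:\n%s\n' "$exposed" >&2
        return 1
    fi
    return 0
}

# When run as a script with arguments, audit them, for example:
#   sh audit-keys.sh /etc/keys /path/to/initrd
if [ "$#" -gt 0 ]; then
    audit_keys "$@"
fi
```

Run it as root against /etc/keys and the initrd after each kernel update, since the initrd is regenerated at that point.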