* [dm-crypt] Help wanted to set up full disk encryption using GRUB
From: Didier Spaier @ 2021-01-13 21:34 UTC
To: dm-crypt

Hi,

I maintain the Slint distribution (Slackware derivative internationalized and accessible to the blind).

Our installer uses GRUB as boot manager and boot loader in both Legacy and EFI modes.

To help beginners I have added the 'auto' mode to the Slint installer which, in case of a drive dedicated to Slint, sets up a very simple layout of the GPT:
_ A BIOS Boot partition for booting GRUB in legacy mode
_ An EFI system partition
_ A root (/) partition
_ Optionally an additional partition (mount point suggested: /data)
_ No swap partition: the installer sets up a swap file and a swap space in zram.

I would like the 'auto' script to offer an option for encrypting the whole drive if dedicated to Slint, using LUKS without relying on LVM, to keep the drive's layout as simple as possible so that it is easily understood by a 74-year-old grandfather. I do belong to this category :-)

I assume that I will have to set GRUB_ENABLE_CRYPTODISK in /etc/default/grub.

I would like the user to type the passphrase only once. We always use an initrd, built after having installed the kernel at installation time and rebuilt at each kernel upgrade, so I can modify its setup as need be.

I have tried to find on the Internet examples of settings matching this specification but didn't find one on the Wiki or on the Arch wiki, only these:
https://unixsheikh.com/tutorials/real-full-disk-encryption-using-grub-on-void-linux-for-bios.html
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

Although they do not exactly match my specifications and/or use tools I don't ship, if I have to I will take one of them as a basis.

However, I'd be glad for help on how to provide this "type the passphrase only once, don't modify the drive's layout and don't use LVM" feature, be it just by answering this message or by giving me pointers to relevant documents.

Thanks in advance
Didier Spaier, Paris, France

_______________________________________________
dm-crypt mailing list
dm-crypt@saout.de
https://www.saout.de/mailman/listinfo/dm-crypt
* Re: [dm-crypt] Help wanted to set up full disk encryption using GRUB
From: Martin Jørgensen @ 2021-01-13 23:10 UTC
To: Didier Spaier; +Cc: dm-crypt

Hi,

I've done this many times, however mostly on Arch Linux. Please see:
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Avoiding_having_to_enter_the_passphrase_twice

I've also done it on Debian once. About your "GRUB_ENABLE_CRYPTODISK=y": yes, you should definitely encrypt the boot partition and then either the home or root partition, so yes, you need GRUB to understand an encrypted boot partition. AFAIR you need LUKS1 encryption for the boot partition (due to a limitation in GRUB) but you can use LUKS2 for the encrypted root/home, at least that's how I remember it; I don't know if things changed since last time I checked (I think LUKS2 for GRUB will be implemented in the near future if it hasn't already been)...

The basic idea is (and I quote from the link): "While GRUB asks for a passphrase to unlock the LUKS1 encrypted partition after above instructions, the partition unlock is not passed on to the initramfs. Hence, you have to enter the passphrase twice at boot: once for GRUB and once for the initramfs. This section deals with extra configuration to let the system boot by only entering the passphrase once, in GRUB. This is accomplished with a keyfile embedded in the initramfs <https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs>."

So, the initramfs needs to be stored *inside* the encrypted boot partition, so that when you unlock it you have the decrypted keyfiles, which are used to unlock/decrypt the home/root partition (you choose if you wish to encrypt only home or the whole root partition). Then use /etc/crypttab to make the decrypted partition available to your Linux system as it's booting up.

If not on Arch, you'll have to figure out how to embed your keyfile in the initramfs, but follow more or less the same steps; at least that's how I do it every single time, I don't know any other way to accomplish this. Took me many hours the first time, googling, testing; write down every step you do so you can redo it again.

Good luck.

Br,
Martin

On Wed, Jan 13, 2021 at 10:43 PM Didier Spaier <didier@slint.fr> wrote:
> [...]
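The scheme Martin describes has three host-side pieces: a keyfile that GRUB-unlocked storage makes available to the initramfs, GRUB_ENABLE_CRYPTODISK=y so GRUB can open the LUKS container, and a crypttab line that tells the initramfs to reuse the keyfile. The POSIX shell script below is an added example written for this thread, not code from Martin, from Slint or from the Arch wiki; it stages those pieces in a scratch directory and checks them, and runs no cryptsetup or GRUB command (registering the keyfile in the LUKS header with `cryptsetup luksAddKey` and rebuilding the initrd stay with the real installer). It assumes a Slackware-style initrd built from a `/boot/initrd-tree` staging directory, a mapping named `cryptroot`, and a constructed placeholder UUID; all three are assumptions. In Didier's no-LVM layout, /boot lives inside the root partition, so that partition is the container GRUB unlocks with the passphrase and the initramfs reopens with the keyfile, which is why it (not only a separate /boot) has to stay in a format GRUB can read: LUKS1 at the time of the thread, or LUKS2 with PBKDF2 rather than Argon2 key derivation from GRUB 2.06 on. Two checks matter for the threat model: the keyfile must be root-only readable, and so must the generated initrd image, since it carries a copy of the key.

```shell
#!/bin/sh
# Added example (not from the thread or from Slint): stage the host-side
# pieces of the "enter the passphrase once" scheme under a directory and
# sanity-check them. No cryptsetup or grub command is run here.
set -eu

# Keyfile that will be embedded in the initramfs. Anyone who can read it can
# unlock the root partition, so it is created root-only from the start.
make_keyfile() {
    dir="$1"
    key="$dir/crypto_keyfile.bin"
    mkdir -p "$dir"
    rm -f "$key"                       # an earlier 0400 copy cannot be overwritten
    ( umask 077; head -c 64 /dev/urandom > "$key" )
    chmod 0400 "$key"
    printf '%s\n' "$key"
}

# Set GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub exactly once, replacing
# any earlier (possibly commented-out) setting and keeping every other line.
set_grub_cryptodisk() {
    f="$1"
    mkdir -p "$(dirname "$f")"
    [ -f "$f" ] || : > "$f"
    grep -v -e '^GRUB_ENABLE_CRYPTODISK=' -e '^#GRUB_ENABLE_CRYPTODISK=' "$f" > "$f.tmp" || true
    echo 'GRUB_ENABLE_CRYPTODISK=y' >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# One /etc/crypttab line: mapping name, device by UUID, keyfile path as seen
# from inside the initramfs, options.
crypttab_entry() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# Refuse modes that let group or other read the file. Apply this to the
# keyfile and to the generated initrd image (e.g. /boot/initrd.gz), which
# contains a copy of the keyfile and is therefore just as sensitive.
check_root_only() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        400|600|0400|0600) return 0 ;;
        *) echo "insecure mode $mode on $1" >&2; return 1 ;;
    esac
}

# Stage everything under $1 for the LUKS container whose UUID is $2.
# Assumption: the initrd is built from a /boot/initrd-tree staging directory
# (Slackware-style mkinitrd), so a file placed there lands at / inside the
# initramfs; hence the keyfile path /crypto_keyfile.bin in crypttab.
run_setup() {
    stage="$1"; uuid="$2"
    key=$(make_keyfile "$stage/boot/initrd-tree")
    set_grub_cryptodisk "$stage/etc/default/grub"
    mkdir -p "$stage/etc"
    crypttab_entry cryptroot "$uuid" /crypto_keyfile.bin > "$stage/etc/crypttab"
    check_root_only "$key"
}

# Stand-alone run against a temp dir (or a directory given as $1) with a
# constructed placeholder UUID; nothing outside that directory is touched.
STAGE="${1:-$(mktemp -d)}"
run_setup "$STAGE" "00000000-0000-4000-8000-000000000000"
echo "staged under $STAGE:"
cat "$STAGE/etc/default/grub" "$STAGE/etc/crypttab"
```

Run it as `sh stage-luks.sh /mnt` against the mounted target to see the files it would write; on a real system the UUID comes from `cryptsetup luksUUID <device>`, the keyfile is added to the header with `cryptsetup luksAddKey`, and the initrd is rebuilt afterwards and given mode 0600 before the check above is applied to it.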
* Re: [dm-crypt] Help wanted to set up full disk encryption using GRUB
From: Didier Spaier @ 2021-01-14 0:14 UTC
To: dm-crypt

Thanks Martin. I am not running Arch but will try to adapt this to Slint.

Cheers,
Didier

On 14/01/2021 at 00:10, Martin Jørgensen wrote:
> [...]