From: Didier Spaier <didier@slint.fr>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Help wanted to set up full disk encryption using GRUB
Date: Thu, 14 Jan 2021 01:14:33 +0100
Message-ID: <cd7c0e54-cc34-09c4-146d-09ec6a28e6a0@slint.fr>
In-Reply-To: <CAJN12jkCGMAZ3sSXfHT=bQTCkwW4MRC-6FERsmtk+fxXX3O5QQ@mail.gmail.com>
Thanks Martin. I am not running Arch but will try to adapt
this to Slint.
Cheers,
Didier
On 14/01/2021 at 00:10, Martin Jørgensen wrote:
> Hi,
>
> I've done this many times, however mostly on Arch Linux. Please see:
> https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Avoiding_having_to_enter_the_passphrase_twice
>
> I've also done it on Debian once. About your "GRUB_ENABLE_CRYPTODISK=y".
> Yes, you should definitely encrypt the boot-partition and then either
> the home/root-partition so yes, you need GRUB to understand an encrypted
> boot-partition - AFAIR you need LUKS1-encryption for the boot-partition
> (due to a limitation in GRUB) but you can use LUKS2-for the encrypted
> root/home, at least that's how I remember it - don't know if things
> changed since last time I checked (I think LUKS2 for GRUB will be
> implemented in near future if it hasn't already been)...
>
> The basic idea is (and I quote from the link): "While GRUB asks for a
> passphrase to unlock the LUKS1 encrypted partition after above
> instructions, the partition unlock is not passed on to the initramfs.
> Hence, you have to enter the passphrase twice at boot: once for GRUB and
> once for the initramfs.
>
> This section deals with extra configuration to let the system boot by
> only entering the passphrase once, in GRUB. This is accomplished with
> a keyfile embedded in the initramfs
> <https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs>."
>
> So - the initramfs needs to be stored _*/inside/*_ the encrypted
> boot-partition so when you unlock it, you have the decrypted keyfiles,
> which are used to unlock/decrypt home/root-partition (you choose if you
> wish to encrypt only home or the whole root-partition). Then use
> /etc/crypttab to make the decrypted partition available to your
> linux-system, as it's booting up.
>
> If not on Arch, you'll have to figure out how to embed your keyfile in
> the initramfs, but follow more or less the same steps - at least that's
> how I do it every single time, I don't know any other way to accomplish
> this. Took me many hours the first time, googling, testing, write down
> every step you do so you can redo it again.
>
> Good luck.
>
>
> Br,
> Martin
>
> On Wed, Jan 13, 2021 at 10:43 PM Didier Spaier <didier@slint.fr> wrote:
>
> Hi,
>
> I maintain the Slint distribution (Slackware derivative internationalized
> and accessible to the blind).
>
> Our installer uses GRUB as boot manager and boot loader in both Legacy and
> EFI modes.
>
> To help beginners I have added the 'auto' mode to the Slint installer which,
> in case of a drive dedicated to Slint, sets up a very simple layout of the GPT:
> _A Bios Boot partition for booting GRUB in legacy mode
> _An EFI system partition
> _A root (/) partition
> _Optionally an additional partition (mount point suggested: /data)
> _No swap partition: the installer sets up a swap file and a swap space
> in zram.
>
> I would like that the 'auto' script offer an option for encrypting the whole
> drive if dedicated to Slint, using LUKS without relying on LVM, to keep the
> drive's layout as simple as possible to be easily understood by a 74-year-old
> grandfather. I do belong to this category :-)
>
> I assume that I will have to set GRUB_ENABLE_CRYPTODISK in
> /etc/default.grub.
>
> I would like that the user type the passphrase only once. We always use an
> initrd, built after having installed the kernel at time of installation,
> rebuilt at each kernel upgrade, so I can modify its set up as need be.
>
> I have tried to find on the Internet examples of settings matching this
> specification but didn't find one on the Wiki or on the Arch wiki, but these:
> https://unixsheikh.com/tutorials/real-full-disk-encryption-using-grub-on-void-linux-for-bios.html
> https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
> Although they do not exactly match my specifications and/or use tools I
> don't ship, if I have to I will take one of them as a basis.
>
> However I'd be glad for help on how to provide this "type the passphrase only
> once, don't modify the drive's layout and don't use LVM" feature, be it just
> answering this message or giving me pointers to relevant documents.
>
> Thanks in advance
> Didier Spaier, Paris, France
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de <mailto:dm-crypt@saout.de>
> https://www.saout.de/mailman/listinfo/dm-crypt
>
>
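The recipe Martin describes (GRUB opening a LUKS1 /boot, a keyfile inside the initramfs opening the root volume, /etc/crypttab tying it together), written out as a shell script. This is an added example, not code from the thread, the Arch wiki or Slint; the device names /dev/sda2 and /dev/sda3, the mapper name cryptroot and the keyfile path /etc/keys/root.key are assumed placeholders, and the distro-specific step of embedding the keyfile in the initrd is left to the caller.

```shell
#!/bin/sh
# Single-passphrase boot as described in the thread: GRUB opens a LUKS1 /boot,
# and the initramfs inside it carries a keyfile that opens the root volume.
# Device names, mapper name and keyfile path are ASSUMED placeholders.
set -eu
BOOT_DEV=/dev/sda2        # assumed: LUKS1 partition holding /boot
ROOT_DEV=/dev/sda3        # assumed: LUKS partition holding /
ROOT_NAME=cryptroot       # assumed /dev/mapper name for the root volume
KEYFILE=/etc/keys/root.key

# Let GRUB read LUKS volumes; idempotent edit of a /etc/default/grub-style file.
set_grub_cryptodisk() {   # $1 = path of the defaults file
    grep -q '^GRUB_ENABLE_CRYPTODISK=y$' "$1" && return 0
    grep -v 'GRUB_ENABLE_CRYPTODISK=' "$1" > "$1.tmp" || true   # drop old/commented
    echo 'GRUB_ENABLE_CRYPTODISK=y' >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# 64 random bytes, readable by root only: whoever reads this file can open /.
make_keyfile() {          # $1 = keyfile path
    ( umask 077; mkdir -p "$(dirname "$1")"; head -c 64 /dev/urandom > "$1" )
    chmod 0400 "$1"
}

# crypttab line the initramfs uses to open root with the embedded key.
add_crypttab_entry() {    # $1 = crypttab, $2 = name, $3 = device, $4 = keyfile
    grep -q "^$2 " "$1" 2>/dev/null ||
        printf '%s %s %s luks\n' "$2" "$3" "$4" >> "$1"
}

# GRUB, as Martin recalls, only opens LUKS1 headers; refuse a LUKS2 /boot early.
boot_is_luks1() {         # $1 = device; true only for a LUKS1 header
    cryptsetup luksDump "$1" | grep -q '^Version:[[:space:]]*1$'
}

if [ "${1:-}" = --apply ]; then      # device-touching steps, run as root
    boot_is_luks1 "$BOOT_DEV" || { echo "$BOOT_DEV is not LUKS1" >&2; exit 1; }
    set_grub_cryptodisk /etc/default/grub
    make_keyfile "$KEYFILE"
    cryptsetup luksAddKey "$ROOT_DEV" "$KEYFILE"   # asks for an existing passphrase
    add_crypttab_entry /etc/crypttab "$ROOT_NAME" "$ROOT_DEV" "$KEYFILE"
    # Distro-specific and left to the caller: embed $KEYFILE in the initrd, make
    # the initrd mode 0600 (it now contains the key), then regenerate grub.cfg.
    echo "next: embed $KEYFILE in the initrd, chmod 0600 it, rerun grub-mkconfig" >&2
fi
```

Without `--apply` the script only defines the functions, so the file-editing helpers can be tried on copies before touching a real system.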
Thread overview:
2021-01-13 21:34 [dm-crypt] Help wanted to set up full disk encryption using GRUB Didier Spaier
2021-01-13 23:10 ` Martin Jørgensen
2021-01-14 0:14 ` Didier Spaier [this message]