dm-crypt.saout.de archive mirror
* [dm-crypt] Help wanted to set up full disk encryption using GRUB
@ 2021-01-13 21:34 Didier Spaier
  2021-01-13 23:10 ` Martin Jørgensen
From: Didier Spaier @ 2021-01-13 21:34 UTC (permalink / raw)
  To: dm-crypt

Hi,

I maintain the Slint distribution (Slackware derivative internationalized and
accessible to the blind).

Our installer uses GRUB as boot manager and boot loader in both Legacy and
EFI modes.

To help beginners I have added the 'auto' mode to the Slint installer which in
case of a drive dedicated to Slint sets up a very simple layout of the GPT:
_A Bios Boot partition for booting GRUB in legacy mode
_An EFI system partition
_A root (/) partition
_Optionally an additional partition (mount point suggested: /data)
_No swap partition: the installer sets up a swap file and a swap space in zram.

I would like the 'auto' script to offer an option for encrypting the whole
drive if dedicated to Slint, using LUKS without relying on LVM, to keep the
drive's layout as simple as possible so that it is easily understood by a
74-year-old grandfather. I do belong to this category :-)

I assume that I will have to set GRUB_ENABLE_CRYPTODISK in /etc/default.grub.

I would like the user to type the passphrase only once. We always use an
initrd, built after having installed the kernel at installation time and
rebuilt at each kernel upgrade, so I can modify its setup as need be.

I have tried to find on the Internet examples of settings matching this
specification but didn't find one on the Wiki or on the Arch wiki, apart from
these:
https://unixsheikh.com/tutorials/real-full-disk-encryption-using-grub-on-void-linux-for-bios.html
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
Although they do not exactly match my specifications and/or use tools I
don't ship, if I have to I will take one of them as a basis.

However, I'd be glad for help on how to provide this "type the passphrase only
once, don't modify the drive's layout and don't use LVM" feature, be it just by
answering this message or by giving me pointers to relevant documents.

Thanks in advance
Didier Spaier, Paris, France

_______________________________________________
dm-crypt mailing list
dm-crypt@saout.de
https://www.saout.de/mailman/listinfo/dm-crypt


* Re: [dm-crypt] Help wanted to set up full disk encryption using GRUB
  2021-01-13 21:34 [dm-crypt] Help wanted to set up full disk encryption using GRUB Didier Spaier
@ 2021-01-13 23:10 ` Martin Jørgensen
  2021-01-14  0:14   ` Didier Spaier
From: Martin Jørgensen @ 2021-01-13 23:10 UTC (permalink / raw)
  To: Didier Spaier; +Cc: dm-crypt



Hi,

I've done this many times, however mostly on Arch Linux. Please see:
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Avoiding_having_to_enter_the_passphrase_twice

I've also done it on Debian once. About your "GRUB_ENABLE_CRYPTODISK=y":
yes, you should definitely encrypt the boot partition and then either the
home or root partition, so yes, you need GRUB to understand an encrypted
boot partition. AFAIR you need LUKS1 encryption for the boot partition
(due to a limitation in GRUB) but you can use LUKS2 for the encrypted
root/home, at least that's how I remember it; I don't know if things changed
since last time I checked (I think LUKS2 for GRUB will be implemented in the
near future if it hasn't already been)...

The basic idea is (and I quote from the link): "While GRUB asks for a
passphrase to unlock the LUKS1 encrypted partition after the above
instructions, the partition unlock is not passed on to the initramfs.
Hence, you have to enter the passphrase twice at boot: once for GRUB and
once for the initramfs.

This section deals with extra configuration to let the system boot by only
entering the passphrase once, in GRUB. This is accomplished with a
keyfile embedded in the initramfs
<https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs>."
So, the initramfs needs to be stored *inside* the encrypted boot partition,
so when you unlock it you have the decrypted keyfiles, which are used to
unlock/decrypt the home/root partition (you choose whether you wish to encrypt
only home or the whole root partition). Then use /etc/crypttab to make the
decrypted partition available to your Linux system as it's booting up.

If not on Arch, you'll have to figure out how to embed your keyfile in the
initramfs, but follow more or less the same steps; at least that's how I
do it every single time, I don't know any other way to accomplish this.
It took me many hours the first time, googling and testing; write down every
step you do so you can redo it again.

Good luck.


Br,
Martin
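The layout Martin describes (LUKS-encrypted /boot unlocked by GRUB, a root-only keyfile embedded in the initramfs, a crypttab entry that uses it) as added shell helpers; this is example code, not from the thread, Slint, or the Arch wiki. It assumes the root LUKS device is /dev/sda3, the keyfile is /crypto_keyfile.bin and the GRUB defaults file is /etc/default/grub; the cryptsetup commands are only printed, never run, so it touches no real disk.

```shell
#!/bin/bash
# Added example: helpers for the "type the passphrase once" setup.
# Assumed values (override via the environment): root LUKS device and keyfile.
set -eu
ROOT_DEV=${ROOT_DEV:-/dev/sda3}            # assumed device name
KEYFILE=${KEYFILE:-/crypto_keyfile.bin}    # assumed keyfile path

# /etc/crypttab entry: unlock $2 (by UUID) as mapping $1 with keyfile $3.
# The keyfile is readable at boot only because the initramfs that embeds it
# sits on the /boot partition GRUB already unlocked with the passphrase.
crypttab_line() {
  printf '%s\t%s\t%s\tluks\n' "$1" "UUID=$2" "$3"
}

# Idempotently set GRUB_ENABLE_CRYPTODISK=y in a grub defaults file so that
# grub-mkconfig emits the cryptomount/insmod lines needed to open /boot.
# Prints the number of matching lines afterwards (expected: 1).
set_grub_cryptodisk() {
  local f=$1
  if grep -q '^GRUB_ENABLE_CRYPTODISK=' "$f"; then
    sed -i 's/^GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/' "$f"
  else
    printf 'GRUB_ENABLE_CRYPTODISK=y\n' >> "$f"
  fi
  grep -c '^GRUB_ENABLE_CRYPTODISK=y$' "$f"
}

# Commands the installer would run to create the keyfile and register it as
# an extra LUKS keyslot on the root volume (printed here, not executed).
luks_keyfile_commands() {
  cat <<EOF
dd bs=512 count=4 if=/dev/urandom of=$KEYFILE iflag=fullblock
chmod 600 $KEYFILE
cryptsetup luksAddKey $ROOT_DEV $KEYFILE
EOF
}

# Whoever can read the keyfile can open the root volume without the
# passphrase, so it (and the initrd image that embeds it) must be mode 0600.
# Returns 0 when the mode is exactly 600, 1 otherwise.
keyfile_perms_ok() {
  [ "$(stat -c %a "$1")" = "600" ]
}
```

Run keyfile_perms_ok against both the keyfile and the generated initrd image under /boot; an initrd that is world-readable leaks the key even though /boot itself is encrypted at rest.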



* Re: [dm-crypt] Help wanted to set up full disk encryption using GRUB
  2021-01-13 23:10 ` Martin Jørgensen
@ 2021-01-14  0:14   ` Didier Spaier
From: Didier Spaier @ 2021-01-14  0:14 UTC (permalink / raw)
  To: dm-crypt

Thanks Martin. I am not running Arch but will try to adapt
this to Slint.
Cheers,
Didier
