Full Disk Encryption w/Encrypted Boot

From Void Linux Wiki
Revision as of 20:13, 1 September 2019 by Aedinius (talk | contribs) (Remove sparse instructions; clarify filesystem choices.)

For MBR Based Systems

Boot the live CD as normal and log in.

Your drive's block device names, sizes and UUIDs will differ from the ones shown here, so substitute your own throughout.

Create a single physical partition on the disk using `cfdisk`, marking it bootable. When done, `fdisk` output should look like this:


   # fdisk -l /dev/sda
   Disk /dev/sda: 48 GiB, 51539607552 bytes, 100663296 sectors
   Units: sectors of 1 * 512 = 512 bytes
   Sector size (logical/physical): 512 bytes / 512 bytes
   I/O size (minimum/optimal): 512 bytes / 512 bytes
   Disklabel type: dos
   Disk identifier: 0x4d532059
   
   Device     Boot Start       End   Sectors Size Id Type
   /dev/sda1  *     2048 100663295 100661248  48G 83 Linux

NOTE: `cryptsetup` now defaults to the LUKS2 header format, but the GRUB release current when this page was written can only unlock LUKS1 containers. Pass `--type luks1` when creating the container, or GRUB will not be able to open it at boot. (GRUB 2.06 and later can read LUKS2 headers, but only when the keyslot uses PBKDF2 rather than the argon2 KDF that `cryptsetup` picks by default, so LUKS1 remains the safe choice for this guide.)

Configure the encrypted volume. Choose a strong passphrase, and don't forget it: without it the data is unrecoverable.

   # cryptsetup luksFormat --type luks1 /dev/sda1
   
   WARNING!
   ========
   This will overwrite data on /dev/sda1 irrevocably.
   
   Are you sure? (Type uppercase yes): YES
   Enter passphrase: 
   Verify passphrase: 


Once the container is created, it needs to be opened. You can replace `voidvm` with any name you want; it becomes the device-mapper name `/dev/mapper/voidvm`.


   # cryptsetup luksOpen /dev/sda1 voidvm      
   Enter passphrase for /dev/sda1: 

Once the LUKS container is opened, create the LVM volume group using that partition.

   # vgcreate voidvm /dev/mapper/voidvm
     Volume group "voidvm" successfully created

You should now have an empty volume group named `voidvm`. Other guides use different names for the mapper device and the volume group; reusing the same name for both, as here, causes no conflict, because the logical volumes appear as `/dev/mapper/voidvm-root` and so on rather than as `/dev/mapper/voidvm` itself.

For this system, I chose 10G for `/`, 2G for `swap`, and will assign the rest to `/home`. You can choose whatever values work for your system.

   # lvcreate --name root -L 10G voidvm
     Logical volume "root" created.
   # lvcreate --name swap -L 2G voidvm
     Logical volume "swap" created.
   # lvcreate --name home -l 100%FREE voidvm
     Logical volume "home" created.

Next, create the filesystems.

NOTE: There is no separate `/boot` partition, so the root filesystem holds the kernel and initramfs and must be one GRUB can read. XFS is just a personal preference; ext4 or any other filesystem supported by grub2 works equally well.

   # mkfs.xfs -L root /dev/voidvm/root       
   meta-data=/dev/voidvm/root       isize=512    agcount=4, agsize=655360 blks
   ...
   # mkfs.xfs -L home /dev/voidvm/home
   meta-data=/dev/voidvm/home       isize=512    agcount=4, agsize=2359040 blks
   ...
   # mkswap /dev/voidvm/swap
   Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)

Now mount the new filesystems and bind-mount the pseudo-filesystems the chroot will need.

   # mount /dev/voidvm/root /mnt
   # for dir in dev proc sys run; do
   > mkdir -p /mnt/$dir
   > mount --rbind /$dir /mnt/$dir
   > done
   # mkdir -p /mnt/home
   # mount /dev/voidvm/home /mnt/home

Before entering the chroot to finish the configuration, install the base system, LVM, `cryptsetup` and `grub` into `/mnt`.

   # xbps-install -Sy -R http://alpha.de.repo.voidlinux.org/current -r /mnt base-system lvm2 cryptsetup grub
   [*] Updating `http://alpha.de.repo.voidlinux.org/current/x86_64-repodata' ...
   x86_64-repodata: 1516KB [avg rate: 83KB/s]
   `http://alpha.de.repo.voidlinux.org/current' repository has been RSA signed by "Void Linux"
   Fingerprint: 60:ae:0c:d6:f0:95:17:80:bc:93:46:7a:89:af:a3:2d
   Do you want to import this public key? [Y/n] y
   123 packages will be downloaded:
   ...

This part may take a while.

When it's done, we can enter the `chroot` and finish up the configuration.

   # chroot /mnt
   # chown root:root /
   # chmod 755 /
   # passwd root
   # echo voidvm > /etc/hostname
   # echo "LANG=en_US.UTF-8" > /etc/locale.conf
   # echo "en_US.UTF-8 UTF-8" >> /etc/default/libc-locales
   # xbps-reconfigure -f glibc-locales

The next step is editing `/etc/fstab`, which will depend on how you configured and named your filesystems. For this example, the file should look like this:

   # <file system>	   <dir> <type>  <options>             <dump>  <pass>
   tmpfs             /tmp  tmpfs   defaults,nosuid,nodev 0       0
   /dev/voidvm/root  /     xfs     defaults              0       0
   /dev/voidvm/home  /home xfs     defaults              0       0
   /dev/voidvm/swap  swap  swap    defaults              0       0

Next, configure `grub` so that it can unlock the LUKS container and read the kernel and initramfs from the encrypted root.

   # cat >> /etc/default/grub <<END
   > GRUB_ENABLE_CRYPTODISK=y
   > END

In the same file, the initramfs has to be told which device to unlock. First, find the UUID of the LUKS partition (the `crypto_LUKS` line, not the UUIDs of the filesystems inside it).

   # lsblk -f
   NAME                 FSTYPE      LABEL UUID                                   MOUNTPOINT
   sda                                                                           
   └─sda1               crypto_LUKS       135f3c06-26a0-437f-a05e-287b036440a4   
     └─voidvm        LVM2_member       gjOBNB-SXiK-qcGn-uHxp-ZdBZ-14wd-4FIL7p 
       ├─voidvm-root xfs         root  b4e4aa35-e819-42a4-bbfc-cdcd74f1df8a   /
       ├─voidvm-swap swap              1f8e9ca3-65bc-45b8-b7d0-6300587dfcf8   [SWAP]
       └─voidvm-home xfs         home  b6cedb19-d8f6-4629-8519-cd2e7279ec2c   /home
   sr0                                                                           


Edit the `GRUB_CMDLINE_LINUX_DEFAULT=` line in `/etc/default/grub`. `rd.auto=1` is the dracut option that makes the initramfs auto-assemble the dm-crypt, LVM and RAID devices it finds; `cryptdevice=UUID=...:lvm` is the syntax of Arch's mkinitcpio `encrypt` hook, which dracut ignores (dracut's own equivalent is `rd.luks.uuid=<UUID>`), so it is harmless here but does no work. Make sure the UUID is the `crypto_LUKS` one from your `lsblk` output above. Run the `sed` only once: it appends the parameters on every invocation, so check the resulting line before moving on.

   # sed -i '/GRUB_CMDLINE_LINUX_DEFAULT=/s/"$/ rd.auto=1 cryptdevice=UUID=135f3c06-26a0-437f-a05e-287b036440a4:lvm&/' /etc/default/grub

GRUB has already unlocked the container once to load the kernel, and the initramfs would have to unlock it a second time to mount `/`. To avoid typing the passphrase twice, add a key file as a second keyslot. The key file lives in `/boot`, which is on the encrypted root, and is copied into the initramfs, which is also in `/boot`, so it never sits on disk in cleartext; anyone who can read either file can unlock the volume, hence the restrictive permissions below. If you ever move `/boot` to an unencrypted partition, remove this keyslot first.

   # dd bs=512 count=4 if=/dev/urandom of=/boot/volume.key
   4+0 records in
   4+0 records out
   2048 bytes (2.0 kB, 2.0 KiB) copied, 0.000421265 s, 4.9 MB/s
   # cryptsetup luksAddKey /dev/sda1 /boot/volume.key
   Enter any existing passphrase: 
   # chmod 000 /boot/volume.key
   # chmod -R g-rwx,o-rwx /boot

Add the key file to `/etc/crypttab` so the initramfs knows which key opens which container. The second field is the LUKS device; `UUID=<crypto_LUKS uuid>` is more robust than `/dev/sda1`, which can change if disks are added or reordered.

   # cat >> /etc/crypttab <<END
   > voidvm   /dev/sda1   /boot/volume.key   luks
   > END

Then tell dracut to copy the key file and `crypttab` into the initramfs. dracut only embeds what `install_items` lists, and without the key the initramfs will prompt for the passphrase again.

   # cat >> /etc/dracut.conf.d/10-crypt.conf <<END
   > install_items+=" /boot/volume.key /etc/crypttab "
   > END

Now finish the last stages: install GRUB to the MBR, then reconfigure the kernel package (`linux4.17` here; use whichever `linux<version>` package `xbps-install` pulled in), which rebuilds the initramfs with dracut and regenerates the GRUB configuration. This must come after the `crypttab` and dracut changes, or the key file will not be in the image.

   # grub-install /dev/sda
   # xbps-reconfigure -f linux4.17
   # ^D
   # reboot

On reboot, GRUB prompts for the LUKS passphrase before it can load the kernel (the original page shows a screenshot of this prompt here). Once the initramfs takes over it unlocks the container with the key file, and from then on the system boots like any other. From here you can finish configuring the system: create users, install an environment, and so on.

For EFI/UEFI

Only a few changes are necessary.

1. The disk uses a GPT label with a separate "EFI System" partition, formatted vfat and mounted at /boot/efi; the LUKS container goes on the second partition:

   # fdisk -l /dev/sda
   Disk /dev/sda: 48 GiB, 51539607552 bytes, 100663296 sectors
   Units: sectors of 1 * 512 = 512 bytes
   Sector size (logical/physical): 512 bytes / 512 bytes
   I/O size (minimum/optimal): 512 bytes / 512 bytes
   Disklabel type: gpt
   Disk identifier: EE4F2A1A-8E7F-48CA-B3D0-BD7A01F6D8A0
   
   Device      Start       End   Sectors  Size Type
   /dev/sda1    2048    264191    262144  128M EFI System
   /dev/sda2  264192 100663262 100399071 47.9G Linux filesystem

2. Format the EFI System partition and mount it at `/mnt/boot/efi`, after `/dev/voidvm/root` has been mounted at `/mnt`:

   # mkdir -p /mnt/boot/efi
   # mkfs.vfat /dev/sda1
   # mount /dev/sda1 /mnt/boot/efi

3. The install command pulls in the EFI build of GRUB (`grub-x86_64-efi`) instead of `grub`:

   # xbps-install -Sy -R http://alpha.de.repo.voidlinux.org/current -r /mnt base-system cryptsetup grub-x86_64-efi lvm2

4. Don't forget the fstab entry for /boot/efi:

   /dev/sda1	/boot/efi	vfat	defaults	0	0

5. Every reference to `/dev/sda1` as the LUKS device (`luksFormat`, `luksOpen`, `luksAddKey`, `crypttab` and the `crypto_LUKS` UUID in `lsblk`) now means `/dev/sda2`, since `/dev/sda1` is the EFI System partition. `grub-install` likewise has to install the x86_64-efi target into the mounted EFI System partition rather than writing to the MBR of `/dev/sda`.
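For both the MBR and the EFI layout above, a single mismatch (a wrong UUID on the kernel command line, a key file left readable by others, a missing `crypttab` or `install_items` entry, no `/boot/efi` line in fstab) only shows up as a second passphrase prompt or an unbootable system after `reboot`. The script below is an added example, not part of the wiki page, that checks those files for consistency before leaving the chroot. It assumes the page's conventions: one LUKS1 container, a volume group named like the mapper device (`voidvm`), the key file at `/boot/volume.key`, dracut and GRUB. The function names and the `efi` flag that turns on the `/boot/efi` check are the example's own.

```shell
#!/bin/sh
# preflight.sh: pre-reboot consistency checks for the encrypted-boot layout
# built above. Added example, not from the Void wiki. Assumes the page's
# conventions (LUKS1, VG named like the mapper device, /boot/volume.key,
# dracut, GRUB). File checks take a root directory so they run against /mnt
# from the live CD, against / inside the chroot, or against a scratch tree.

# Print the LUKS UUID named on the kernel command line in a grub defaults file,
# accepting the page's cryptdevice=UUID=... form or dracut's rd.luks.uuid=...
grub_cmdline_uuid() {                                # <grub-defaults-file>
    grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1" |
        sed -E -n 's/.*(cryptdevice=UUID=|rd\.luks\.uuid=)([0-9a-fA-F-]+).*/\2/p' |
        head -n 1
}

# GRUB must be allowed to read LUKS volumes, and the UUID on the command line
# must be that of the container which actually holds the volume group.
check_grub_defaults() {                              # <root> <luks-uuid>
    f="$1/etc/default/grub"
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$f" ||
        { echo "grub: GRUB_ENABLE_CRYPTODISK=y missing in $f"; return 1; }
    found=$(grub_cmdline_uuid "$f")
    [ "$found" = "$2" ] ||
        { echo "grub: command line names UUID '$found', expected '$2'"; return 1; }
}

# crypttab needs "<name> <device> <keyfile> luks[,...]"; a /dev/sdX path works
# but does not survive disks being added or renumbered, so warn about it.
check_crypttab() {                                   # <root> <name> <keyfile>
    awk -v n="$2" -v k="$3" '
        $1 == n && $3 == k && $4 ~ /(^|,)luks(,|$)/ { ok = 1 }
        $1 == n && $2 ~ /^\/dev\/sd/ { print "crypttab: " $2 " is a device path; UUID=... is safer" }
        END { exit !ok }' "$1/etc/crypttab" ||
        { echo "crypttab: no entry for '$2' using key file $3"; return 1; }
}

# dracut copies only what install_items lists: the key file and crypttab.
check_dracut_conf() {                                # <root> <keyfile>
    for item in "$2" /etc/crypttab; do
        cat "$1"/etc/dracut.conf.d/*.conf 2>/dev/null | grep install_items |
            grep -qF -- "$item" ||
            { echo "dracut: $item is not in install_items"; return 1; }
    done
}

# The key file must exist, be non-empty and be closed to group/other, as must
# /boot, where the initramfs carrying a copy of it will live.
check_keyfile() {                                    # <root> <keyfile>
    for p in "$1$2" "$1/boot"; do
        [ -e "$p" ] || { echo "keyfile: $p does not exist"; return 1; }
        mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")
        case "$mode" in
            0|*00) ;;
            *) echo "keyfile: $p has mode $mode; group/other bits must be clear"; return 1 ;;
        esac
    done
    [ -s "$1$2" ] || { echo "keyfile: $1$2 is empty"; return 1; }
}

# fstab must mount / from a logical volume of the group; for the EFI layout it
# must also mount the vfat EFI System partition at /boot/efi for grub-install.
check_fstab() {                                      # <root> <vg> [efi]
    awk -v vg="$2" -v efi="${3:-}" '
        $1 !~ /^#/ && $2 == "/" && index($1, "/dev/" vg "/") == 1 { root = 1 }
        $1 !~ /^#/ && $2 == "/boot/efi" && $3 == "vfat"            { esp = 1 }
        END {
            if (!root) { print "fstab: / is not on a logical volume of " vg; exit 1 }
            if (efi == "efi" && !esp) { print "fstab: no vfat entry for /boot/efi"; exit 1 }
        }' "$1/etc/fstab"
}

# Run every file check and report all failures, not just the first.
preflight() {                                        # <root> <luks-uuid> <name> <keyfile> [efi]
    rc=0
    check_grub_defaults "$1" "$2"          || rc=1
    check_crypttab      "$1" "$3" "$4"     || rc=1
    check_dracut_conf   "$1" "$4"          || rc=1
    check_keyfile       "$1" "$4"          || rc=1
    check_fstab         "$1" "$3" "${5:-}" || rc=1
    return $rc
}

# Checks that need the real device and tools; run inside the chroot after the
# initramfs has been rebuilt. Not exercised by the offline test.
check_live() {                                       # <luks-device> <keyfile>
    cryptsetup luksDump "$1" | grep -qE '^Version:[[:space:]]+1$' ||
        { echo "$1: header is not LUKS1, GRUB cannot unlock it"; return 1; }
    cryptsetup luksOpen --test-passphrase --key-file "$2" "$1" ||
        { echo "$1: key file $2 does not open the container"; return 1; }
    for img in /boot/initramfs-*.img; do
        lsinitrd "$img" | grep -qF "${2#/}" ||
            { echo "$img does not contain $2"; return 1; }
    done
}

# Usage inside the chroot, UUID from `cryptsetup luksUUID /dev/sda1`:
#   sh preflight.sh / 135f3c06-26a0-437f-a05e-287b036440a4 voidvm /boot/volume.key [efi]
if [ $# -ge 4 ]; then
    preflight "$@" && echo "preflight: configuration is consistent"
fi
```

Run it inside the chroot as `sh preflight.sh / <uuid> voidvm /boot/volume.key`, adding `efi` for the UEFI layout, with the UUID from `cryptsetup luksUUID` on the LUKS partition (`/dev/sda1` on MBR, `/dev/sda2` on EFI). After `xbps-reconfigure` has rebuilt the initramfs, source the file and call `check_live /dev/sda1 /boot/volume.key` to confirm the header is LUKS1, the key opens the container and the image really carries the key. For the EFI variant the page leaves the bootloader step implicit: in place of `grub-install /dev/sda` it is `grub-install --target=x86_64-efi --efi-directory=/boot/efi`, which writes to the partition the fstab check confirms is mounted at `/boot/efi`.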