Full Disk Encryption w/Encrypted Boot

From Void Linux Wiki
Revision as of 19:45, 28 August 2018 by Aedinius (talk | contribs) (For MBR Based Systems)

For MBR Based Systems

Boot the live CD as normal and login.

Your drive's block device and other information may be different, so keep an eye out.

Create a single physical partition on the disk using `cfdisk`, marking it bootable. When done, `fdisk` output should look like this:

   # fdisk -l /dev/sda
   Disk /dev/sda: 48 GiB, 51539607552 bytes, 100663296 sectors
   Units: sectors of 1 * 512 = 512 bytes
   Sector size (logical/physical): 512 bytes / 512 bytes
   I/O size (minimum/optimal): 512 bytes / 512 bytes
   Disklabel type: dos
   Disk identifier: 0x4d532059
   Device     Boot Start       End   Sectors Size Id Type
   /dev/sda1  *     2048 100663295 100661248  48G 83 Linux

Configure the encrypted volume. Be sure to choose a strong password, and don't forget it!

   # cryptsetup luksFormat /dev/sda1
   This will overwrite data on /dev/sda1 irrevocably.
   Are you sure? (Type uppercase yes): YES
   Enter passphrase: 
   Verify passphrase: 

Once the volume is created, it needs to be opened. You can replace voidvm with any name you want.

   # cryptsetup luksOpen /dev/sda1 voidvm      
   Enter passphrase for /dev/sda1: 

Once the LUKS container is opened, create the LVM volume group using that partition.

   # vgcreate voidvm /dev/mapper/voidvm
     Volume group "voidvm" successfully created

You should now have an empty volume group named `voidvm`. Other instructions I've seen use different names for the encrypted volume and the volume group, but in my experience I haven't seen any issues.

For this system, I chose 10G for `/`, 2G for `swap`, and will assign the rest to `/home`. You can choose whatever values work for your system.

   # lvcreate --name root -L 10G voidvm
     Logical volume "root" created.
   # lvcreate --name swap -L 2G voidvm
     Logical volume "swap" created.
   # lvcreate --name home -l 100%FREE voidvm
     Logical volume "home" created.

Next, create the filesystems.

   # mkfs.xfs -L root /dev/voidvm/root
   meta-data=/dev/voidvm/root       isize=512    agcount=4, agsize=655360 blks
   # mkfs.xfs -L home /dev/voidvm/home
   meta-data=/dev/voidvm/home       isize=512    agcount=4, agsize=2359040 blks
   # mkswap /dev/voidvm/swap
   Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)

Now, we can setup the chroot and get the base system installed.

   # mount /dev/voidvm/root /mnt
   # for dir in dev proc sys; do
   > mkdir -p /mnt/$dir
   > mount --rbind /$dir /mnt/$dir
   > done
   # mkdir -p /mnt/home
   # mount /dev/voidvm/home /mnt/home

Before we enter the chroot to finish up configuration, we do the actual install.

   # xbps-install -Sy -R http://auto.voidlinux.org/current -r /mnt base-system lvm2 cryptsetup grub
   [*] Updating `http://auto.voidlinux.org/current/x86_64-repodata' ...
   x86_64-repodata: 1516KB [avg rate: 83KB/s]
   `http://auto.voidlinux.org/current' repository has been RSA signed by "Void Linux"
   Fingerprint: 60:ae:0c:d6:f0:95:17:80:bc:93:46:7a:89:af:a3:2d
   Do you want to import this public key? [Y/n] y
   123 packages will be downloaded:

This part may take a while.

When it's done, we can enter the `chroot` and finish up the configuration.

   # chroot /mnt
   # chown root:root /
   # chmod 755 /
   # passwd root
   # echo voidvm > /etc/hostname
   # echo "LANG=en_US.UTF-8" > /etc/locale.conf
   # echo "en_US.UTF-8 UTF-8" >> /etc/default/libc-locales
   # xbps-reconfigure -f glibc-locales

The next step is editing `/etc/fstab`, which will depend on how you configured and named your filesystems. For this example, the file should look like this:

   # <file system>    <dir>  <type>  <options>              <dump>  <pass>
   tmpfs              /tmp   tmpfs   defaults,nosuid,nodev  0       0
   /dev/voidvm/root   /      xfs     defaults               0       0
   /dev/voidvm/home   /home  xfs     defaults               0       0
   /dev/voidvm/swap   swap   swap    defaults               0       0

Next, we need to configure `grub` so that it can open the LUKS container and read the kernel and initramfs from it.

   # cat >> /etc/default/grub <<END
   > GRUB_ENABLE_CRYPTODISK=y
   > END

In the same file, we need to tell the kernel where the crypto device is. First, find the UUID of the device.

   # lsblk -f
   NAME                 FSTYPE      LABEL UUID                                   MOUNTPOINT
   └─sda1               crypto_LUKS       135f3c06-26a0-437f-a05e-287b036440a4   
     └─voidvm        LVM2_member       gjOBNB-SXiK-qcGn-uHxp-ZdBZ-14wd-4FIL7p 
       ├─voidvm-root xfs         root  b4e4aa35-e819-42a4-bbfc-cdcd74f1df8a   /
       ├─voidvm-swap swap              1f8e9ca3-65bc-45b8-b7d0-6300587dfcf8   [SWAP]
       └─voidvm-home xfs         home  b6cedb19-d8f6-4629-8519-cd2e7279ec2c   /home

Edit the `GRUB_CMDLINE_LINUX_DEFAULT=` line in `/etc/default/grub` and add `rd.auto=1` and `cryptdevice=UUID=135f3c06-26a0-437f-a05e-287b036440a4:lvm`. Make sure the UUID is the one shown for the `crypto_LUKS` device (`sda1`, not the LVM volumes inside it) in your own `lsblk` output above.

GRUB unlocks the container once to load the kernel and initramfs, and the initramfs would then ask for the passphrase a second time to mount the root filesystem. To avoid entering the password twice on boot, we'll configure a (protected) key file.

   # dd bs=512 count=4 if=/dev/urandom of=/boot/volume.key
   4+0 records in
   4+0 records out
   2048 bytes (2.0 kB, 2.0 KiB) copied, 0.000421265 s, 4.9 MB/s
   # cryptsetup luksAddKey /dev/sda1 /boot/volume.key
   Enter any existing passphrase: 
   # chmod 000 /boot/volume.key
   # chmod -R g-rwx,o-rwx /boot

This keyfile will need to be added to the `crypttab`.

   # cat >> /etc/crypttab <<END
   > voidvm   /dev/sda1   /boot/volume.key   luks
   > END

And then the keyfile and `crypttab` need to be included in the initramfs. Because the initramfs written to `/boot` will contain the key, `/boot` must stay inside the encrypted volume (as it does here, since there is no separate boot partition) and keep the restricted permissions set above.

   # cat >> /etc/dracut.conf.d/10-crypt.conf <<END
   > install_items+=" /boot/volume.key /etc/crypttab "
   > END
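Before running `grub-install` and rebuilding the initramfs, it is worth checking that the pieces above fit together. The script below is an added example, not code from the Void Linux wiki: it parses the LUKS UUID out of `lsblk -f` output (the step described under editing `GRUB_CMDLINE_LINUX_DEFAULT` above), adds `rd.auto=1` and the `cryptdevice=` argument to `/etc/default/grub` without duplicating them on a second run, and audits the key file mode, the `/boot` permissions, the `crypttab` entry and the dracut `install_items` line. The function names, the `make_fixture` scratch tree and the sample `lsblk` text are this example's own constructions; the paths are the ones the recipe uses, and `stat -c %a` assumes GNU coreutils.

```shell
#!/bin/sh
# Added helper (example code, not from the Void Linux wiki): derives the
# cryptdevice= argument from `lsblk -f` output, adds it to /etc/default/grub,
# and audits the key-file, crypttab and dracut pieces of the recipe before
# grub-install and the initramfs rebuild. File paths follow the recipe; the
# function names and the fixture are this example's own. Uses GNU stat.

# Print the UUID of the crypto_LUKS entry in `lsblk -f` output read on stdin.
# The LABEL column is empty for the LUKS partition, so columns shift; pick
# the field shaped like a UUID instead of trusting a column number.
luks_uuid_from_lsblk() {
    awk '/crypto_LUKS/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9a-f-]+$/ && length($i) == 36) { print $i; exit }
    }'
}

# Add rd.auto=1 and cryptdevice=UUID=$2:lvm to GRUB_CMDLINE_LINUX_DEFAULT in
# file $1. Tokens already present are left alone, so re-running is safe.
add_crypt_cmdline() {
    awk -v add="rd.auto=1 cryptdevice=UUID=$2:lvm" '
        /^GRUB_CMDLINE_LINUX_DEFAULT=/ {
            sub(/^GRUB_CMDLINE_LINUX_DEFAULT="?/, ""); sub(/"$/, "")
            n = split(add, want, " ")
            for (i = 1; i <= n; i++)
                if (index(" " $0 " ", " " want[i] " ") == 0) {
                    if ($0 == "") $0 = want[i]; else $0 = $0 " " want[i]
                }
            $0 = "GRUB_CMDLINE_LINUX_DEFAULT=\"" $0 "\""
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Audit target root $1 (e.g. /mnt from the live CD, or / inside the chroot)
# against LUKS UUID $2. Prints one line per failed check; returns non-zero if
# any check failed.
check_encrypted_boot() {
    root=$1 uuid=$2 fail=0
    grub=$root/etc/default/grub
    key=$root/boot/volume.key
    dracut=$root/etc/dracut.conf.d/10-crypt.conf

    grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=.*rd\.auto=1" "$grub" 2>/dev/null \
        || { echo "FAIL: rd.auto=1 missing from GRUB_CMDLINE_LINUX_DEFAULT"; fail=1; }
    grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=.*cryptdevice=UUID=$uuid:lvm" "$grub" 2>/dev/null \
        || { echo "FAIL: cryptdevice=UUID=$uuid:lvm missing from GRUB_CMDLINE_LINUX_DEFAULT"; fail=1; }

    # The key file opens the container without a passphrase, so nobody may
    # read it (the recipe sets mode 000) ...
    [ "$(stat -c %a "$key" 2>/dev/null)" = 0 ] \
        || { echo "FAIL: $key missing or not mode 000"; fail=1; }
    # ... and /boot, where the initramfs embedding it is written, must have
    # no group/other permissions either.
    case $(stat -c %a "$root/boot" 2>/dev/null) in
        700|500) ;;
        *) echo "FAIL: $root/boot still has group/other permissions"; fail=1 ;;
    esac

    grep -q '/boot/volume.key' "$root/etc/crypttab" 2>/dev/null \
        || { echo "FAIL: crypttab does not use /boot/volume.key"; fail=1; }
    { grep -q 'install_items+=.*/boot/volume.key' "$dracut" \
        && grep -q 'install_items+=.*/etc/crypttab' "$dracut"; } 2>/dev/null \
        || { echo "FAIL: $dracut does not install the key file and crypttab"; fail=1; }
    return $fail
}

# Constructed sample of `lsblk -f` output, copied from the recipe's listing.
SAMPLE_LSBLK='NAME                 FSTYPE      LABEL UUID                                   MOUNTPOINT
└─sda1               crypto_LUKS       135f3c06-26a0-437f-a05e-287b036440a4
  └─voidvm        LVM2_member       gjOBNB-SXiK-qcGn-uHxp-ZdBZ-14wd-4FIL7p
    ├─voidvm-root xfs         root  b4e4aa35-e819-42a4-bbfc-cdcd74f1df8a   /'

# Constructed stand-in for the target root, mirroring the files the recipe
# writes. The key content is irrelevant to the checks (the real key comes
# from the dd step), only its mode matters.
make_fixture() {
    mkdir -p "$1/etc/default" "$1/etc/dracut.conf.d" "$1/boot"
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4"' > "$1/etc/default/grub"
    printf 'CONSTRUCTED-KEY-MATERIAL' > "$1/boot/volume.key"
    chmod 000 "$1/boot/volume.key"
    chmod -R g-rwx,o-rwx "$1/boot"
    echo 'voidvm   /dev/sda1   /boot/volume.key   luks' > "$1/etc/crypttab"
    echo 'install_items+=" /boot/volume.key /etc/crypttab "' > "$1/etc/dracut.conf.d/10-crypt.conf"
}

# Stand-alone demo on a scratch directory instead of the real target:
scratch=$(mktemp -d)
make_fixture "$scratch"
uuid=$(printf '%s\n' "$SAMPLE_LSBLK" | luks_uuid_from_lsblk)
add_crypt_cmdline "$scratch/etc/default/grub" "$uuid"
cat "$scratch/etc/default/grub"
check_encrypted_boot "$scratch" "$uuid" && echo "all checks passed"
rm -rf "$scratch"
```

On a real install, run it as root from the live environment with `/mnt` as the target root (`lsblk -f | luks_uuid_from_lsblk`, then `add_crypt_cmdline /mnt/etc/default/grub <uuid>` and `check_encrypted_boot /mnt <uuid>`), or with `/` inside the chroot. Any `FAIL:` line points at a step to redo before `grub-install`.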

Now we can finish up the last few stages of installation.

   # grub-install /dev/sda
   # xbps-reconfigure -f linux4.17
   # ^D
   # reboot

The system should prompt for a password at the grub prompt, like so:

After that it boots like a normal system. From here on, you can finish configuring your system, including user creation, environment installation, etc.

For EFI Based Systems

Only a few changes are necessary compared to the MBR procedure above.

1. The partition layout needs a separate "EFI System" partition, formatted as vfat and mounted on `/boot/efi`:

   # fdisk -l /dev/sda
   Disk /dev/sda: 48 GiB, 51539607552 bytes, 100663296 sectors
   Units: sectors of 1 * 512 = 512 bytes
   Sector size (logical/physical): 512 bytes / 512 bytes
   I/O size (minimum/optimal): 512 bytes / 512 bytes
   Disklabel type: gpt
   Disk identifier: EE4F2A1A-8E7F-48CA-B3D0-BD7A01F6D8A0
   Device      Start       End   Sectors  Size Type
   /dev/sda1    2048    264191    262144  128M EFI System
   /dev/sda2  264192 100663262 100399071 47.9G Linux filesystem

2. Create the vfat filesystem on `/dev/sda1` and mount it at `/mnt/boot/efi`, after mounting `/dev/voidvm/root` at `/mnt`:

   # mkdir -p /mnt/boot/efi
   # mkfs.vfat /dev/sda1
   # mount /dev/sda1 /mnt/boot/efi

3. The installation command should pull in the EFI GRUB package instead of `grub`:

   # xbps-install -Sy -R http://auto.voidlinux.org/current -r /mnt base-system cryptsetup grub-x86_64-efi lvm2

4. Don't forget the fstab entry for /boot/efi:

   /dev/sda1	/boot/efi	vfat	defaults	0	0

5. All references to `sda1` as the encrypted device (`luksFormat`, `luksOpen`, `luksAddKey`, the `crypttab` entry and the UUID used for `cryptdevice=`) should of course refer to `sda2` instead.