Rootfs encryption

From Gentoo Wiki
Jump to:navigation Jump to:search
This page contains changes which are not marked for translation.
Other languages:

Encrypting the root filesystem can enhance privacy, and prevent unauthorized access.



cryptsetup is included in the livecd.
root #emerge --ask sys-fs/cryptsetup

System preparation

The kernel must be configured according to: Dm-crypt: Kernel Configuration.

This guide is designed to be followed as part of a fresh Gentoo install, the install procedure can be followed until the following step: AMD64 Handbook: Designing a partition scheme

Disk preparation

Partitioning typically does not involve modification of any of the data in partitions. If a drive is re-partitioned then encrypted, old data may remain in an unencrypted form until it is overwritten.
Modern storage devices may not be securely erased with something like dd if=/dev/urandom of=/dev/sdX. See Secure wipe for more information.

This example will use GPT as disk partition schema. fdisk will be used as the partitioning tool though any partitioning utility will work.

See also
For more information about GPT and EFI, see Disks (AMD64 Handbook).

Create disk partitions

A common setup for a basic system with a single drive may contain a partition for the boot files, and a partition for the system root.

 ├── /dev/nvme0n1p1 [EFI]       /boot      1 GB         fat32       Bootloader, bootloader support files, kernel and initramfs
 └── /dev/nvme0n1p2 [LUKS]      (crypt)    ->END        luks        encrypted partition
      └──  rootfs               /          ->END        btrfs       root partition

Create partitions

To create a partition layout using fdisk, start by creating a fresh partition table on the root disk:

root #fdisk /dev/nvme0n1
Welcome to fdisk (util-linux 2.38.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x81391dbc.
Command (m for help):g
Created a new GPT disklabel (GUID: 8D91A3C1-8661-2940-9076-65B815B36906).

With a GPT partition table created, the boot partition can be added using n:

Command (m for help):n
Partition number (1-128, default 1): 
First sector (2048-1953525134, default 2048): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-1953525134, default 1953523711): +1G
Created a new partition 1 of type 'Linux filesystem' and of size 1 GiB.

The ESP properties can be set using t:

Command (m for help):t
Selected partition 1
Partition type or alias (type L to list all): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.

The root partition can be crated with:

Command (m for help):n
Partition number (1-128, default 2): 
First sector (1050624-1953525134, default 2048): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (1050624-1953525134, default 1953523711):
Created a new partition 2 of type 'Linux filesystem' and of size 931 GiB.

Finally, the changes can be written with w:

Command (m for help):w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Create the LUKS encrypted partition

To prepare the encrypted filesystem, dm-crypt can be used:

To ensure the dm-crypt module is loaded, the following command can be used:
root #modprobe dm-crypt

The status of the module can be checked with:

user $lsmod | grep dm-crypt

To format the root partition using LUKS, secured with a passphrase:

root #cryptsetup luksFormat --key-size 512 /dev/nvme0n1p2
This will overwrite data on /dev/nvme0n1p2 irrevocably.
Are you sure? (Type 'yes' in capital letters): 
Enter passphrase for /dev/nvme0n1p2:

LUKS Header Backup

Do not forget this step, keys/passwords are used to decrypt the LUKS header, if it is destroyed for some reason, the remaining data will only be recoverable with the header file.

The headers can be backed up with:

root #cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file crypt_headers.img

Open the LUKS volume

The encrypted device must be opened and mapped before it can be used, this can be done with:

root #cryptsetup luksOpen /dev/nvme0n1p2 crypt
In this example, the volume is opened and mapped to /dev/mapper/crypt.

Format the Filesystems

Create a filesystem for /dev/nvme0n1p1, the boot partition which will contain bootloader and kernel files. This partition is read by UEFI. Most motherboards can read only a FAT32 filesystem:

root #mkfs.vfat -F32 /dev/nvme0n1p1

Next create root filesystem (in this example btrfs is used):

root #mkfs.btrfs -L rootfs /dev/mapper/crypt

Gentoo installation

If this procedure is being followed during a Gentoo install (in place of Handbook:AMD64/Full/Installation through Handbook:AMD64/Full/Installation), the following steps can be used to mount the created partition, to continue with the install.

Mount the root partition

The root file system can be mounted at this created location with:

root #mount LABEL=rootfs /mnt/gentoo

Finalizing the Gentoo install

The general install guide should apply. A few considerations must be made, the initial RAM filesystem must be built with support for decrypting the root partition, and the bootloader must be installed and configured.

At this point, the Gentoo install can be continued normally: Installing a stage tarball with a few considerations, listed below.

fstab configuration

The correct /etc/fstab file must be edited, if this is being done before chrooting, ensure the correct path is being used. More information exists in the filesystem portion of the install guide.

For consistent volume mounting, labels and UUIDs must be used.

Block devices and their associated partition IDs can be viewed with:

root #lsblk -o name,uuid
NAME        UUID
├─nvme0n1p1 BDF2-0139
└─nvme0n1p2 4bb45bd6-9ed9-44b3-b547-b411079f043b
  └─crypt   cb070f9e-da0e-4bc5-825c-b01bb2707704

With the partition UUIDs and labels identified, /etc/fstab can be edited to add relevant mounts:

FILE /mnt/gentoo/etc/fstab
# <fs>                                          <mountpoint>    <type>          <opts>          <dump/pass>
UUID=BDF2-0139                                  /boot           vfat            noauto,noatime  1 2
LABEL=rootfs                                    /               btrfs           defaults        0 1

Initramfs configuration

An initramfs must be used to decrypt and mount the root partition. This can be accomplished using Dracut, using parameters passed in the kernel command line.

This configuration should be done while chrooted, or on a live system.

The following modules must be added to the add_dracutmodules directive in /etc/dracut.conf:

FILE /etc/dracut.confMinimum required components to decrypt LUKS volumes using dracut
add_dracutmodules+=" crypt dm rootfs-block "
The spacing for Dracut configuration directives is very important. Ensure there are no spaces between add_dracutmodules and +=", parameters in add_dracutmodules must be padded with spaces.

Dracut can be configured to build with configuration for LUKS hardcoded, first disk information must be obtained:

root #lsblk -o name,uuid
NAME        UUID
└─sda1      BDF2-0139
└─nvme0n1p1 4bb45bd6-9ed9-44b3-b547-b411079f043b
  └─crypt   cb070f9e-da0e-4bc5-825c-b01bb2707704
FILE /etc/dracut.confEmbed cmdline parameters for rootfs decryption
kernel_cmdline+=" root=UUID=cb070f9e-da0e-4bc5-825c-b01bb2707704 rd.luks.uuid=4bb45bd6-9ed9-44b3-b547-b411079f043b "
If using GRUB, the root= parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT option in /etc/default/grub.
Embedding the root= option into the kernel commandline is required when using sys-boot/systemd-boot, but redundant when using GRUB's grub-mkconfig, which will automatically add that parameter.

If systemd is used as init-system, it should be compiled with cryptsetup USE-flag:

FILE /etc/portage/package.use/systemd
sys-apps/systemd cryptsetup

And rebuild systemd:

root #emerge --ask sys-apps/systemd

Once Dracut is configured, a new initramfs can be generated by running:

root #dracut
Dracut writes the file to /boot by default, this must be mounted.

If the initramfs is being generated for a kernel other than the currently active one, --kver must be used:

root #dracut --kver 6.1.28-gentoo

This can happen in a situation when the kernel version in the Gentoo Live CD differs from the emerged sys-kernel/gentoo-sources in the kernel compilation process.

Possible kernel versions can be found by using ls /lib/modules.

See also