Talk:Full Disk Encryption From Scratch

From Gentoo Wiki

Swap partition

Talk status
This discussion is done.

The article does not consider the creation of the swap partition. --Mimosinnet 06:59, 3 March 2018 (UTC)

I never used encryption for swap, so I can't add information on how to do it. Maybe someone from the community can add such info. P.S. For a laptop, suspend to RAM is pretty much enough; for a desktop, the same. If I don't have enough RAM to do something (compilation of LibreOffice), then a temporary swap file on the encrypted partition is enough. -- Feniksa 18:00, 4 March 2018 (UTC)

I have found that this article covers the encrypted swap and hibernation

-- citizenkepler 17:24, 3 October 2018 (UTC)

cryptsetup command

Talk status
This discussion is done.

The article suggests the command:

root@localhost # cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s /dev/sdX3

The key size in bits should follow the -s flag. Therefore, the previous command does not work. What about:

root@localhost # cryptsetup -s 512 luksFormat /dev/sdX3

--Mimosinnet 08:45, 15 March 2018 (UTC)

Completed in a previous edit. --Grknight (talk) 02:15, 8 November 2018 (UTC)

grub needs device-mapper support

Talk status
This discussion is done.

As far as I know grub needs to be compiled with the device-mapper USE flag in order to support lvm. This should be mentioned somewhere.

root@localhost # echo "sys-boot/grub:2 device-mapper" >> /etc/portage/package.use/sys-boot

--weidenba 8:15, 2nd September 2018 (UTC)

Added, thanks. --Grknight (talk) 02:17, 8 November 2018 (UTC)

Some mistakes in article

Talk status
This discussion is still ongoing as of 7 August 2021.

You've made a couple of mistakes in here. You're instructing to make a /dev/sdX1 partition of 2M using parted, but it never gets used. The first thing is making a filesystem for it; your guide does not include it. Also, it says that I should use the command "mount /boot" while, after following this guide, it is already mounted. It does not direct into mounting the /boot/efi partition /dev/sdX1 for the EFI parts of a GRUB installation.

There's no alternative for if the system does not support EFI (such as if I had an older computer lying around), while the software works for encrypting an LVM volume by using dmcrypt and grub-install, and you might want to run grub-install directly into the MBR (after the necessary modifications to the grub.cfg file) to make grub boot a legacy system, which is: grub-install /dev/sdX

Optional: as this is supposed to be an encrypted disk, not really necessary, but optional, to wipe the disk using: dd if=/dev/urandom of=/dev/sdX or at least: dd if=/dev/urandom of=/dev/sdX3 (the encrypted LVM partition) after the partition has been unlocked or before formatting it and making any Volume Groups on it.

Other than that, this guide is good for installing a minimal Gentoo system. Just see the first part: it makes no sense to use parted for a separate EFI partition which never gets formatted using the appropriate file system, and the referral says to mount /boot while it's already mounted. Do I not want to install grub EFI files into something such as /boot/efi (after /dev/sdX1 is mounted; you skipped this step) instead? Yes I do. And if I can't, if I'm on a legacy system, I can still run: grub-install /dev/sdX to install grub into the MBR, or the system won't boot. H4cr (talk) 00:14, 7 August 2021 (UTC)

A bit of formatting, e.g. list/paragraphs, would make it more readable. It is not my page but I often consult it and use it at least once every 3 months. Have a look at the Gentoo installation instructions or any basic partitioning guide regarding the 2M at the beginning. They're used for the bootloader and don't need a file system, nor will this ever get mounted.

Also mounting something more than once errors out with a message that it is already mounted (unless it is a tmpfs). And if you carefully look at /etc/fstab the options say noauto – don't mount after boot. This is essential if you want to play safe. Gentoo now complains in a lot of places if /boot is to be mounted prior to actions like installing linux firmware or kernel images. So basically after booting there'll be no partition holding /boot mounted – in a sane system. (MBR and /boot are two different things. BIOS starts GRUB2 from MBR which in turn hands over control to the appropriate kernel in /boot. That could be on any disk available to GRUB2, even a multitude of mixed IDE/ USB/ SATA drives – with os-prober to the rescue and 10 different non-Gentoo-Linux-flavors.)

And with or without EFI doesn't matter that much. I run both with different LVM setups but all with GRUB2. You're absolutely free to add a section with non-UEFI installation (that looks absolutely the same except the GRUB install regarding efi-vars). I assume you're not using hardware that doesn't support GPT partition tables. (I remember it only vaguely that I ran a 15 year old mainboard with an MBR-formatted boot disk and put all the fancy stuff on another disk that was started through GRUB 2; it would be sufficient to boot into any recent LVM partition.)

And finally, wiping the disk with dd is not the best solution for all types of drives. I personally own some NVMe boards that support cryptography on their own as well as safe erasing. Also SSDs don't want to be written like this. Some users also run RAID arrays for sensitive data that are quite large and will sync data across the array, e.g. a 5 TByte RAID6. It doesn't make much sense to wipe such disks prior to or after RAID formation since data is scattered all over the drives. So these are not mistakes, but maybe the short guide lacks some context and completeness – intentionally, so have a look at the Gentoo Installation Guide. --Onkobu (talk) 20:13, 12 August 2021 (UTC)

Would like to second the first comment in this thread regarding the /dev/sdX1 "BIOS Boot" partition that is effectively unused. I just completed the process, and this partition is just completely zero (as it was when I created it). It looks like both parted and cfdisk already reserve some space at the beginning and end of the disk for the GPT (perhaps what was intended by that first partition?), and UEFI contains the boot program. May this be necessary for legacy/non-UEFI systems (if so, that should be in the documentation)? -- Kloepfer (talk) 20:40, 20 February 2023 (UTC)

Few more details for newbies?

Talk status
This is a good first discussion for new contributors as of 2024-05-18.

I recently got to this page because I needed full disc encryption for the first time after 15 years of using Gentoo Linux. It worked, so thanks a lot for this page! However, there were a few situations where it wasn't (immediately) clear to me what to do next. I'm guessing other newbies may find the same, so I want to suggest a few clarifications here, rather than adding them to the page directly and getting them wrong.

  • Regarding Section 2: I have a single-user laptop and want /, /var and /home in a single root partition. Should I create the LVM with a single logical volume? Or do I not need the LVM at all? If the latter, should I jump to Section 13: Simple disk encryption (and then jump back to Section 6)? I wasn't sure, so it would be nice to spend an introductory sentence on this.
  • Section 6 is called Gentoo installation, but would Preparing the Gentoo installation or Mounting the partitions be a better description of the contents?
  • In Section 8: fstab (and 10: Install Grub2), it was quite a puzzle to me which UUID should go where (fstab, grub) and which are not used at all. Perhaps a remark like the following would help get the needed overview:

Note that:

    • The UUIDs of /dev/sdb2 and /dev/mapper/vg0-* are required for fstab;
    • The UUID of /dev/sdb3 is required when installing grub later.
  • In Section 9: kernel, I had not compiled support for xz decompression into my kernel, and hence couldn't unzip my INITRAMFS. Is that something to point out here? E.g.
KERNEL xz decompression
--- General setup
    [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
    [*]   Support initial ramdisk/ramfs compressed using XZ

The note at the bottom of that section reads To build only initramfs:, but perhaps To build only initramfs with genkernel (and not the kernel and modules themselves): would be clearer.

  • In Section 10: grub, I think the last Note (LUKS passphrase, hidden prompt) refers to the boot process, not the current step, correct? If so, perhaps adding during boot to the first sentence would help to clarify this.
  • Section 11: Finalizing never mentions rebooting the system. Because the sections so far were steps in the general process, but the next sections are not (necessarily), perhaps adding a few steps would make this clearer, e.g.
(chroot) root@localhost:/# umount /boot
(chroot) root@localhost:/# exit # Leave chroot
root@localhost:/# umount -l /mnt/gentoo/dev{/shm,/pts,}
root@localhost:/# umount -R /mnt/gentoo

This would clarify to the user where we are in the general Gentoo installation, and also that the sections below are not (necessarily) additional steps in the same process.

  • Section 12: SSD mostly deals with Grub. Should it become Subsection 10.1?
  • Sections 13-16 are not steps in the general process (except perhaps 15: automatic mount?). Should that be made clearer, e.g. using
    • 13 Alternative: Simple disk encryption w/o LVM
      • Could there be an opening sentence to explain when this is useful/desired?
  • Section 13: Simple encryption...: I'm not sure when I would need this instead of the steps above.
  • Section 15: Automatic mount ...: I'm not sure what this does. Booting and decrypting the disc without passphrase? Should that be stated in a first sentence? And if that is what this does, how is a disc that is automatically unencrypted at boot more secure than a disc that is not encrypted at all? (sorry, newbie ;-)) Perhaps then the Section 11: Finalizing should refer to this?

--AstroFloyd (talk) 14:13, 16 December 2022 (UTC)

Please feel free to make these additions.
If there are things you are unsure about, feel free to move them to a new discussion.
Waldo Lemmer 12:54, 18 May 2024 (UTC)

Few suggested edits

Talk status
This discussion is done as of 2024-05-18.

I tried setting up an encrypted root partition without lvm on two computers, one with OpenRC and one with Systemd. The OpenRC required adding an entry to the /etc/crypttab and also adding "root_trim=yes rd.luks.uuid=(uuid of the encrypted partition)" to /etc/default/grub in the GRUB_CMDLINE_LINUX.

In the Systemd computer you need to make sure to compile systemd with the cryptsetup USE flag.

Ran.Rutenberg (talk) 01:49, 3 January 2023 (UTC)

Note that it is not OpenRC that uses crypttab or rd.luks, but it is the dracut initramfs. This could be for either OpenRC or systemd. --Grknight (talk) 19:45, 3 January 2023 (UTC)
You are right. The changes I had to make are a result of using dracut (because I use the distribution kernel) instead of genkernel. Ran.Rutenberg (talk) 20:39, 9 January 2023 (UTC)
Looks like these changes have been integrated in Special:Diff/1245394.
Waldo Lemmer 12:59, 18 May 2024 (UTC)
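Two questions in the threads above come down to the same thing: which UUID goes where. AstroFloyd asks (Section 8/10) which UUIDs belong in fstab and which in the GRUB configuration, and Ran.Rutenberg's note gives the dracut form of the answer (`rd.luks.uuid=` on the kernel command line plus an /etc/crypttab entry). The script below is an added example, not code from the wiki article or from any commenter: it parses `blkid -o export` style output and routes the LUKS container UUID to the kernel command line and crypttab, and the filesystem UUIDs of the mapped logical volumes to fstab. The blkid sample, the device names, the UUIDs, the mapper name `cryptroot`, the volume group `vg0` and the mount-point table are all constructed for illustration. The kernel parameter is the dracut one from the note above; a genkernel initramfs takes a different parameter, which this example does not cover.

```shell
#!/bin/sh
# Added example (not from the wiki article or its commenters): sort the UUIDs that
# `blkid -o export` reports into the file each one belongs in for a LUKS-on-LVM
# layout. Everything in SAMPLE_BLKID is constructed; a real run would pipe
# `blkid -o export` into parse_blkid instead.

SAMPLE_BLKID='DEVNAME=/dev/sdb2
UUID=1111-2222
TYPE=vfat

DEVNAME=/dev/sdb3
UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
TYPE=crypto_LUKS

DEVNAME=/dev/mapper/cryptroot
UUID=pvpvpv-0000-1111-2222-3333-4444-555555
TYPE=LVM2_member

DEVNAME=/dev/mapper/vg0-root
UUID=00000000-1111-2222-3333-444444444444
TYPE=ext4

DEVNAME=/dev/mapper/vg0-home
UUID=55555555-6666-7777-8888-999999999999
TYPE=ext4
'

# Parse `blkid -o export` output (stdin) into one "DEVNAME UUID TYPE" line per device.
# Records are blank-line separated, so awk's paragraph mode (RS="") splits them.
parse_blkid() {
  awk 'BEGIN { RS = ""; FS = "\n" }
  {
    dev = ""; uuid = ""; type = ""
    for (i = 1; i <= NF; i++) {
      eq = index($i, "=")
      key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
      if (key == "DEVNAME") { dev = val }
      else if (key == "UUID") { uuid = val }
      else if (key == "TYPE") { type = val }
    }
    if (dev != "" && uuid != "") { print dev, uuid, type }
  }'
}

# The LUKS container is the only device whose UUID the bootloader/initramfs needs.
luks_uuid() {
  printf '%s' "$SAMPLE_BLKID" | parse_blkid | awk '$3 == "crypto_LUKS" { print $2; exit }'
}

# Fragment for GRUB_CMDLINE_LINUX in /etc/default/grub (dracut parameter).
grub_cmdline_fragment() {
  printf 'rd.luks.uuid=%s\n' "$(luks_uuid)"
}

# /etc/crypttab line: <mapper name> <device> <key file> <options>; "none" prompts for the passphrase.
crypttab_line() {
  printf 'cryptroot UUID=%s none luks\n' "$(luks_uuid)"
}

# Where each filesystem is mounted; an assumption for this example.
mountpoint_for() {
  case "$1" in
    /dev/sdb2) echo /boot ;;
    /dev/mapper/vg0-root) echo / ;;
    /dev/mapper/vg0-home) echo /home ;;
    *) echo "" ;;
  esac
}

# fstab gets the filesystem UUIDs only: the LUKS container and the LVM physical
# volume inside it are never mounted directly, so they are skipped here.
fstab_lines() {
  printf '%s' "$SAMPLE_BLKID" | parse_blkid | while read -r dev uuid type; do
    case "$type" in
      crypto_LUKS|LVM2_member) continue ;;
    esac
    mp=$(mountpoint_for "$dev")
    if [ -z "$mp" ]; then continue; fi
    opts=defaults; pass=2
    if [ "$mp" = / ]; then pass=1; fi
    if [ "$mp" = /boot ]; then opts=noauto,noatime; fi   # /boot stays unmounted after boot
    printf 'UUID=%s\t%s\t%s\t%s\t0 %s\n' "$uuid" "$mp" "$type" "$opts" "$pass"
  done
}

echo "# GRUB_CMDLINE_LINUX fragment:"; grub_cmdline_fragment
echo "# /etc/crypttab:";               crypttab_line
echo "# /etc/fstab:";                  fstab_lines
```

The split is the point: the container's UUID (TYPE=crypto_LUKS) is what the initramfs must unlock before any filesystem exists, so it lives in the boot configuration; the filesystems that appear on /dev/mapper/vg0-* only exist after unlocking, so their UUIDs go in fstab. The opened container itself shows up as an LVM2_member and belongs in neither file.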

Potentially wrong module name?

Talk status
This discussion is done as of 2024-05-18.

I'm currently installing Gentoo from the official installation media and the article suggests checking if the dm-crypt module is loaded with lsmod | grep dm-crypt, but the module seems to be called dm_crypt (at least on my version of the installation media). The official Linux documentation also says the module is called dm-crypt and not dm_crypt. Very confusing and I'm not sure who's wrong here.

Mathis Winterer (talk) 15:22, 15 June 2023 (UTC)

I think either works:

user $ modinfo dm-crypt
filename:       /lib/modules/6.5.9-gentoo-initramfs/kernel/drivers/md/dm-crypt.ko.xz
license:        GPL
description:    device-mapper target for transparent encryption / decryption
author:         Jana Saout <>
retpoline:      Y
intree:         Y
name:           dm_crypt
vermagic:       6.5.9-gentoo-initramfs SMP preempt mod_unload modversions RANDSTRUCT_6cfb8d0a3476f38045f255581c6ca2d59fc641b3c856fcb0603b75ce1a5b9620
sig_id:         PKCS#7
sig_hashalgo:   unknown

Zen desu (talk) 17:00, 5 November 2023 (UTC)

Note that for convenience, there is no difference between _ and - in module names (automatic underscore conversion is performed).

Waldo Lemmer 13:02, 18 May 2024 (UTC)
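The practical consequence of the underscore conversion described in this thread is that `lsmod | grep dm-crypt` finds nothing even when the module is loaded, because `lsmod` prints the kernel's canonical name `dm_crypt`. The check below is an added example, not code from the wiki article or from any commenter: it normalizes the requested name the way the kernel does (every `-` becomes `_`) and matches it against the module column of `lsmod` output, so either spelling works. The `lsmod` listing is constructed for the example; in a real check `lsmod` would be piped in instead of `SAMPLE_LSMOD`.

```shell
#!/bin/sh
# Added example (not from the wiki article or its commenters): a module-loaded
# check that does not depend on whether the caller writes dm-crypt or dm_crypt.

# Constructed sample of `lsmod` output; module names, sizes and use counts are made up.
SAMPLE_LSMOD='Module                  Size  Used by
dm_crypt               53248  1
dm_mod                172032  3 dm_crypt
xts                    16384  1
aes_generic            40960  0
'

# Normalize a module name the way the kernel does: every '-' becomes '_'.
normalize_module() {
  printf '%s\n' "$1" | sed 's/-/_/g'
}

# Return 0 if the module is present in the lsmod listing on stdin, matching on
# the first column only (so "dm_mod ... dm_crypt" in the "Used by" column does
# not count as dm_crypt being loaded). The header line is skipped.
module_loaded() {
  want=$(normalize_module "$1")
  awk -v want="$want" 'NR > 1 && $1 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# The plain-text grep from the thread above, kept for comparison: it matches the
# literal spelling anywhere on the line, so "dm-crypt" never matches "dm_crypt".
naive_check() {
  grep -q "$1"
}

# Usage: the normalized check finds the module under both spellings; the naive grep does not.
printf '%s' "$SAMPLE_LSMOD" | module_loaded dm-crypt && echo "dm-crypt: loaded (normalized check)"
printf '%s' "$SAMPLE_LSMOD" | module_loaded dm_crypt && echo "dm_crypt: loaded (normalized check)"
printf '%s' "$SAMPLE_LSMOD" | naive_check dm-crypt  || echo "dm-crypt: not found by naive grep"
```

Matching on the first column matters as much as the normalization: a plain `grep dm_crypt` would also match the `Used by` column of `dm_mod`, which says who uses the module, not whether the module itself is listed.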