Talk:Full Disk Encryption From Scratch Simplified

From Gentoo Wiki
Jump to:navigation Jump to:search
This is a Talk page - please see the documentation about using talk pages. Add newer comments below older ones, sign comments using four tildes (~~~~), and indent successive comments with colons (:). Add new sections at the bottom of the page, under a heading (== ==). Please remember to mark sections as "open for discussion" using {{talk|open}}, so they will show up in the list of open discussions.

Swap partition

Talk status
This discussion is done.

The article does not consider the creation of the swap partition. --Mimosinnet 06:59, 3 March 2018 (UTC)

I never used encryption for swap, so I can't add information how to do it. Maybe, someone from community can add such info. P.S. For laptop - suspend to RAM are pretty enough, for desktop - same. If I haven't enough RAM to do something (compilation of libreoffice) -> then temporary swap file on encrypted partition are enought. -- Feniksa 18:00, 4 March 2018 (UTC)

I have found that this article covers the encrypted swap and hibernation


-- citizenkepler 17:24, 3 October 2018 (UTC)

cryptsetup command

Talk status
This discussion is done.

The article suggests the command:

root@localhost #cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s /dev/sdX3

The key size in bits should follow the -s flag. Therefore, the previous command does not work. What about:

root@localhost #cryptsetup -s 512 luksFormat /dev/sdX3

--Mimosinnet 08:45, 15 March 2018 (UTC)

Completed in a previous edit. --Grknight (talk) 02:15, 8 November 2018 (UTC)

grub needs device-mapper support

Talk status
This discussion is done.

As far as I know grub needs to be compiled with the device-mapper USE flag in order to support lvm. This should be mentioned somewhere.

root@localhost #echo "sys-boot/grub:2 device-mapper" >> /etc/portage/package.use/sys-boot

--weidenba 8:15, 2nd September 2018 (UTC)

Added, thanks. --Grknight (talk) 02:17, 8 November 2018 (UTC)

Some mistakes in article

Talk status
This discussion is still ongoing as of 7 August 2021.

You've done a couple of mistakes in here.. You're instructing to make a /dev/ssX1 partition of 2M using parted, but it never gets used.. The first thing is making a filesystem for it, your guide does not include it, also, it says that I should use the command "mount /boot" while it is after following this guide already mounted, it does not direct into mounting /boot/efi/ partition /dev/sdX1 for the EFI parts of a GRUB installation. There's no alternative for if the system does not support EFI (such as in if I had an older computer lying around) while the software works for encrypting an LVM volume by using dmcrypt) and grub-install, and that you might want to run a grub-install directly into the MBR (after the necessary modifications to the grub.cfg file) to make grub boot a legacy system, which is: grub-install /dev/sdX Optional: As this is supposed to be an encrypted disk, not really exactly necessary, but optional, to wipe the disk using a: dd if=/dev/urandom of=/dev/sdX or at least: dd if=/dev/urandom of=/dev/sdX3 (the encrypted LVM partition) after the partition has been unlocked or before formatting it and making any Volume Groups on it.. Other than that, this guide is good for installing a minimal Gentoo system, just see the first part, it makes no sense to use parted for a separate EFI partition which never gets formatted using the appropriate file system and the referral says to mount /boot while it's already mounted, do I not want to install grub efi files into something as such as /boot/efi (after /dev/sdX1 is mounted, you skipped this step), instead? Yes I do. And if I can't.. If I'm on a legacy system, I can still run: grub-install /dev/sdX to install grub into the MBR, or the system won't boot.. H4cr (talk) 00:14, 7 August 2021 (UTC)H4cr

A bit of formatting, e.g. list/ paragraphs would make it more readable. It is not my page but I often consult it and use it at least once every 3 months. Have a look at the Gentoo installation instructions or any basic partitioning guide regarding the 2M at the beginning. They're used for the bootloader and don't need a file system nor will this get every mounted.

Also mounting something more than once errors out with a message that it is already mounted (unless it is a tmpfs). And if you carefully look at /etc/fstab the options say noauto – don't mount after boot. This is essential if you want to play safe. Gentoo now complains in a lot of places if /boot is to be mounted prior to actions like installing linux firmware or kernel images. So basically after booting there'll be no partition holding /boot mounted – in a sane system. (MBR and /boot are two different things. BIOS starts GRUB2 from MBR which in turn hands over control to the appropriate kernel in /boot. That could be on any disk available to GRUB2, even a multitude of mixed IDE/ USB/ SATA drives – with os-prober to the rescue and 10 different non-Gentoo-Linux-flavors.)

And with or without EFI doesn't matter that much. I run both with different LVM-setups but all with GRUB2. You're absolutely free to add a section with non-UEFI-installation (that looks absolutely the same except the GRUB-install regarding efi-vars). I assume you're not using hardware that doesn't support GPT partition tables. (I remember it only vaguely that I ran a 15 year old mainboard with a MBR-formatted boot disk and put all the fancy stuff on another disk that was started through GRUB 2, Would be sufficient to boot into any recent LVM partition.)

And finally wiping the disk with dd is not the best solution for all types of drives. I personally own some NVMe boards that support cryptography on their own as well as safe erasing. Also SSDs don't want to be written like this. Some users also run RAID arrays for sensitive data that are quite large and will sync data across the array, e.g. a 5TByte RAID6. It doesn't make much sense to wipe such disks prior or after RAID formation since data is scattered all over the drives. So these are not mistakes but maybe the short guide lacks some context and completeness – intentionally thus have a look at the Gentoo Installation Guide. --Onkobu (talk) 20:13, 12 August 2021 (UTC)