Talk:Full Disk Encryption From Scratch

From Gentoo Wiki
Jump to:navigation Jump to:search
Note
Before creating a discussion or leaving a comment, please read about using talk pages. To create a new discussion, click here. Comments on an existing discussion should be signed using ~~~~:
A comment [[User:Larry|Larry]] 13:52, 13 May 2024 (UTC)
: A reply [[User:Sally|Sally]] 06:47, 13 December 2024 (UTC)
:: Your reply ~~~~

Swap partition

Talk status
This discussion is done.

The article does not consider the creation of the swap partition. --Mimosinnet 06:59, 3 March 2018 (UTC)

I never used encryption for swap, so I can't add information how to do it. Maybe, someone from community can add such info. P.S. For laptop - suspend to RAM are pretty enough, for desktop - same. If I haven't enough RAM to do something (compilation of libreoffice) -> then temporary swap file on encrypted partition are enought. -- Feniksa 18:00, 4 March 2018 (UTC)

I have found that this article covers the encrypted swap and hibernation

   User:Sakaki/Sakaki's_EFI_Install_Guide/Preparing_the_LUKS-LVM_Filesystem_and_Boot_USB_Key

-- citizenkepler 17:24, 3 October 2018 (UTC)

cryptsetup command

Talk status
This discussion is done.

The article suggests the command:

root@localhost #cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s /dev/sdX3

The key size in bits should follow the -s flag. Therefore, the previous command does not work. What about:

root@localhost #cryptsetup -s 512 luksFormat /dev/sdX3

--Mimosinnet 08:45, 15 March 2018 (UTC)

Completed in a previous edit. --Grknight (talk) 02:15, 8 November 2018 (UTC)

grub needs device-mapper support

Talk status
This discussion is done.

As far as I know grub needs to be compiled with the device-mapper USE flag in order to support lvm. This should be mentioned somewhere.

root@localhost #echo "sys-boot/grub:2 device-mapper" >> /etc/portage/package.use/sys-boot

--weidenba 8:15, 2nd September 2018 (UTC)

Added, thanks. --Grknight (talk) 02:17, 8 November 2018 (UTC)

Some mistakes in article

Talk status
This discussion is still ongoing as of 7 August 2021.

You've done a couple of mistakes in here.. You're instructing to make a /dev/ssX1 partition of 2M using parted, but it never gets used.. The first thing is making a filesystem for it, your guide does not include it, also, it says that I should use the command "mount /boot" while it is after following this guide already mounted, it does not direct into mounting /boot/efi/ partition /dev/sdX1 for the EFI parts of a GRUB installation. There's no alternative for if the system does not support EFI (such as in if I had an older computer lying around) while the software works for encrypting an LVM volume by using dmcrypt) and grub-install, and that you might want to run a grub-install directly into the MBR (after the necessary modifications to the grub.cfg file) to make grub boot a legacy system, which is: grub-install /dev/sdX Optional: As this is supposed to be an encrypted disk, not really exactly necessary, but optional, to wipe the disk using a: dd if=/dev/urandom of=/dev/sdX or at least: dd if=/dev/urandom of=/dev/sdX3 (the encrypted LVM partition) after the partition has been unlocked or before formatting it and making any Volume Groups on it.. Other than that, this guide is good for installing a minimal Gentoo system, just see the first part, it makes no sense to use parted for a separate EFI partition which never gets formatted using the appropriate file system and the referral says to mount /boot while it's already mounted, do I not want to install grub efi files into something as such as /boot/efi (after /dev/sdX1 is mounted, you skipped this step), instead? Yes I do. And if I can't.. If I'm on a legacy system, I can still run: grub-install /dev/sdX to install grub into the MBR, or the system won't boot.. H4cr (talk) 00:14, 7 August 2021 (UTC)H4cr

Would like to second this comment regarding the /dev/sdX1 "BIOS Boot" partition that is effectively unused. I just completed the process, and this partition is just completely zero (as it was when I created it). It looks like both parted and cfdisk already reserve some space at the beginning and end of the disk for the GPT (perhaps what was intended by that first partition?), and UEFI contains the boot program. May this be necessary for legacy/non-UEFI systems (if so, that should be in the documentation)? -- Kloepfer (talk) 20:40, 20 February 2023 (UTC)

Formatting

Talk status
This discussion is done as of 2024-05-18.

A bit of formatting, e.g. list/ paragraphs would make it more readable. It is not my page but I often consult it and use it at least once every 3 months. Have a look at the Gentoo installation instructions or any basic partitioning guide regarding the 2M at the beginning. They're used for the bootloader and don't need a file system nor will this get every mounted. --Onkobu (talk) 20:13, 12 August 2021 (UTC)

Closing this, since the formatting looks fine to me three years later.
Waldo Lemmer 19:01, 18 May 2024 (UTC)

About mounting

Talk status
This discussion is still ongoing as of 2021-08-12.

Also mounting something more than once errors out with a message that it is already mounted (unless it is a tmpfs). And if you carefully look at /etc/fstab the options say noauto – don't mount after boot. This is essential if you want to play safe. Gentoo now complains in a lot of places if /boot is to be mounted prior to actions like installing linux firmware or kernel images. So basically after booting there'll be no partition holding /boot mounted – in a sane system. (MBR and /boot are two different things. BIOS starts GRUB2 from MBR which in turn hands over control to the appropriate kernel in /boot. That could be on any disk available to GRUB2, even a multitude of mixed IDE/ USB/ SATA drives – with os-prober to the rescue and 10 different non-Gentoo-Linux-flavors.) --Onkobu (talk) 20:13, 12 August 2021 (UTC)

UEFI vs BIOS

Talk status
This discussion is still ongoing as of 2021-08-12.

And with or without EFI doesn't matter that much. I run both with different LVM-setups but all with GRUB2. You're absolutely free to add a section with non-UEFI-installation (that looks absolutely the same except the GRUB-install regarding efi-vars). I assume you're not using hardware that doesn't support GPT partition tables. (I remember it only vaguely that I ran a 15 year old mainboard with a MBR-formatted boot disk and put all the fancy stuff on another disk that was started through GRUB 2, Would be sufficient to boot into any recent LVM partition.) --Onkobu (talk) 20:13, 12 August 2021 (UTC)

Wiping

Talk status
This discussion is done as of 2024-05-18.

And finally wiping the disk with dd is not the best solution for all types of drives. I personally own some NVMe boards that support cryptography on their own as well as safe erasing. Also SSDs don't want to be written like this. Some users also run RAID arrays for sensitive data that are quite large and will sync data across the array, e.g. a 5TByte RAID6. It doesn't make much sense to wipe such disks prior or after RAID formation since data is scattered all over the drives. So these are not mistakes but maybe the short guide lacks some context and completeness – intentionally thus have a look at the Gentoo Installation Guide. --Onkobu (talk) 20:13, 12 August 2021 (UTC)

The article now mentions firmware-based secure wipe twice. Closing.
Waldo Lemmer 19:01, 18 May 2024 (UTC)

Few more details for newbies?

Talk status
This discussion is done as of 2024-05-18.

I recently got to this page because I needed full disc encryption for the first time after 15 years of using Gentoo Linux. It worked, so thanks a lot for this page! However, there were a few situations where it wasn't (immediately) clear to me what to do next. I'm guessing other newbies may find the same, so I want suggest a few clarifications here, rather than adding them to the page directly and getting them wrong.

  • Regarding Section 2: I have a single-user laptop and want /, /var and /home in a single root partition. Should I create the LVM with a single logical volume? Or do I not need the LVM at all? if the latter, should I jump to Section 13: Simple disk encryption (and then jump back to Section 6)? I wasn't not sure, so it would be nice to spend an introductory sentence on this.
I believe the example in section Disk preparation makes this pretty clear now. The sections you reference do not exist anymore, so I can't comment on them. — Waldo Lemmer 18:47, 18 May 2024 (UTC)
  • Section 6 is called Gentoo installation, but would Preparing the Gentoo installation or Mounting the partitions be a better description of the contents?
It's debatable. I think either of the three is fine. Feel free to make this edit. — Waldo Lemmer 18:47, 18 May 2024 (UTC)
  • In Section 8: fstab (and 10: Install Grub2), it was quite a puzzle to me which UUID should go where (fstab, grub) and which are not used at all. Perhaps a remark like the following would help get the needed overview:

Note that:

    • The UUIDs of /dev/sdb2 and /dev/mapper/vg0-* are required for fstab;
    • The UUID of /dev/sdb3 is required when installing grub later.
  • In Section 9: kernel, I had not compiled support for xz decompression into my kernel, and hence couldn't unzip my INITRAMFS. Is that something to point out here? E.g.
KERNEL xz decompression
--- General setup
    [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
    [*]   Support initial ramdisk/ramfs compressed using XZ
I believe the note "Because the subvolumes are created where they would be mounted, they do not need fstab entries.", as well as the example, make the fstab part a little more clear. But if you don't understand which UUID should be passed to the bootloader, you should probably take a look at the simpler Rootfs encryption article instead. — Waldo Lemmer 18:47, 18 May 2024 (UTC)

The note at the bottom of that section reads To build only initramfs:, but perhaps To build only initramfs with genkernel (and not the kernel and modules themselves): would be clearer.

That note doesn't exist anymore. — Waldo Lemmer 18:47, 18 May 2024 (UTC)
  • In Section 10: grub, I think the last Note (LUKS passphrase, hidden prompt) refers to the boot process, not the current step, correct? If so, perhaps adding during boot to the first sentence would help to clarify this.
Again, the article doesn't contain information about GRUB anymore. Please see Rootfs encryption. — Waldo Lemmer 18:47, 18 May 2024 (UTC)
  • Section 11: Finalizing never mentions rebooting the system. Because the sections so far were steps in the general process, but the next sections are not (necessarily), perhaps adding a few steps would make this clearer, e.g.
(chroot) root@localhost:/#umount /boot
(chroot) root@localhost:/#exit # Leave chroot
root@localhost:/mnt/gentoo#cd
root@localhost:/#umount -l /mnt/gentoo/dev{/shm,/pts,}
root@localhost:/#umount -R /mnt/gentoo
root@localhost:/#reboot

This would clarify to the user where we are in the general Gentoo installation, and also that the sections below are not (necessarily) additional steps in the same process.

The last section instructs users to follow "Installing a stage tarball" in the Handbook, which contains those steps. — Waldo Lemmer 18:47, 18 May 2024 (UTC)
  • Section 12: SSD mostly deals with Grub. Should it become Subsection 10.1?
Not anymore. — Waldo Lemmer 18:47, 18 May 2024 (UTC)
  • Sectons 13-16 are not steps in the general process (except perhaps 15: automatic mount?). Should that be made clearer, e.g. using
    • 13 Alternative: Simple disk encryption w/o LVM
      • Could there be an opening sentence to explain when this is useful/desired?
  • Section 13: Simple encryption...: I'm not sure when I would need this instead of the steps above.
  • Section 15: Automatic mount ...: I'm not sure what this does. Booting and decrypting the disc without passphrase? Should that be stated in a first sentence? And if that is what this does, how is a disc that is automatically unencrypted at boot more secure than a disc that is not encrypted at all? (sorry, newbie ;-)) Perhaps then the Section 11: Finalizing should refer to this?
These don't exist anymore. — Waldo Lemmer 18:47, 18 May 2024 (UTC)

--AstroFloyd (talk) 14:13, 16 December 2022 (UTC)

I feel that I have adequately addressed all the points in your comment, so I'm closing it. If you still have any concerns, please start a new discussion in order to keep things tidy.
Waldo Lemmer 18:47, 18 May 2024 (UTC)

Few suggested edits

Talk status
This discussion is done as of 2024-05-18.

I tried setting up an encrypted root partition without lvm on two computers, one with OpenRC and one with Systemd. The OpenRC required adding an entry to the /etc/crypttab and also adding "root_trim=yes rd.luks.uuid=(uuid of the encrypted partition)" to /etc/default/grub in the GRUB_CMDLINE_LINUX.

In the Systemd the computer you need to make sure to compile systemd with the cryptsetup USE flag.

Ran.Rutenberg (talk) 01:49, 3 January 2023 (UTC)

Note that it is not OpenRC that uses crypttab or rd.luks, but it is the dracut initramfs. This could be for either OpenRC or systemd. --Grknight (talk) 19:45, 3 January 2023 (UTC)
You are right. The changes I had to make are a result of using dracut (because I use the distribution kernel) instead of genkernel. Ran.Rutenberg (talk) 20:39, 9 January 2023 (UTC)
Looks like these changes have been integrated in Special:Diff/1245394.
Waldo Lemmer 12:59, 18 May 2024 (UTC)

Potentially wrong module name?

Talk status
This discussion is done as of 2024-05-18.

I'm currently installing Gentoo from the official installation media and the article suggests checking if the dm-crypt module is loaded with lsmod | grep dm-crypt, but the module seems to be called dm_crypt (at least on my version of the installation media). The official Linux documentation also says the module is called dm-crypt and not dm_crypt. Very confusing and I'm not sure whose wrong here.

Mathis Winterer (talk) 15:22, 15 June 2023 (UTC)


I think either works:

user $modinfo dm-crypt
filename:       /lib/modules/6.5.9-gentoo-initramfs/kernel/drivers/md/dm-crypt.ko.xz
license:        GPL
description:    device-mapper target for transparent encryption / decryption
author:         Jana Saout <jana@saout.de>
depends:        
retpoline:      Y
intree:         Y
name:           dm_crypt
vermagic:       6.5.9-gentoo-initramfs SMP preempt mod_unload modversions RANDSTRUCT_6cfb8d0a3476f38045f255581c6ca2d59fc641b3c856fcb0603b75ce1a5b9620
sig_id:         PKCS#7
signer:         
sig_key:        
sig_hashalgo:   unknown
signature:  

Zen desu (talk) 17:00, 5 November 2023 (UTC)

modprobe(8):

note that for convenience, there is no difference between _ and - in module names (automatic underscore conversion is performed).

Waldo Lemmer 13:02, 18 May 2024 (UTC)

Some content should be copied from 'dm-crypt full disk encryption'

Talk status
This discussion is still ongoing as of 2024-06-03.

Some content should be copied from dm-crypt full disk encryption so that page can redirect here. Once done, this discussion can be closed.

Waldo Lemmer 06:18, 3 June 2024 (UTC)

Partition type

Talk status
This discussion is still ongoing.

I see that the article states:

Setting this property is optional, but if set, should match the architecture of the system.

But I'm not sure if this is correct. The partition will not be the root partition, as it will not have a raw filesystem on it, because it is a LUKS volume. So in my opinion, 8309 Linux LUKS (gdisk) should be used instead. The current state may cause problems for tools that rely on naive partition type checking, so such tools may not be able to identify the partition as LUKS. In any case, I don't understand why the article says that this property is optional only for this particular partition. Linux does not care about partition types. Are there any UEFI firmwares that will not boot if the EFI partition is not EF00? Coreboot does not care about partition types either. I don't use bootloaders, but I'm still skeptical that they are strict in this case. --Lars Hint (talk) 14:37, 22 August 2024 (UTC)