User:Yuri69/Drafts/Rootfs and home chained encryption

From Gentoo Wiki

This guide describes encrypting the root and home filesystems. This setup enhances privacy and prevents unauthorized access to the data on the disk.

This guide is heavily opinionated: it relies on GPT, EFI, systemd, dracut, and GRUB.

Installation

Emerge

Note
cryptsetup is included in the Gentoo LiveCD.
root #emerge --ask sys-fs/cryptsetup

System preparation

Important
The kernel must be configured according to: Dm-crypt: Kernel Configuration.

This guide is designed to be followed as part of a fresh Gentoo install. The handbook procedure can be followed up to the step AMD64 Handbook: Designing a partition scheme, at which point this guide takes over.

Disk preparation

Important
Partitioning typically does not involve modification of any of the data in partitions. If a drive is re-partitioned then encrypted, old data may remain in an unencrypted form until it is overwritten.
Note
Modern storage devices may not be securely erased with something like dd if=/dev/urandom of=/dev/sdX. See Secure wipe for more information.

This example uses GPT as the disk partitioning scheme. fdisk is used as the partitioning tool, though any partitioning utility will work.

See also
For more information about GPT and EFI, see Disks (AMD64 Handbook).

Create disk partitions

A common setup for a basic system with a single drive may contain a partition for the boot files, a partition for the system root, and a user home partition.

CODE Partition layout with boot partition
/dev/nvme0n1
 ├── /dev/nvme0n1p1       /efi       512 MB         fat32       bootloader
 ├── /dev/nvme0n1p2       /boot      512 MB         ext4        bootloader support files, kernel, initramfs
 ├── /dev/nvme0n1p3                  90 GB          luks        encrypted root partition
      └──  root           /          90 GB          xfs         root partition
 └── /dev/nvme0n1p4                  ->END          luks        encrypted home partition
      └──  home           /home      ->END          xfs         home partition

Create partitions

Configure GPT label

To create a partition layout using fdisk, start by creating a fresh partition table on the root disk:

root #fdisk /dev/nvme0n1
 
Welcome to fdisk (util-linux 2.38.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
 
Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x81391dbc.
Command (m for help):g
Created a new GPT disklabel (GUID: 8D91A3C1-8661-2940-9076-65B815B36906).

Create the EFI System Partition

With a GPT partition table created, the EFI System Partition (ESP) can be added using n:

Command (m for help):n
Partition number (1-128, default 1): 
First sector (2048-134217694, default 2048): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-134217694, default 134215679): +512M
 
Created a new partition 1 of type 'Linux filesystem' and of size 512 MiB.

The ESP property can be set using t:

Command (m for help):t
Selected partition 1
Partition type or alias (type L to list all): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.

Create the Extended Boot partition

The boot partition can be created with:

Command (m for help):n
Partition number (2-128, default 2): 
First sector (2099200-134217694, default 2099200): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2099200-134217694, default
134215679): +512M

Created a new partition 2 of type 'Linux filesystem' and of size 512 MiB.

The Linux Extended Boot property can be set using t:

Note
Setting this property is optional, but if set, should match the architecture of the system.
Command (m for help):t
Partition number (1-2, default 2):
Partition type or alias (type L to list all): 136
Changed type of partition 'Linux filesystem' to 'Linux Extended Boot'.

Create the Root partition

The root partition can be created with:

Command (m for help):n
Partition number (3-128, default 3):
First sector (4196352-134217694, default 4196352):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (4196352-134217694, default 134215679): +90G

Created a new partition 3 of type 'Linux filesystem' and of size 90 GiB.

The Linux Root (x86-64) property can be set using t:

Note
Setting this property is optional, but if set, should match the architecture of the system.
Command (m for help):t
Partition number (1-3, default 3):
Partition type or alias (type L to list all): 23
Changed type of partition 'Linux filesystem' to 'Linux Root (x86-64)'.

Create the Home partition

The home partition can be created with:

Command (m for help):n
Partition number (4-128, default 4): 
First sector (8196352-134217694, default 8196352): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (8196352-134217694, default 134215679):

Created a new partition 4 of type 'Linux filesystem' and of size 382 GiB.

The Linux home property can be set using t:

Command (m for help):t
Partition number (1-4, default 4):
Partition type or alias (type L to list all): 41
Changed type of partition 'Linux filesystem' to 'Linux home'.

Apply changes

Finally, the changes can be written with w:

Command (m for help):w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Create the LUKS encrypted root partition

To prepare the encrypted volume, dm-crypt is used:

Note
To ensure the dm-crypt module is loaded, the following command can be used:
root #modprobe dm-crypt

The status of the module can be checked with:

user $lsmod | grep dm-crypt

To format the root partition using LUKS, secured with a passphrase:

root #cryptsetup luksFormat --key-size 512 --iter-time 3000 --label root_luks /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters):
YES
Enter passphrase for /dev/nvme0n1p3:

Open the root LUKS volume

The encrypted device must be opened and mapped before it can be used:

root #cryptsetup luksOpen /dev/nvme0n1p3 root

Note
In this example, the volume is opened and mapped to /dev/mapper/root.

Format the Filesystems

Create a filesystem on /dev/nvme0n1p1, the EFI System Partition that will contain the bootloader. This partition is read by the UEFI firmware, which on most motherboards can only read a FAT32 filesystem:

root #mkfs.vfat -F32 /dev/nvme0n1p1

Next, format the extended boot partition. This partition must be readable by the bootloader, so ext4 can be used:

root #mkfs.ext4 -T small -L boot /dev/nvme0n1p2

Finally, create the root filesystem on the mapped LUKS volume (XFS is used in this example):

root #mkfs.xfs -L root /dev/mapper/root

Gentoo installation

If this procedure is being followed during a Gentoo install (replacing the handbook steps from Designing a partition scheme through Mounting the root partition), the install can be completed by following the handbook, with a few important considerations:

Important
* The cryptsetup USE-flag must be enabled:
FILE /etc/portage/package.use/systemd
sys-apps/systemd cryptsetup

The root file system can be mounted at /mnt/gentoo to continue the install with:

root #mount --label root /mnt/gentoo

At this point, the Gentoo installation can be continued: Installing a stage tarball.

/etc/crypttab initial setup

The root LUKS volume UUID information must be obtained:

user $lsblk -o name,uuid
NAME        UUID
nvme0n1
├─nvme0n1p1 BDF2-0139
├─nvme0n1p2 b0e86bef-30f8-4e3b-ae35-3fa2c6ae705b
├─nvme0n1p3 4bb45bd6-9ed9-44b3-b547-b411079f043b
│ └─root    cb070f9e-da0e-4bc5-825c-b01bb2707704
└─nvme0n1p4 abb45bd6-1e09-11b3-c56e-b4ae176f00ec

Allow systemd-cryptsetup to set the root LUKS volume up:

FILE /etc/crypttab: Specify the encrypted root volume UUID
root UUID=4bb45bd6-9ed9-44b3-b547-b411079f043b none luks,discard

Tip
The discard option passes discard (TRIM) commands through to the underlying device. Be aware that this reveals to anyone inspecting the raw device which blocks are unused.

Initramfs configuration

An initramfs is required to decrypt and mount the root partition. This guide builds it with dracut, with the LUKS parameters embedded as kernel command line parameters.

Important
This configuration should be done while chrooted, or on a live system.

The crypt module must be added to the add_dracutmodules directive in /etc/dracut.conf.d/luks.conf:

FILE /etc/dracut.conf.d/luks.conf: Minimum required component to decrypt LUKS volumes using dracut
add_dracutmodules+=" crypt "

Important
The spacing of dracut configuration directives matters. Ensure there are no spaces between add_dracutmodules and +=", and that the module names inside the quotes are padded with spaces on both sides.

The UUID of the root LUKS volume can be embedded in the initramfs as a kernel command line parameter in the same file:

FILE /etc/dracut.conf.d/luks.conf: Embed cmdline parameters for the rootfs decryption
add_dracutmodules+=" crypt "
kernel_cmdline="rd.luks.uuid=4bb45bd6-9ed9-44b3-b547-b411079f043b"

/boot must be mounted first:

root #mount --label boot /boot

Once /boot is mounted, a new initramfs can be generated and written to it. In the typical scenario the initramfs is being generated for a kernel other than the currently running one, so --kver must be used to specify the target kernel version:

root #dracut --kver 6.6.6-gentoo --hostonly

This is the case when the kernel version of the Gentoo LiveCD differs from the sys-kernel/gentoo-sources version that was emerged and compiled during the install.

Tip
Possible kernel versions can be found by using:
user $ls /lib/modules

GRUB installation

Follow the Handbook Bootloader section.

Initial /etc/fstab creation

The /etc/fstab file, which specifies the mount scheme, must be created. Use the volume UUIDs and LABELs to populate it:

user $lsblk -o name,uuid
NAME        UUID
nvme0n1
├─nvme0n1p1 BDF2-0139
├─nvme0n1p2 b0e86bef-30f8-4e3b-ae35-3fa2c6ae705b
├─nvme0n1p3 4bb45bd6-9ed9-44b3-b547-b411079f043b
│ └─root    cb070f9e-da0e-4bc5-825c-b01bb2707704
└─nvme0n1p4 abb45bd6-1e09-11b3-c56e-b4ae176f00ec

FILE /etc/fstab
UUID=BDF2-0139    /efi   vfat  defaults 1 2
LABEL=boot        /boot  ext4  defaults 0 2
LABEL=root        /      xfs   relatime 0 1
Note
The decrypted root volume label is used.

Reboot the system

The setup of the root filesystem is done. Now exit the chroot and reboot the system. The boot process should present a dialog asking for the root passphrase.

Create the LUKS encrypted home partition

The home LUKS partition is protected by a key file located on the previously encrypted root volume.

Generate home partition key file

Generate the key file protecting the home LUKS volume:

root #dd if=/dev/random of=/etc/cryptsetup-keys.d/home.key bs=512 count=8

Note
The .key files in the /etc/cryptsetup-keys.d/ directory are loaded automatically.[1] The directory must exist, and the key file should be readable by root only, since anyone able to read it can unlock the home volume.

Create the home partition using the key file

Use the previously generated key file to encrypt the home partition:

root #cryptsetup luksFormat --key-size 512 --iter-time 3000 --label home_luks --key-file /etc/cryptsetup-keys.d/home.key /dev/nvme0n1p4

WARNING!
========
This will overwrite data on /dev/nvme0n1p4 irrevocably.

Are you sure? (Type 'yes' in capital letters):
YES

Open the home LUKS volume

The encrypted device must be opened and mapped before it can be used:

root #cryptsetup luksOpen --key-file /etc/cryptsetup-keys.d/home.key /dev/nvme0n1p4 home

Format the home partition

Create the home filesystem on the mapped LUKS volume:

root #mkfs.xfs -L home /dev/mapper/home

Auto-decrypt the home partition

The home LUKS volume UUID information must be obtained:

user $lsblk -o name,uuid
NAME        UUID
nvme0n1
├─nvme0n1p1 BDF2-0139
├─nvme0n1p2 b0e86bef-30f8-4e3b-ae35-3fa2c6ae705b
├─nvme0n1p3 4bb45bd6-9ed9-44b3-b547-b411079f043b
│ └─root    cb070f9e-da0e-4bc5-825c-b01bb2707704
└─nvme0n1p4 abb45bd6-1e09-11b3-c56e-b4ae176f00ec
  └─home    fe0c0f3e-130f-ebc5-1354-401bb270e7ea

Allow systemd-cryptsetup to decrypt the home LUKS volume automatically using the home.key key file:

FILE /etc/crypttab: Specify both encrypted volumes by UUID
root UUID=4bb45bd6-9ed9-44b3-b547-b411079f043b none luks,discard
home UUID=abb45bd6-1e09-11b3-c56e-b4ae176f00ec -    luks,discard

Note
The mapped volume name home matches the key file name home.key, so there is no need to specify a path to the key file: systemd-cryptsetup looks up /etc/cryptsetup-keys.d/home.key on its own.
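The chain built across the /etc/crypttab, dracut and key file steps above has three pieces that must agree: the root UUID in crypttab, the rd.luks.uuid embedded by dracut, and the key file that systemd-cryptsetup resolves for an entry whose key field is - or none. The POSIX shell script below is an added example, not part of this wiki page; it constructs sample files with this page's UUIDs in a temporary directory, and the same check functions can be pointed at the real /etc/crypttab, /etc/dracut.conf.d/luks.conf and /etc/cryptsetup-keys.d.

```shell
#!/bin/sh
# Added example, not from the wiki page: check that the chained crypttab /
# dracut / key file configuration agrees with itself. make_sample writes
# constructed files using the page's UUIDs; the checks take paths as arguments.

# UUID of the crypttab entry with the given mapped name (empty if absent).
crypttab_uuid() {
    awk -v name="$2" '$1 == name && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2 }' "$1"
}
# rd.luks.uuid value embedded via kernel_cmdline in a dracut conf file.
dracut_luks_uuid() {
    sed -n 's/.*rd\.luks\.uuid=\([0-9a-fA-F-]*\).*/\1/p' "$1"
}
# check_chain <crypttab> <dracut.conf> <keydir>: returns 0 if consistent.
check_chain() {
    crypttab=$1 dracut=$2 keydir=$3 rc=0
    root_uuid=$(crypttab_uuid "$crypttab" root)
    [ -n "$root_uuid" ] || { echo "no root entry with a UUID in $crypttab"; rc=1; }
    # The initramfs unlocks the volume named by rd.luks.uuid, so it must be the root entry.
    [ "$(dracut_luks_uuid "$dracut")" = "$root_uuid" ] ||
        { echo "rd.luks.uuid in $dracut does not match the crypttab root UUID"; rc=1; }
    # A key field of '-' or 'none' makes systemd-cryptsetup try <keydir>/<name>.key;
    # that file alone unlocks the volume, so it must not be group/world readable.
    while read -r name _ key _; do
        case "$name" in ''|\#*) continue ;; esac
        case "$key" in -|none) key="$keydir/$name.key" ;; esac
        [ -f "$key" ] || continue
        case "$(stat -c %a "$key")" in
            400|600) ;;
            *) echo "$key is readable by group or others; expected mode 0400 or 0600"; rc=1 ;;
        esac
    done < "$crypttab"
    return "$rc"
}
# Constructed sample in a temp dir: root unlocked by passphrase, home by key
# file. Optional argument: mode for the key file (default 0400).
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/keys"
    printf 'root UUID=4bb45bd6-9ed9-44b3-b547-b411079f043b none luks,discard\n' > "$d/crypttab"
    printf 'home UUID=abb45bd6-1e09-11b3-c56e-b4ae176f00ec -    luks,discard\n' >> "$d/crypttab"
    printf 'add_dracutmodules+=" crypt "\nkernel_cmdline="rd.luks.uuid=%s"\n' \
        4bb45bd6-9ed9-44b3-b547-b411079f043b > "$d/luks.conf"
    head -c 4096 /dev/urandom > "$d/keys/home.key"
    chmod "${1:-0400}" "$d/keys/home.key"
    echo "$d"
}
sample=$(make_sample)
check_chain "$sample/crypttab" "$sample/luks.conf" "$sample/keys" && echo "chain is consistent: $sample"
```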

Add the home volume to /etc/fstab

Add the decrypted home volume LABEL to /etc/fstab:

user $lsblk -o name,uuid
NAME        UUID
nvme0n1
├─nvme0n1p1 BDF2-0139
├─nvme0n1p2 b0e86bef-30f8-4e3b-ae35-3fa2c6ae705b
├─nvme0n1p3 4bb45bd6-9ed9-44b3-b547-b411079f043b
│ └─root    cb070f9e-da0e-4bc5-825c-b01bb2707704
└─nvme0n1p4 abb45bd6-1e09-11b3-c56e-b4ae176f00ec
  └─home    fe0c0f3e-130f-ebc5-1354-401bb270e7ea

FILE /etc/fstab
UUID=BDF2-0139    /efi   vfat  defaults 1 2
LABEL=boot        /boot  ext4  defaults 0 2
LABEL=root        /      xfs   relatime 0 1
LABEL=home        /home  xfs   relatime 0 2
Note
The decrypted home volume label is used.

Regenerate the initramfs

Regenerate the initramfs image using dracut:

root #dracut --kver 6.6.6-gentoo --hostonly --force

Reboot the system

The boot process should prompt for the root passphrase; the home volume is then decrypted automatically using the key file.

LUKS Header Backup

Important
Do not skip this step. The passphrase and the key file only unlock key slots stored in the LUKS header; if the header is destroyed for any reason, the remaining data can only be recovered with a backup of the header.

The headers can be backed up with the following commands. The backup files contain the key slots, so store them off the encrypted devices and protect them as carefully as the key file:

root #cryptsetup luksHeaderBackup /dev/nvme0n1p3 --header-backup-file root_headers.img
root #cryptsetup luksHeaderBackup /dev/nvme0n1p4 --header-backup-file home_headers.img
