Full disk encryption

Hi,

I am new to encryption (never used it so far).

I have been reading about the benefits of full disk encryption and it seems this is what I am looking for:

https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Plain_dm-crypt

My goal is for a single hard drive:

  • separate / and /home using ext4
  • 1 GiB of swap
  • full encryption of everything

However I am not sure how to do it properly on openSUSE. I seem to end up with 3 partitions:

  • 8 MiB BIOS boot (which seems unencrypted after installation, although I told it to be encrypted during the installation procedure)

  • encrypted /swap partition

  • LVM based encrypted PV which includes / and /home as I want them

I also have to enter the password twice on startup and on each boot there is some check going on for one UUID which ends up with some red dependency failure.

How should I do all this correctly please?

The easy way to do this with openSUSE:

At the partitioning step, you are offered a suggested (proposed) partitioning.

There’s a button you can click for “Guided Setup”. Click on that.

In the next screen (or second screen), check the box to use an LVM. Once you select that, there should also be a box to encrypt the LVM.

There, or on a later screen, there is a place where you can say that you want a separate “/home”. I suggest that. The wording might say “home partition” but it should give you a home logical volume in the LVM.

You should finish up with a partitioning proposal:

  • An EFI partition (if this is a UEFI system);
  • An encrypted LVM with volumes for root, home, swap.

This works pretty well, and should do what you want.

I already tried that before writing here. The result was:

  • 8 MiB “BIOS Boot” partition (this system is old, no UEFI)
  • PV (with LVM etc as you explained)

However the help menu explains that this is LUKS encryption (for the LVM) and I suppose what I need is that dm-crypt, no?

Other questions:

  • How to add encryption to that “BIOS Boot” partition too? (is that protecting GRUB with password?)

  • is “BIOS Boot” the same as /boot and if not - what is the difference?

  • why doesn’t “BIOS Boot” have a mount point?

I also see that it is possible to remove all partitions, tell that the whole hard disk is for the operating system and choose “Encrypt device”. This indeed shows that it will simply reserve the whole hard disk for “/” and encrypt it. What is the difference between this setup and the one which you suggest? Any pros and cons?

LUKS adds a management layer on top of dm-crypt. It makes it much easier to handle. OTOH it makes LUKS self-identifying. Anyone can see that you have an encrypted partition (even though the content is not directly visible).

If you want to use raw dm-crypt you are essentially on your own. It is up to you to translate the description you found on the Internet into what openSUSE understands.

How to add encryption to that “BIOS Boot” partition too?

You can’t.

(is that protecting GRUB with password?)

No. It contains bootloader code that is executed when you switch on the computer. There is no provision to encrypt it.

is “BIOS Boot” the same as /boot

No.

and if not - what is the difference?

BIOS boot contains the initial bootloader code launched by the BIOS; /boot contains other data used by the bootloader or kernel.

why doesn’t “BIOS Boot” have a mount point?

Because it does not have a filesystem.
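To make the “self-identifying” point above concrete, here is an added example (not from the thread or from any poster): a LUKS volume begins with a fixed header, the 6-byte magic “LUKS” 0xBA 0xBE followed by a 2-byte big-endian version number (1 for LUKS1, 2 for LUKS2), which is exactly what `cryptsetup isLuks` and `blkid` (reporting `TYPE="crypto_LUKS"`) look for. A plain dm-crypt volume has no header at all; its first bytes are ciphertext and look like random data. The sample files are constructed here, not real volumes.

```shell
#!/bin/sh
# Added example (not from the thread): show why LUKS is "self-identifying".
# A LUKS header starts with the magic bytes "LUKS" 0xBA 0xBE, then a 2-byte
# big-endian version. Plain dm-crypt writes no header, so nothing on disk
# announces that the device is encrypted.

# Print "luks1", "luks2", "luks-unknown-version" or "no-header" for a file
# or block device (run as root to inspect a real /dev/sdXN).
luks_identify() {
    magic=$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')
    version=$(head -c 8 "$1" | tail -c 2 | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "4c554b53babe" ]; then
        echo no-header
    elif [ "$version" = "0001" ]; then
        echo luks1
    elif [ "$version" = "0002" ]; then
        echo luks2
    else
        echo luks-unknown-version
    fi
}

# Constructed sample "devices" (8 bytes each, not real volumes) so the check
# can be exercised without touching a disk.
make_samples() {
    dir=$1
    printf 'LUKS\272\276\000\001' > "$dir/luks1.img"   # LUKS1 header start
    printf 'LUKS\272\276\000\002' > "$dir/luks2.img"   # LUKS2 header start
    # eight arbitrary bytes standing in for plain dm-crypt ciphertext
    printf '\215\042\371\010\301\066\144\255' > "$dir/plain.img"
}
```

Running `luks_identify /dev/sda2` on an installed openSUSE system with the installer’s encrypted LVM prints `luks1` or `luks2`, which is the observation arvidjaar describes: the header reveals that encryption is in use, even though it reveals nothing about the content.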

Thank you, arvidjaar.

What about the last question? Can you clarify it too please?

The EFI boot (BIOS boot???) is formatted FAT but you can’t encrypt it because the UEFI/BIOS does not know encryption and the code there is used by the BIOS. The files that are there are just the first links in the boot chain; NO DATA is stored there unless you put some there. In all cases, unless the BIOS/UEFI provides its own encryption scheme or you have a disk controller that can deal with it, the initial part of the boot chain cannot be encrypted.

As arvidjaar explained, LUKS is built on top of dm-crypt. Yes, you could use dm-crypt without it, but you will run into problems. And it may be less secure, because the LUKS header provides a salt.

Other questions:

  • How to add encryption to that “BIOS Boot” partition too? (is that protecting GRUB with password?)
  • is “BIOS Boot” the same as /boot and if not - what is the difference?
  • why doesn’t “BIOS Boot” have a mount point?

If you really want to encrypt everything, then I think you can purchase disk drives that are encrypted at the hardware level. The BIOS would prompt for the encryption key at POST time (pre-boot).

Unless you do it that way, the boot code needs to be unencrypted. Otherwise you cannot boot.

I also see that it is possible to remove all partitions, tell that the whole hard disk is for the operating system and choose “Encrypt device”. This indeed shows that it will simply reserve the whole hard disk for “/” and encrypt it. What is the difference between this setup and the one which you suggest? Any pros and cons?

You won’t be able to boot it.

Well I guess you could use a separate “/boot” and put that on a USB. Then you could boot from the USB, and unplug that USB after booting. But you would have to plug it in for kernel updates or any update that touches booting (update to grub2, for example).

Thank you guys!

OK, so I followed nickert’s advice.

Now when booting I am asked for the encryption password (once) and after the system loads I am asked again (a second time) for
<diskname…>-part2.

Why is this happening?
Is it normal?
How to make it ask me only once (on boot before GRUB)?

Grub is asking for the password so that it can read its menu and other configuration.
The kernel is asking for the password so that it can access the disks.

At present, there is no secure way for grub to communicate the password to the kernel.

Is it normal?

Yes, this is normal.

You can avoid that by having a separate unencrypted “/boot” partition. But, if using “btrfs”, it is better for “/boot” to be part of the root file system and not a separate partition.

How to make it ask me only once (on boot before GRUB)?

Yes, it is possible to do this. I don’t recommend it.

I do have that set up in a virtual machine (for testing it). But I am not using it on real computers. I prefer to enter the password twice where needed.

If you want to set this up, here’s an outline of how to do it. (I can fill in more details later, if needed)

(1) Put a password into a file in the root file system. It is best to do this with a separate password, and add that as an alternative decryption password (using “cryptsetup luksAddKey”). You can use a random 256-byte key for this. And since the key is in a file, you can add the path to that file to “/etc/crypttab”. Make sure that the file is readable only by root.

(2) Because the password file is in the encrypted file system, the kernel cannot actually read it until it already has the encryption key. So you have to force this password file to be copied into the “initrd”. You would usually set that up with a file in “/etc/dracut.conf.d”. And then run “mkinitrd”.

The disadvantage: you now have an encryption key in a file in the root file system. And you also have it in the “initrd”. The more copies, the more likely that it will leak. However, the file in the root file system is readable only by root, and the “initrd” is readable only by root. So some folk think this is a reasonable approach.

If you later install Xen support on a UEFI machine, the “initrd” will be copied to the EFI partition. And that makes it readable by anyone with sufficient access to your machine. So the encryption key has been made more readily accessible, which is risky.
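The outline above (steps 1 and 2) as an added, runnable script; this is not nrickert’s code and not part of the thread. It assumes the key file lives at `/root/luks-root.key`, that the dracut snippet is called `99-luks-keyfile.conf`, and that the crypttab entry name is whatever the installer already wrote (`cr_root` is only a placeholder; check `/etc/crypttab` first). `install_items` is a real dracut option. The helper functions never touch a block device; the real run at the bottom only executes when `LUKS_DEV` is set, and it keeps the precautions the post insists on: the key file is created with `umask 077` so it is never world-readable even briefly, the existing crypttab entry is edited in place rather than duplicated, and the script refuses to continue if the key file is not private.

```shell
#!/bin/sh
# Added example, not from the thread: stage the key-file setup nrickert
# outlines. Assumed names: /root/luks-root.key (the extra key, inside the
# encrypted root) and /etc/dracut.conf.d/99-luks-keyfile.conf. The crypttab
# entry name must be the one the installer wrote (cr_root is a placeholder).
# No block device is touched unless LUKS_DEV is set.
set -eu

# Create a 256-byte random key that is never world-readable, not even briefly:
# umask 077 applies before the file exists, chmod 400 locks it afterwards.
make_keyfile() {
    mkdir -p "$(dirname "$1")"
    ( umask 077; head -c 256 /dev/urandom > "$1" )
    chmod 400 "$1"
}

# Return 0 only if the key file is readable by its owner (root) alone.
keyfile_is_private() {
    case "$(stat -c %a "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Point an existing crypttab entry at the key file (third field).
# Fails, leaving the file unchanged, if no entry with that name exists:
# appending a second entry for the same volume would be a mistake.
set_crypttab_key() {
    crypttab=$1; name=$2; keyfile=$3
    awk -v n="$name" -v k="$keyfile" '
        $1 == n { $3 = k; found = 1 }
        { print }
        END { if (!found) exit 1 }' "$crypttab" > "$crypttab.tmp" \
        && mv "$crypttab.tmp" "$crypttab" \
        || { rm -f "$crypttab.tmp"; return 1; }
}

# dracut snippet that copies the key into the initrd so the kernel can unlock
# the root volume before / is mounted (install_items is a real dracut option).
dracut_conf() {
    printf 'install_items+=" %s "\n' "$1"
}

# Real run, as root on the installed system:
#   LUKS_DEV=/dev/sdX2 CRYPT_NAME=cr_root sh this-script.sh
if [ -n "${LUKS_DEV:-}" ]; then
    KEYFILE=/root/luks-root.key
    make_keyfile "$KEYFILE"
    keyfile_is_private "$KEYFILE"
    cryptsetup luksAddKey "$LUKS_DEV" "$KEYFILE"   # asks for an existing passphrase
    set_crypttab_key /etc/crypttab "${CRYPT_NAME:-cr_root}" "$KEYFILE"
    dracut_conf "$KEYFILE" > /etc/dracut.conf.d/99-luks-keyfile.conf
    mkinitrd
    ls -l /boot/initrd*   # the initrd now holds the key; it must not be world-readable
fi
```

The final `ls -l` is the check the post’s disadvantage paragraph calls for: after `mkinitrd` there are two copies of the key, and the initrd copy is only as private as the permissions on `/boot/initrd*`. If that file is ever copied somewhere readable by others (the Xen-on-UEFI case above), the convenience has cost you the key.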

Thanks nickert!

As far as I understand this convenience reduces the security of the encryption right? I guess I better not do it then.

I also found

https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_passphrase_twice

which explains something similar to what you just explained. Is it the same thing?

One more question:

How do I configure autoyast for the suggested “Guided setup”? (including formatting of the disk)

When I clone the system (in yast - autoyast) and edit the partition plan to tell that the target system should initialize the drive and the partitions, when reaching that “bios_boot” partition I get:


Warning
You selected to create the partition, but you did not select a valid file
system. Select a valid filesystem to continue.
[OK]

What file system should I choose for it? Also must I fix the size to exactly 8 MiB?

And the other peculiar thing:

Trying to edit the <system> “drive” shows me in “Advanced” section that:

“Encryption is not available for physical volumes”

So how do I set all this please? Or must I prepare each computer’s disk manually before running autoyast installation?

You don’t normally format a disk; you format a partition. So you should be able to encrypt a partition but not the drive itself (physical volume).

For the EFI boot partition FAT is the proper format

Yes, that’s the same idea. You could just follow those steps.

In my case I want autoyast to recreate the same disk setup (including formatting of everything).

For the EFI boot partition FAT is the proper format

I am installing on old machines (no UEFI).

No EFI, so there should not be an EFI boot partition and you use MBR booting. If the original image is EFI then that will be the default in AutoYaST and you would have to manually change it.