This document describes how to setup full disk encryption including /boot. This started from an accident not remembering to create /boot during installation Setting this up was actually surprisingly easy. The only issue left it that after typing in password into Grub2, it sits there for a while before boot starts. I am quite sure this is not the most elegant solution for this. I would like to see any improvements you can make to this to make this complete system encryption more elegant.
1. Installation
During installation do custom partitioning:
[ul]
[li]Create ca. 30 MB partition for /boot/efi. There is clear option for it[/li][LIST]
[li]Partition could possibly be smaller, i.e. like 10β12 MB as less than 5 MB is used during installation [/li][li]I have that as /dev/sda1 [/li][/ul]
[li]From rest of disk create a encypted LVM disk. I have that as /devsda2 [/li][li]Create a LVM group and place LVM disk into that group [/li][li]Create volume for swap. If you want to use hibernation, swap must be at least as big as there is physical memory in machine [/li][li]Create / of desired size. If using btrfs, remove unwanted subvolumes. Remove at least any subvolumes related to /boot and /var/run[/li][ul]
[li]Removing /boot and related subvolumes ensure stuff under /boot gets snapshotted [/li][li]/var/run is nowdays a bind mount to /run [/li][/ul]
[li]Create rest of the filesystems, like possible /home, if you did not fill disk with / [/li][li]Perform rest of installation as usual. [/li][/LIST]
2. First reboot
After installation Grub2 will ask password immediately. Type in the password and hit enter. Grub2 boot menu will appear after a while. During initial Linux boot phase, encryption password will be asked again. Type it in and bootup continues normally.
3. But I Donβt Want To Type Same Passwod Twice
You can avoid that, but there are few security issues described later.
[ul]
[li]Create a keyfile for LVM disk [/li]```
dd if=/dev/urandom of=/keyfile.key bs=512 count=1
[/ul]
[ul]
[li]Protect file from prying eyes [/li]```
chmod 0500 /keyfile.key
[li]Add keyfile to encrypted partition. I have /dev/sda1 as /boot/efi and /dev/sda2 as encrypted LVM partition. [/li]```
cryptsetup luksAddKey /dev/sda2 /keyfile.key
[li]Check: [/li]```
cryptsetup luksDump /dev/sda2
[li]Configure Grub2 to know about LVM key[/li][LIST]
[li]Edit Grub2 config /etc/default/grub [/li][li]Search line starting with [/li]```
GRUB_CMDLINE_LINUX_DEFAULT
[li]Add to end of that line: [/li]```
cryptkey=/keyfile.key
[li]Save changes [/li][li]Apply configuration: [/li]```
grub2-mkconfig -o /boot/grub2/grub.cfg
[/ul]
[li]Configure initrd setup to grab /keyfile.key into initrd[/li][ul]
[li]Create a module to copy keyfile: [/li]```
mkdir /usr/lib/dracut/modules.d/90keyfile
[li]Create setup file /usr/lib/dracut/modules.d/90keyfile/module-setup.sh for module containing:[/li]```
#!/bin/bash
check() {
require_binaries /keyfile.key
}
depends() {
return 0
}
install() {
inst /keyfile.key
}
[/ul]
[/LIST]
[LIST=|INDENT=2]
[li]Fix file mode: [/li]```
chmod 0744 /usr/lib/dracut/modules.d/90keyfile/module-setup.sh
[li] Create config file /etc/dracut.conf.d/90-keyfile.conf to take keyfile into account. File content:[/li]```
01 add_dracutmodules+=keyfile
[/LIST]
[ul]
[li]Configure /etc/crypttab[/li][LIST]
[li]Find out from /dev/disk what is LVM disk's id. In my case link in /dev/disk/by-id points to ../../sda2 [/li][li]Setup entry into /etc/crypttab[/li]
-part2 /dev/disk/by-id/-part2 /keyfile.key luks
Actually, entry should be there already, so you just need to edit it.
[/ul]
[li]Create new initrd file(s): [/li]```
mkinitrd
[ul]
[li] Check that /keyfile.key is in initrd:[/li]```
lsinitrd /boot/initrd
[/ul]
[li]Reboot and enjoy. [/li][/LIST]
From now on Grub will ask the password and kernel will use keyfile to unlock LVM and filesystems. For some reason after typing in password into Grub2, it sits there about 20 seconds before boot actually starts. It would be nice if that delay could be removed. Now /usr/lib/dracut/modules.d/90keyfile/module-setup.sh requires that /keyfile.key has exec rights to grab it into initrd. This should be fixed.
[b]4. Security considerations[/b]
[b][i]4.1.File access[/i][/b]
There is now few files you want to secure properly:
[ul]
[li]/keyfile.key is obivious [/li][li]Other files are /boot/initrd* files, which also contain the keyfile [/li][/ul]
To secure files, do at least:
chmod 0500 /keyfile.bin; chmod go-rwx /boot/initrd*
.
It is worth thinking about [i]NOT[/i] to backup /boot/initrd* and /keyfile.key files unless you can be sure that your backups are secure.
[b][i]4.2. Keyfile length[/i][/b]
There is no need to create too large keyfiles. File content is random. 512 random bytes forms a 4096 bit key. If you compare that to your password of 25 characters, which one is weaker, file or password? Password Characters are limited to ASCII characters, thus you have ca. 6.5 bits per character β 25 characters is ca. 162 bits. Other way round 4096 bits of password means 632 characters long password using ASCII.
[i][b]4.3. Destroying data[/b]
[/i]
You may use the keyfile to remove the password from LVM disk (how to do that is left as an exercise). If you do that and reboot without setting new password you will lose your data irrevokably, if you have no backup of the key anywhere, of course.