Whole system encryption – including /boot

This document describes how to setup full disk encryption including /boot. This started from an accident not remembering to create /boot during installation :slight_smile: Setting this up was actually surprisingly easy. The only issue left it that after typing in password into Grub2, it sits there for a while before boot starts. I am quite sure this is not the most elegant solution for this. I would like to see any improvements you can make to this to make this complete system encryption more elegant.

1. Installation

During installation do custom partitioning:
[ul]
[li]Create ca. 30 MB partition for /boot/efi. There is clear option for it[/li][LIST]
[li]Partition could possibly be smaller, i.e. like 10–12 MB as less than 5 MB is used during installation [/li][li]I have that as /dev/sda1 [/li][/ul]

[li]From rest of disk create a encypted LVM disk. I have that as /devsda2 [/li][li]Create a LVM group and place LVM disk into that group [/li][li]Create volume for swap. If you want to use hibernation, swap must be at least as big as there is physical memory in machine [/li][li]Create / of desired size. If using btrfs, remove unwanted subvolumes. Remove at least any subvolumes related to /boot and /var/run[/li][ul]
[li]Removing /boot and related subvolumes ensure stuff under /boot gets snapshotted [/li][li]/var/run is nowdays a bind mount to /run [/li][/ul]

[li]Create rest of the filesystems, like possible /home, if you did not fill disk with / [/li][li]Perform rest of installation as usual. [/li][/LIST]

2. First reboot

After installation Grub2 will ask password immediately. Type in the password and hit enter. Grub2 boot menu will appear after a while. During initial Linux boot phase, encryption password will be asked again. Type it in and bootup continues normally.

3. But I Don’t Want To Type Same Passwod Twice

You can avoid that, but there are few security issues described later.

[ul]
[li]Create a keyfile for LVM disk [/li]```
dd if=/dev/urandom of=/keyfile.key bs=512 count=1

 
[/ul]

[ul]
[li]Protect file from prying eyes [/li]```
chmod 0500 /keyfile.key

[li]Add keyfile to encrypted partition. I have /dev/sda1 as /boot/efi and /dev/sda2 as encrypted LVM partition. [/li]```
cryptsetup luksAddKey /dev/sda2 /keyfile.key

 
[li]Check: [/li]```
cryptsetup luksDump /dev/sda2

[li]Configure Grub2 to know about LVM key[/li][LIST]
[li]Edit Grub2 config /etc/default/grub [/li][li]Search line starting with [/li]```
GRUB_CMDLINE_LINUX_DEFAULT

 
[li]Add to end of that line: [/li]```
cryptkey=/keyfile.key

[li]Save changes [/li][li]Apply configuration: [/li]```
grub2-mkconfig -o /boot/grub2/grub.cfg

 
[/ul]
  
[li]Configure initrd setup to grab /keyfile.key into initrd[/li][ul]
[li]Create a module to copy keyfile: [/li]```
mkdir /usr/lib/dracut/modules.d/90keyfile

[li]Create setup file /usr/lib/dracut/modules.d/90keyfile/module-setup.sh for module containing:[/li]```
#!/bin/bash
check() {
require_binaries /keyfile.key
}
depends() {
return 0
}
install() {
inst /keyfile.key
}

 
[/ul]
  
[/LIST]

[LIST=|INDENT=2]
[li]Fix file mode: [/li]```
chmod 0744 /usr/lib/dracut/modules.d/90keyfile/module-setup.sh

[li] Create config file /etc/dracut.conf.d/90-keyfile.conf to take keyfile into account. File content:[/li]```
01 add_dracutmodules+=keyfile

 
[/LIST]

[ul]
[li]Configure /etc/crypttab[/li][LIST]
[li]Find out from /dev/disk what is LVM disk's id. In my case link in /dev/disk/by-id points to ../../sda2 [/li][li]Setup entry into /etc/crypttab[/li]

-part2 /dev/disk/by-id/-part2 /keyfile.key luks


Actually, entry should be there already, so you just need to edit it. 
[/ul]
  
[li]Create new initrd file(s): [/li]```
mkinitrd

[ul]
[li] Check that /keyfile.key is in initrd:[/li]```
lsinitrd /boot/initrd

 
[/ul]
  
[li]Reboot and enjoy. [/li][/LIST]

From now on Grub will ask the password and kernel will use keyfile to unlock LVM and filesystems. For some reason after typing in password into Grub2, it sits there about 20 seconds before boot actually starts. It would be nice if that delay could be removed. Now /usr/lib/dracut/modules.d/90keyfile/module-setup.sh requires that /keyfile.key has exec rights to grab it into initrd. This should be fixed.

[b]4. Security considerations[/b]

[b][i]4.1.File access[/i][/b]

There is now few files you want to secure properly:
[ul]
[li]/keyfile.key is obivious [/li][li]Other files are /boot/initrd* files, which also contain the keyfile [/li][/ul]
To secure files, do at least: 

chmod 0500 /keyfile.bin; chmod go-rwx /boot/initrd*

.

It is worth thinking about [i]NOT[/i] to backup /boot/initrd* and /keyfile.key files unless you can be sure that your backups are secure.

[b][i]4.2. Keyfile length[/i][/b]

There is no need to create too large keyfiles. File content is random. 512 random bytes forms a 4096 bit key. If you compare that to your password of 25 characters, which one is weaker, file or password? Password Characters are limited to ASCII characters, thus you have ca. 6.5 bits per character β‡’ 25 characters is ca. 162 bits. Other way round 4096 bits of password means 632 characters long password using ASCII.

[i][b]4.3. Destroying data[/b]
[/i]
You may use the keyfile to remove the password from LVM disk (how to do that is left as an exercise). If you do that and reboot without setting new password you will lose your data irrevokably, if you have no backup of the key anywhere, of course.

IMHO this is not a request for help, but a How to. This will thus be moved to Unreviewed How To and FAQ and is CLOSED for the moment.

Moved from Install/Boot/Login and open again.

If you make a separate 500 meg boot partition mounted /boot the password is not needed twice. It will only have kernels and some startup files so is not a security problem.

Separate, unencrypted /boot is the standard method of configuring encryption for Linux systems. Described methot shows that you can go one step further to protect your system.

When kernel and initrd are also protected by encryption, you can more sure nobody can tweak your kernel or boot process while system (namely, laptop or tablet) is unattended and powered off. If /boot is not protected. anybody with physical access can replace its contents.

Yes true but that needs two password entries. One to load the kernel and one to mount the partitions.

Apparmor or SELinux and/or secure boot can help protect the kernel though

You want both high security and convenience. That generally does not work

I now type in the password only to Grub2, so that it can load kernel and initrd. For initrd to remount filesystems, there is keyfile in initrd. No need to type password twice.

Well, it is bit harder to tweak powered off / hibernated laptop system, when also kernel is protected on hard disk. If laptop is powered on, when it is getting on wrong hands, game has practically been lost by then.

If I have understood secure boot correctly, it can only protect boot loader.

I think I should take especially a closer look of initrd files to keep them properly protected across kernel updates.

I’m just following these instructions after having re-installed Tumbleweed and managed to end up with Grub asking for my password twice.

The only thing that I’ve noticed so far is that the change to /etc/dracut.conf.d/90-keyfile.conf doesn’t quite seem to work. If you remove the β€œ01[space]” from the start then mkinitrd seems to execute correctly.