Full disk encryption
Hello !
This topic is about full disk encryption. I need this for /home, swap and root (/).
Maybe if someone knows, after, put /boot on a USB key. I'm new in Linux environment but I can learn ;)
I'm gonna explain what I've make here cause this doesn't work..
Thanks everybody !
>> sudo su
>> apt-get update
>> apt-get crypsetup
Play a with Gparted :
- sda1 5,2 GB ext4 (/boot and bootloader)
- sda2 8,4 GB swap (swap)
- sda3 682 GB ext4 (/)
>> cryptsetup -y --cipher aes-xts-essiv:sha256 --key-size 512 luksFormat /dev/sda3
>> cryptsetup -y --cipher aes-xts-essiv:sha256 --key-size 512 luksFormat /dev/sda2
>> cryptsetup luksOpen /dev/sda3 crypto_root
>> cryptsetup luksOpen /dev/sda2 crypto_swap
>> mkfs.ext4 /dev/mapper/crypto_root
>> mkswap /dev/mapper/crypto_swap
Launch Trisquel's installation from livecd 6.0.1
Manual particioning :
/ : /dev/mapper/crypto_root
swap : /dev/mapper/crypto_swap
/boot : /dev/sda1
bootloader : /dev/sda1
After finish,
>> mkdir /mnt/root
>> mount /dev/mapper/crypto_root /mnt/root
>> mount /dev/ /mnt/root/dev -o bind
>> chroot /mnt/root mount /proc
>> chroot /mnt/root mount /sys
>> chroot /mnt/root
echo "root /dev/disk/by-uuid/$(blkid -o value -s UUID /dev/sda3) none luks" >> /etc/crypttab
echo xts >> /etc/initramfs-tools/modules
echo aes_x86_64 >> /etc/initramfs-tools/modules
echo essiv:256 >> /etc/initramfs-tools/modules
>> apt-get update
>> apt-get install cryptsetup
>> mount /boot
>> update-initramfs -u
Here the first error :
w : mdadm : /etc/mdadm/mdadm.conf defines no arrays
When I reboot, i have this error :
BusyBox v.18.5 (Ubuntu 1:1.18.5-1 ubuntu4.1) built-in shell (ash)
Enter "help" for a list of built-in commands
(Initramfs)
I think all of this is bad but if someone has a good tutorial or have time to help me..
Thanks :)
I am a member!
Hello,
1. Swap can be a file inside the root partition, from my script;
dd if=/dev/zero of=/1G.swap bs=10M count=102 && mkswap /1G.swap
echo "/1G.swap none swap sw 0 0">>/etc/fstab
echo vm.swappiness=0>>/etc/sysctl.conf
2. You don't need to add essiv:256 to modules, probably because the is no module named essiv see modinfo essiv.
3. XFS is faster to verify, check, and overall maintain than the ext family but, each to his own.
4. /etc/crypttab should be:
root UUID=$(blkid | grep /dev/sda3 | cut -c18-53) none luks
or just run "from chroot"
echo "root UUID=$(blkid | grep /dev/sda3 | cut -c18-53) none luks">>/etc/crypttab
--
I use: trisquel.info | ceata.org | fsf.org | riseup.net | duckduckgo.com | eff.org | h-node.com | torproject.org | airvpn.org | flattr.com | skepdic.com |
I am a member!
5. You really don't need your USB ports ?
You can try to set the bootloader to /dev/sda (the drive, not partition, I'm not sure if it's default) then "/ : /dev/mapper/crypto_root" and "/boot : /dev/USBstick1".
Good luck !
P.S.
I just noticed that aes module is aes-x86_64 and not aes_x86_64.
Hi ! Thank you so much for reponse !
I've tried something else by use LVM :
Gparted :
- sda1 1GB, ext4, for /boot
- sda2 680GB, ext for /
In sda2 : 10BG swap and rest for /
In shell :
sudo su
modprobe dm-crypt
cryptsetup -y -c aes-xts-plain -s 512 -h sha512 luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 crypto_root
vgcreate lvm-trisquel /dev/mapper/crypto_root
lvcreate --name swap --size 10G lvm-trisquel
lvcreate --name root --extents 100%FREE lvm-trisquel
mkswap -f --label swap /dev/lvm-trisquel/swap
mkfs.ext4 -L root /dev/lvm-trisquel/root
Lauch Trisquel's installation and use manual partitioning like this :
/ on /dev/lvm-trisquel/root
swap on /dev/lvm-trisquel/swap
/boot on /sda1
and bootloader on /sda
I'm here now, waiting installation to end ;)
Is there ok ?
Do u think just put /boot on a USB is ok ?
I will need to change something else no ?
Hello everybody !
I want to performed something like this :
Boot partition on /dev/sda1
LUKS encrypted partition on /dev/sda2
and in LUKS partition >>> LV1 : /dev/Cool/swap LV2 : /dev/Cool/root LV3 : /dev/Cool/home
So I use Gparted to make partitions like this.
- After, in a shell :
- sudo su
- cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sda2
(do I need install others modules ? I'm on livecd Trisquel 6.0.1)
- cryptsetup luksOpen /dev/sda2/ trisquel
- pvcreate /dev/mapper/trisquel
- vgcreate Cool /dev/mapper/trisquel
- lvcreate -L 8G Cool -n swap
- lvcreate -L 20G Cool -n root
- lvcreate -l –extents100%FREE Cool -n home
- mkfs.xfs /dev/mapper/Cool-root
- mkfs.xfs /dev/mapper/Cool-home
- mkswap /dev/mapper/Cool-swap
- mount /dev/Cool/root /mnt
- mkdir /mnt/home
- mount /dev/Cool/home /mnt/home
- swapon /dev/Cool/swap
- mkfs.ext2 /dev/sda1
- mkdir /mnt/boot
- mount /dev/sda1 /mnt/boot
After this, launch Trisquel installation from the 6.0.1 livecd and choose manual partitioning.
Ok, and after, what I need to do ?
I suppose change bootloader and initramfs but I don't know precisely how (I tried some configuration but it doesn't work).
Perhaps someone knows how to configure /boot if I put it on USB key, on /dev/sdb1 for exemple.
Thanks in advance for help again :)
Okay, what do you think about (after all above) :
echo "root UUID=$(blkid | grep /dev/sda2 | cut -c18-53) none luks" >> /etc/crypttab
OR
echo "root UUID=$(blkid | grep /dev/sda2) none luks, retry=l,lvm=trisquel" >> /etc/crypttab
AND
echo "root=/dev/mapper/Cool-root cryptopts=source=/dev/sda2,target=Cool-root,lvm=trisquel" >> /etc/initramfs-tools/initramfs.conf
AFTER
update-initramfs -u
update-grub2
exit
Ok ? That's all ? Or not ? I need advice from one who already encrypt his laptop please.
Thanks !
No one use disk encryption ?
Please, I tried to explain the best I could my problem. I'm new in GNU/Linux so that's impossible for me to make all alone and install Trisquel like 10 times last 3 days just destroyed my head... I need this to be fix soon.
Don't be shy, share your knowlegde ! :)
Thanks in advance.