LUKS + LVM without /boot in a separate partition

2 replies [Last post]
GNUtoo
Offline
Joined: 11/10/2009

Hi,

For simplicity and flexibility I want /dev/sda1 as a LUKS volume, with on top LVM, and inside the lvm the rootfs and swap.

Eliminating the separate /boot has several advantages:
- Smaller attack surface, only the MBR is in cleartext, and can later probably be secured more easily. It can also be checked more easily.
- No maintenance: Having a separate /boot requires space to store all the initramfs. Without a /boot, that space is shared with the rootfs. A too small /boot can be an issue if the old initramfs are kept. One that is too big consumes space.

Now an easy way to do it is the following:
# umount /boot
# mount /dev/sda1 /mnt # here sda1 is the /boot partition
# cp -ra /mnt/* /boot/*
# umount /mnt/
# vim /etc/fstab # remove /boot from the fstab
# echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
# mkinitramfs -c -k all
# update-grub
# grub-install /dev/sda # /dev/sda being the boot disk

However the password then needs to be typed twice:
- once in grub
- once in the initramfs

So the idea is to create a key:
# mkdir -p /etc/keys
# dd if=/dev/random of=/etc/keys/luks.key bs=512 count=16 iflag=fullblock
# ls -lah /etc/keys/luks.key # We verify the size
-rw-r--r-- 1 root root 8.0K 1 janv. 01:05 /etc/keys/luks.key
And to add it to the LUKS volume:
# cryptsetup luksAddKey /dev/sda2 /etc/keys/luks.key # /dev/sda2 is the encrypted volume

Now:
- The initramfs is in / which is encrypted
- GRUB already asks for the passphrase and loads the initramfs from the encrypted rootfs.
- The initramfs asks for the same password again (sic).

In parabola solving that is pretty easy:
- We add FILES="/etc/keys/luks.key" in /etc/mkinitcpio.conf
- We add "cryptkey=rootfs:/etc/keys/luks.key" to the kernel parameters. This can be done by adding cryptkey=rootfs:/etc/keys/luks.key to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.

It would be nice to easily be able to do it in Trisquel too, however I didn't find yet a way that is:
- Easy enough for people used to the command line and the edition of configuration files
- Has no maintenance and doesn't break during updates and so on
- Is very robust.

So far here's are my findings:
Adding a key inside /etc/crypttab for the volume which contains the rootfs makes update-initramfs -c -k all output a warning ("cryptsetup: WARNING: target /dev/sda2_crypt uses a key file, skipped") and the key isn't added to the initramfs. This warning comes from /usr/share/initramfs-tools/hooks. By reading that script I found that you can add a keyscript to the initramfs, and various howto on the Internet seem to corroborate that finding.
However I'm not familiar at all with the debian style initramfs generation, and I was wondering if there was rather an easy way to:
- Include the key inside the initramfs in a very clean manner
- Tell the initramfs to use that key, still in a very clean manner

Without needing to write a potentially fragile script, which:
- May break if the script isn't written well enough
- May break if busybox compilation options changes
- May break due to other changes in the initramfs
- Might be harder to use than just modifying one or more configuration files to include the encryption key.

Denis.

Legimet
Offline
Joined: 12/10/2013

I have this setup on my computers, it is not very hard to do.

When installing, do a LVM-on-LUKS setup, without a separate /boot outside the encrypted volume. This is easy to do in the installer.

Continue the installation. Once you get to GRUB, it will fail. Switch to a terminal and:
$ echo "GRUB_ENABLE_CRYPTODISK=y" >> /target/etc/default/grub

(When installing Debian using Debian-Installer, the target filesystem is mounted at /target. I'm not sure about Trisquel.)

Then try installing GRUB again, and it should succeed and you can complete the installation and reboot.

Now, for typing the passphrase only once, you need to create a key and put it in the initramfs.

$ sudo sh -c 'umask 026 && dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin"

Now edit /etc/crypttab. It probably looks something like this:
sdaX_crypt UUID=uuid none luks
Change none to /crypto_keyfile.bin and add ",keyscript=/bin/cat" after luks:
sdaX_crypt UUID=uuid /crypto_keyfile.bin luks,keyscript=/bin/cat

Then you have to include it in the initramfs. To do this, you need to create a hook. But before that, ensure that the generated initramfs is not readable by non-root users, since it will contain the key.

To do this, set UMASK=026 in /etc/initramfs-tools/initramfs.conf.

Then add the hook in /etc/initramfs-tools/hooks/crypto_keyfile:
#!/bin/sh
cp /crypto_keyfile.bin "${DESTDIR}"

Make it executable and generate the initramfs:
$ sudo chmod +x /etc/initramfs-tools/hooks/crypto_keyfile
$ sudo update-initramfs -u

Reboot, and you should not have to enter the passphrase more than once.

(Much of this is taken from http://www.pavelkogan.com/2015/01/25/linux-mint-encryption/)

GNUtoo
Offline
Joined: 11/10/2009

Thanks a lot, I'll try that out.

The next step is then to understand how to change the keyboard layout inside the GRUB part that is in the MBR...

Right now the keyboard layout changes after the password is entered.

Denis.