On Wed, Dec 30, 2015 at 07:34:52AM +1000, Hans wrote:
> Hi,
>
> Is it possible to fully encrypt a Gentoo system as can be done with
> Fedora, Suse, Arch Linux, Debian and Ubuntu without using an unencrypted
> USB boot stick or unencrypted /boot partition?
>
> If yes, where can I find instructions that really work on a BIOS only
> box without UEFI, EFI, systemd using EXT4 file system?
>
> Hans

I can confirm that it's entirely possible, as I've managed to do it with
my laptop.
I don't remember exactly how I did everything, but here are the main
points of my setup.

Each of the three disks in my laptop is set up with GPT partitions
(although it should work fine with plain old DOS-style partitions).

If you use GPT with BIOS, make sure you leave room for (and create) the
GRUB boot partition (which GRUB stores the stage 2 part of the
bootloader in, since the first stage is limited to only a few hundred
bytes by BIOS standards).
Use 4MiB, just to be safe (a couple MiB is cheap, anyway).
You can read about how to get it set up just right here:
<https://wiki.gentoo.org/wiki/GRUB2#Partitioning_for_BIOS_with_GPT>

Each disk has a LUKS partition.
GRUB2 supports both AES and Serpent (I have partitions of both)
encryption with LUKS, though I recommend AES.

If you look around on the Gentoo wiki, or around online, you can
probably find how to set up the encrypted partitions.
What I did was:

    cryptsetup luksFormat -v -c aes-xts-plain64 -h sha512 -y -s 512 \
        --use-random -i 4000 /dev/sda2

This sets the encryption and key derivation algorithms and key size to
pretty secure settings.
The 4000 is the number of milliseconds used to compute the encryption
key from your passphrase.
Feel free to increase/decrease as you like.
You can always change it later (you can add and remove encryption
passphrases from the partition with varying derivation times).

Your partitions will be decrypted at boot, but while setting this all
up, decrypt the partition manually with:

    cryptsetup luksOpen /dev/sda2 luks-system

This will ask for your passphrase, and open the partition as
/dev/mapper/luks-system.
If you have multiple disks like I do, just open them all and give them
different names.

On top of LUKS, I've got LVM, because it's all shiny and I like to
resize my partitions every few days without rebooting.
If you're not familiar with it, I recommend reading around in the wiki a
little.

Set up your opened encrypted partitions for LVM (as physical volumes
(PVs)) by running:

    pvcreate /dev/mapper/luks-system

If you have multiple disks, run that for each partition.

Now, create a volume group to hold all of your partitions by running:

    vgcreate sys_vg /dev/mapper/luks-system [...]

If you have any other disks, add them to the end of that command.
"sys_vg" will be the name of your volume group.
You can use pretty much anything, but I recommend suffixing it with
"_vg" so you're not risking collisions with other stuff in "/dev".
I like to use "HOSTNAME_vg" for mine.

(You may need to run `vgchange -a y` to get your system to load the new
volume group now; I don't quite remember.)

Now, create your partitions (logical volumes (LVs)) with:

    lvcreate -L 8GiB -n rootfs sys_vg

Replace "8GiB" with whatever partition size you want, and "rootfs" with
whatever you want to name that partition.
I recommend avoiding '-' in the partition name (and volume group name),
as it sometimes escapes them (?) by turning them into "--", but only in
some places.

The LVs will be in /dev/YOUR_VOLUME_GROUP_NAME.
So, for example, the above will create "/dev/sys_vg/rootfs" as your
logical volume.

At the very least, you'll want a boot partition, a swap partition, and a
root partition.

Try to leave them smaller, rather than using up all of the free space.
With LVM, you can grow filesystems (at least, EXT4 and such) online
(that is, without unmounting and/or rebooting).

(That's because LVM maps blocks between the partition that software
sees, and the (encrypted) PVs.
So, logical volumes don't necessarily need to be contiguous, or even on
the same disk.
LVM takes care of that transparently.)

Leave room in case you want to change your partitioning later, or give a
virtual machine its own LV or something.

Format your filesystems just like in the Gentoo Handbook:

    mkfs.ext4 -L rootfs /dev/sys_vg/rootfs
    mkfs.ext4 -L boot /dev/sys_vg/boot
    mkswap -L swap /dev/sys_vg/swap

Then, mount them just like in the Gentoo Handbook and add them to your
fstab.
(Obviously, use /dev/sys_vg/* instead of /dev/sd?* when mounting.)

All of that is a pretty standard LVM/LUKS setup (except for /boot on
LVM/LUKS).

Now, when you compile your kernel, make sure to enable all of the device
mapper, LVM, and encryption features you need.
If you're not sure what you need, poke around on the Gentoo wiki pages
for LVM and/or LUKS.
You can compile them as either modules or built-in (I use modules),
since you'll need an initramfs anyway.

For your initramfs, I recommend using dracut.

I can't quite remember exactly what everything I did in my dracut
configuration was for, but here are some of the important-looking bits
(in /etc/dracut.conf):

    add_dracutmodules+="bash crypt lvm udev-rules usrmount"
    hostonly="no"
    lvmconf="yes"
    persistent_policy="by-uuid"
    use_fstab="yes"

(If you get stuff about dracut being unable to find /dev/disk/by-uuid/*
when it tries to mount your /usr when booting after all of this, you may
want to change the persistent_policy (see the dracut.conf man page).
For some reason it keeps doing this to me, and I don't quite know why.
If it does happen to you, just run `e2fsck /dev/sys_vg/usr` to check the
filesystem and `mount -o ro /dev/sys_vg/usr /sysroot/usr` to mount it.)

You can build your initramfs by running:

    dracut -v --xz -f --kver KERNEL_VERSION

Substitute KERNEL_VERSION for the release version of your kernel (if
it's named in a standard way).
You can take out the "--xz" flag if you want; it just compresses the
initramfs.
If you leave it in, however, make sure you compile XZ compressed
initramfs support into your kernel (it should be with the other
initramfs options).

I don't know how everyone else does it, but here's the one-liner (well,
it was one line before I broke it up to fit it here) I use to build and
install my kernel/initramfs:

    (mount /boot;
     make all &&
     make modules_install &&
     cp -v .config "/boot/config-$(make kernelrelease)" &&
     cp -v "$(make image_name)" "/boot/vmlinuz-$(make kernelrelease)" &&
     dracut -v --xz -f --kver "$(make kernelrelease)" &&
     grub2-mkconfig -o /boot/grub/grub.cfg)

(Wrapping it all in parentheses runs it in a sub-shell, so you can use
C-Z to suspend and resume the entire set of commands, rather than just
the currently running one (which wouldn't run the rest)).

When you build and install sys-boot/grub:2, make sure you have the
device-mapper USE flag enabled.
(I also have the mount USE flag enabled for it, and I'm too lazy to look
up right now whether that will be necessary or not, but it doesn't hurt
to enable it anyway.)

Now comes the important part: configuring GRUB.
(This part actually took me the longest to figure out, primarily because
whatever guide I was originally following a year or two ago said the
important option was GRUB_CRYPTODISK_ENABLE instead of
GRUB_ENABLE_CRYPTODISK.
Either that, or I misread it.)

This will probably give you a good explanation:
<http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/>.
Just ignore the Arch Linux bits.

In addition to whatever else you add to your GRUB configuration, here
are the lines to enable GRUB to understand your disks, and load things
from your boot partition (which is on top of LVM on top of LUKS).
(You'll want this in /etc/default/grub):

    GRUB_ENABLE_CRYPTODISK=y
    GRUB_PRELOAD_MODULES="cryptodisk crypto gcry_rijndael gcry_sha512 gcry_serpent luks lvm"

The first line tells GRUB to use your boot partition, even though it's
encrypted.
The second will preload the necessary cryptographic modules (and LVM)
into the stage 2 bootloader.
If you used different algorithms than AES, SHA-512, and Serpent, make
sure to add their gcry_* modules here.
The modules are in /usr/lib/grub/i386-pc/ and/or /boot/grub/i386-pc/ if
you need to find their exact names.

Now, you'll need to add some stuff to the kernel command line so that
dracut can find and set up your partitions properly.
(Add this to /etc/default/grub as well):

    GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-LUKS-PART-UUID rd.lvm.vg=sys_vg root=/dev/sys_vg/rootfs rootfstype=ext4 rd.shell rd.info"

The first part (rd.luks.uuid) tells dracut which LUKS partitions to
open.
Replace "LUKS-PART-UUID" with whatever UUID you get from running:

    blkid /dev/sda3

So, you'll have, for example,
"rd.luks.uuid=luks-c972bd1a-64c4-439c-ac34-fb996328ca7d".

If you have multiple disks, just repeat that for each disk
(rd.luks.uuid is cumulative).
So, you'd have "rd.luks.uuid=luks-UUID1 rd.luks.uuid=luks-UUID2 ...".

The rd.lvm.vg part of the command line tells dracut the name of the
volume group to open.
It will be able to find it after opening all of the encrypted
partitions.
(I'm not sure if having it after the rd.luks.uuid parts was significant
or not, so you may want to leave it after.)

The "root" part of the command line just tells dracut what your root
partition will be after it's done loading all of this.
The "rootfstype" specifies the file system type, and I'm pretty sure
it's not necessary.

The "rd.shell rd.info" part you may want to keep.
The first part will drop you into a shell if something goes wrong, and
the latter will print enough text to give you a hint as to what went
wrong.

Now, with all of the configuration done, it's time to install GRUB to
your boot partition.

First, generate your GRUB configuration with:

    grub2-mkconfig -o /boot/grub/grub.cfg

Make sure it finds your kernel and initramfs.
(It should say when it finds each.)

Now, for the final step, install GRUB to your disk with:

    grub2-install /dev/sda

It should say that it installed everything successfully.
If it doesn't, or if you want to make sure, add the "-v" flag and scroll
back up through it to make sure it found all of the LUKS and LVM stuff.

You should be good to go now.

When you reboot, GRUB will immediately prompt you for the passphrase for
each of your LUKS partitions (or your one LUKS partition).
After you enter it, you should end up in GRUB 2, just as normal.

When GRUB loads the kernel (and dracut), dracut will prompt you for your
passphrase again for each LUKS partition (because it doesn't have the
keys that GRUB derived and used).
This is more of a minor inconvenience unless you reboot a lot (and the
page I linked to had some ideas on how to get around this).

Afterward, the initramfs should load up the rest of your system as
usual.
I don't use systemd, so I can't help you on that part, but if you read
around the Gentoo wiki (and other sources) about systemd and dracut, you
should be able to figure that part out.

(Also, if the initramfs has issues finding something, it should, again,
drop you into a shell.
You can then just mount the filesystem manually.)

I hope this helps.
It ended up a little longer than I planned, but it should be helpful at
least to me in a couple more years when I can't remember how I did this
in the first place.

Alex
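As an added example (not part of Alex's post or of any Gentoo tooling), a small POSIX shell helper for the two GRUB pitfalls the post describes: it builds the cumulative rd.luks.uuid= string from blkid output so no LUKS disk is left out, and checks an /etc/default/grub fragment for the misspelled GRUB_CRYPTODISK_ENABLE key and for missing preload modules. The blkid lines and config fragments are constructed; apart from the UUID quoted in the post, the UUIDs are made up.

```shell
#!/bin/sh
# Constructed blkid output. Only the first UUID is the one from the post;
# the other values are made up for this example.
SAMPLE_BLKID='/dev/sda1: PARTLABEL="grub" PARTUUID="11111111-1111-1111-1111-111111111111"
/dev/sda2: PARTUUID="22222222-2222-2222-2222-222222222222" UUID="c972bd1a-64c4-439c-ac34-fb996328ca7d" TYPE="crypto_LUKS"
/dev/sdb1: UUID="0a1b2c3d-0000-4000-8000-000000000001" TYPE="crypto_LUKS"
/dev/sdc1: UUID="deadbeef-dead-beef-dead-beefdeadbeef" TYPE="ext4"'

# Emit one rd.luks.uuid=luks-<UUID> per crypto_LUKS device in blkid output (stdin).
# rd.luks.uuid is cumulative, so every LUKS disk needs its own entry; the
# leading space in the pattern keeps PARTUUID= from being mistaken for UUID=.
luks_cmdline_from_blkid() {
    awk '/TYPE="crypto_LUKS"/ && match($0, / UUID="[^"]+"/) {
        u = substr($0, RSTART + 7, RLENGTH - 8)   # strip leading space, UUID=" and closing quote
        printf "%s%s", (n++ ? " " : ""), "rd.luks.uuid=luks-" u
    } END { print "" }'
}

# Check an /etc/default/grub fragment (stdin) for the pitfalls in the post: the
# misspelled key, a missing enable line, and preload modules needed for the
# post's AES-XTS/SHA-512 LUKS-on-LVM layout. Prints each problem; returns 1 if any.
check_grub_defaults() {
    cfg=$(cat); rc=0
    if printf '%s\n' "$cfg" | grep -q '^GRUB_CRYPTODISK_ENABLE'; then
        echo "wrong key GRUB_CRYPTODISK_ENABLE: GRUB reads GRUB_ENABLE_CRYPTODISK"; rc=1
    fi
    printf '%s\n' "$cfg" | grep -q '^GRUB_ENABLE_CRYPTODISK=y' \
        || { echo "missing GRUB_ENABLE_CRYPTODISK=y"; rc=1; }
    preload=$(printf '%s\n' "$cfg" | sed -n 's/^GRUB_PRELOAD_MODULES="\(.*\)"/\1/p')
    for m in cryptodisk luks lvm gcry_rijndael gcry_sha512; do
        case " $preload " in
            *" $m "*) ;;
            *) echo "GRUB_PRELOAD_MODULES lacks $m"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed fragments: one matching the post, one with the misspelled key
# and too few preload modules.
GOOD_GRUB='GRUB_ENABLE_CRYPTODISK=y
GRUB_PRELOAD_MODULES="cryptodisk crypto gcry_rijndael gcry_sha512 gcry_serpent luks lvm"'
BAD_GRUB='GRUB_CRYPTODISK_ENABLE=y
GRUB_PRELOAD_MODULES="cryptodisk luks"'

echo "LUKS part of GRUB_CMDLINE_LINUX: $(printf '%s\n' "$SAMPLE_BLKID" | luks_cmdline_from_blkid)"
printf '%s\n' "$BAD_GRUB" | check_grub_defaults || echo "BAD_GRUB would not boot from encrypted /boot"
```

On a real box, feed `blkid` and `/etc/default/grub` to the two functions instead of the constructed samples.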