| 1 |
On Wed, Dec 30, 2015 at 07:34:52AM +1000, Hans wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> Is it possible to fully encrypt a Gentoo system as can be done with |
| 5 |
> Fedora, Suse, Arch Linux, Debian and Ubunto without using a unencrypted |
| 6 |
> USB boot stick or unencrypted /boot partition? |
| 7 |
> |
| 8 |
> If yes, where can I find instructions that really work on a BIOS only |
| 9 |
> box without UEFI, EFI, systemd using EXT4 file system? |
| 10 |
> |
| 11 |
> Hans |
| 12 |
|
| 13 |
I can confirm that it's entirely possible, as I've managed to do it with |
| 14 |
my laptop. |
| 15 |
I don't remember exactly how I did everything, but here are the main |
| 16 |
points of my setup. |
| 17 |
|
| 18 |
Each of the three disks in my laptop is set up with GPT partitions |
| 19 |
(although it should work fine with plain old DOS-style partitions). |
| 20 |
|
| 21 |
If you use GPT with BIOS, make sure you leave room for (and create) the |
| 22 |
GRUB boot partition (which GRUB stores the stage 2 part of the |
| 23 |
bootloader in, since the first stage is limited to only a few hundred |
| 24 |
bytes by BIOS standards). |
| 25 |
Use 4MiB, just to be safe (a couple MiB is cheap, anyway). |
| 26 |
You can read about how to get it set up just right here: |
| 27 |
<https://wiki.gentoo.org/wiki/GRUB2#Partitioning_for_BIOS_with_GPT> |
| 28 |
|
| 29 |
Each disk has a LUKS partition. |
| 30 |
GRUB2 supports both AES and Serpent (I have partitions of both) |
| 31 |
encryption with LUKS, though I recommend AES. |
| 32 |
|
| 33 |
If you look around on the Gentoo wiki, or around online, you can |
| 34 |
probably find how to set up the encrypted partitions. |
| 35 |
What I did was: |
| 36 |
|
| 37 |
cryptsetup luksFormat -v -c aes-xts-plain64 -h sha512 -y -s 512 \ |
| 38 |
--use-random -i 4000 /dev/sda2 |
| 39 |
|
| 40 |
This sets the encryption and key derivation algorithms and key size to |
| 41 |
pretty secure settings. |
| 42 |
The 4000 is the number of milliseconds used to compute the encryption |
| 43 |
key from your passphrase. |
| 44 |
Feel free to increase/decrease as you like. |
| 45 |
You can always change it later (you can add and remove encryption |
| 46 |
passphrases from the partition with varying derivation times). |
| 47 |
|
| 48 |
Your partitions will be decrypted at boot, but while setting this all |
| 49 |
up, decrypt the partition manually with: |
| 50 |
|
| 51 |
cryptsetup luksOpen /dev/sda2 luks-system |
| 52 |
|
| 53 |
This will ask for your passphrase, and open the partition as |
| 54 |
/dev/mapper/luks-system. |
| 55 |
If you have multiple disks like I do, just open them all and give them |
| 56 |
different names. |
| 57 |
|
| 58 |
On top of LUKS, I've got LVM, because it's all shiny and I like to |
| 59 |
resize my partitions every few days without rebooting. |
| 60 |
If you're not familiar with it, I recommend reading around in the wiki a |
| 61 |
little. |
| 62 |
|
| 63 |
Set up your opened encrypted partitions for LVM (as physical volumes |
| 64 |
(PVs)) by running: |
| 65 |
|
| 66 |
pvcreate /dev/mapper/luks-system |
| 67 |
|
| 68 |
If you have multiple disks, run that for each partition. |
| 69 |
|
| 70 |
Now, create a volume group to hold all of your partitions by running: |
| 71 |
|
| 72 |
vgcreate sys_vg /dev/mapper/luks-system [...] |
| 73 |
|
| 74 |
If you have any other disks, add them to the end of that command. |
| 75 |
"sys_vg" will be the name of your volume group. |
| 76 |
You can use pretty much anything, but I recommend suffixing it with |
| 77 |
"_vg" so you're not risking collisions with other stuff in "/dev". |
| 78 |
I like to use "HOSTNAME_vg" for mine. |
| 79 |
|
| 80 |
(You may need to run `vgchange -a y` to get your system to load the new |
| 81 |
volume group now; I don't quite remember.) |
| 82 |
|
| 83 |
Now, create your partitions (logical volumes (LVs)) with: |
| 84 |
|
| 85 |
lvcreate -L 8GiB -n rootfs sys_vg |
| 86 |
|
| 87 |
Replace "8GiB" with whatever partition size you want, and "rootfs" with |
| 88 |
whatever you want to name that partition. |
| 89 |
I recommend avoiding '-' in the partition name (and volume group name), |
| 90 |
as it sometimes escapes them (?) by turning them into "--", but only in |
| 91 |
some places. |
| 92 |
|
| 93 |
The LVs will be in /dev/YOUR_VOLUME_GROUP_NAME. |
| 94 |
So, for example, the above will create "/dev/sys_vg/rootfs" as your |
| 95 |
logical volume. |
| 96 |
|
| 97 |
At the very least, you'll want a boot partition, a swap partition, and a |
| 98 |
root partition. |
| 99 |
|
| 100 |
Try to leave them smaller, rather than using up all of the free space. |
| 101 |
With LVM, you can grow filesystems (at least, EXT4 and such) online |
| 102 |
(that is, without unmounting and/or rebooting). |
| 103 |
|
| 104 |
(That's because LVM maps blocks between the partition that software |
| 105 |
sees, and the (encrypted) PVs. |
| 106 |
So, logical volumes don't necessarily need to be contiguous, or even on |
| 107 |
the same disk. |
| 108 |
LVM takes care of that transparently.) |
| 109 |
|
| 110 |
Leave room in case you want to change your partitioning later, or give a |
| 111 |
virtual machine its own LV or something. |
| 112 |
|
| 113 |
Format your filesystems just like in the Gentoo Handbook: |
| 114 |
|
| 115 |
mkfs.ext4 -L rootfs /dev/sys_vg/rootfs |
| 116 |
mkfs.ext4 -L boot /dev/sys_vg/boot |
| 117 |
mkswap -L swap /dev/sys_vg/swap |
| 118 |
|
| 119 |
Then, mount them just like in the Gentoo Handbook and add them to your |
| 120 |
fstab. |
| 121 |
(Obviously, use /dev/sys_vg/* instead of /dev/sd?* when mounting.) |
| 122 |
|
| 123 |
All of that is a pretty standard LVM/LUKS setup (except for /boot on |
| 124 |
LVM/LUKS). |
| 125 |
|
| 126 |
Now, when you compile your kernel, make sure to enable all of the device |
| 127 |
mapper, LVM, and encryption features you need. |
| 128 |
If you're not sure what you need, poke around on the Gentoo wiki pages |
| 129 |
for LVM and/or LUKS. |
| 130 |
You can compile them as either modules or built-in (I use modules), |
| 131 |
since you'll need an initramfs anyway. |
| 132 |
|
| 133 |
For your initramfs, I recommend using dracut. |
| 134 |
|
| 135 |
I can't quite remember exactly what everything I did in my dracut |
| 136 |
configuration was for, but here are some of the important looking bits |
| 137 |
(in /etc/dracut.conf): |
| 138 |
|
| 139 |
|
| 140 |
add_dracutmodules+="bash crypt lvm udev-rules usrmount" |
| 141 |
hostonly="no" |
| 142 |
lvmconf="yes" |
| 143 |
persistent_policy="by-uuid" |
| 144 |
use_fstab="yes" |
| 145 |
|
| 146 |
(If you get stuff about dracut being unable to find /dev/disk/by-uuid/* |
| 147 |
when it tries to mount your /usr when booting after all of this, you may |
| 148 |
want to change the persistent_policy (see the dracut.conf man page). |
| 149 |
For some reason it keeps doing this to me, and I don't quite know why. |
| 150 |
If it does happen to you, just run `e2fsck /dev/sys_vg/usr` to check the |
| 151 |
filesystem and `mount -o ro /dev/sys_vg/usr /sysroot/usr` to mount it.) |
| 152 |
|
| 153 |
You can build your initramfs by running: |
| 154 |
|
| 155 |
dracut -v --xz -f --kver KERNEL_VERSION |
| 156 |
|
| 157 |
Substitute KERNEL_VERSION for the release version of your kernel (if |
| 158 |
it's named in a standard way). |
| 159 |
You can take out the "--xz" flag if you want, it just compresses the |
| 160 |
initramfs. |
| 161 |
If you leave it in, however, make sure you compile XZ compressed |
| 162 |
initramfs support into your kernel (it should be with the other |
| 163 |
initramfs options). |
| 164 |
|
| 165 |
I don't know how everyone else does it, but here's the one-liner (well, |
| 166 |
it was one line before I broke it up to fit it here) I use to build and |
| 167 |
install my kernel/initramfs: |
| 168 |
|
| 169 |
(mount /boot; |
| 170 |
make all && |
| 171 |
make modules_install && |
| 172 |
cp -v .config "/boot/config-$(make kernelrelease)" && |
| 173 |
cp -v "$(make image_name)" "/boot/vmlinuz-$(make kernelrelease)" && |
| 174 |
dracut -v --xz -f --kver "$(make kernelrelease)" && |
| 175 |
grub2-mkconfig -o /boot/grub/grub.cfg) |
| 176 |
|
| 177 |
(Wrapping it all in parentheses runs it in a sub-shell, so you can use |
| 178 |
C-Z to suspend and resume the entire set of commands, rather than just |
| 179 |
the currently running one (which wouldn't run the rest)). |
| 180 |
|
| 181 |
When you build and install sys-boot/grub:2, make sure you have the |
| 182 |
device-mapper USE flag enabled. |
| 183 |
(I also have the mount USE flag enabled for it, and I'm too lazy to look |
| 184 |
up right now whether that will be necessary or not, but it doesn't hurt |
| 185 |
to enable it anyway.) |
| 186 |
|
| 187 |
Now comes the important part: configuring GRUB. |
| 188 |
(This part actually took me the longest to figure out, primarily because |
| 189 |
whatever guide I was originally following a year or two ago said the |
| 190 |
important option was GRUB_CRYPTODISK_ENABLE instead of |
| 191 |
GRUB_ENABLE_CRYPTODISK. |
| 192 |
Either that, or I misread it.) |
| 193 |
|
| 194 |
This will probably give you a good explanation: |
| 195 |
<http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/>. |
| 196 |
Just ignore the Arch Linux bits. |
| 197 |
|
| 198 |
In addition to whatever else you add to your GRUB configuration, here's |
| 199 |
the lines to enable GRUB to understand your disks, and load things from |
| 200 |
your boot partition (which is on top of LVM on top of LUKS). |
| 201 |
(You'll want this in /etc/default/grub): |
| 202 |
|
| 203 |
GRUB_ENABLE_CRYPTODISK=y |
| 204 |
GRUB_PRELOAD_MODULES="cryptodisk crypto gcry_rijndael gcry_sha512 gcry_serpent luks lvm" |
| 205 |
|
| 206 |
The first line tells GRUB to use your boot partition, even though it's |
| 207 |
encrypted. |
| 208 |
The second will preload the necessary cryptographic modules (and LVM) |
| 209 |
into the stage 2 bootloader. |
| 210 |
If you used different algorithms than AES, SHA-512, and Serpent, make |
| 211 |
sure to add their gcry_* modules here. |
| 212 |
The modules are in /usr/lib/grub/i386-pc/ and/or /boot/grub/i386-pc/ if |
| 213 |
you need to find their exact names. |
| 214 |
|
| 215 |
Now, you'll need to add some stuff to the kernel command line so that |
| 216 |
dracut can find and set up your partitions properly. |
| 217 |
(Add this to /etc/default/grub as well): |
| 218 |
|
| 219 |
GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-LUKS-PART-UUID rd.lvm.vg=sys_vg root=/dev/sys_vg/rootfs rootfstype=ext4 rd.shell rd.info" |
| 220 |
|
| 221 |
The first part (rd.luks.uuid) tells dracut which LUKS partitions to |
| 222 |
open. |
| 223 |
Replace "LUKS-PART-UUID" with whatever UUID you get from running: |
| 224 |
|
| 225 |
blkid /dev/sda3 |
| 226 |
|
| 227 |
So, you'll have, for example, |
| 228 |
"rd.luks.uuid=luks-c972bd1a-64c4-439c-ac34-fb996328ca7d". |
| 229 |
|
| 230 |
If you have multiple disks, just use repeat that for each disk |
| 231 |
(rd.luks.uuid is cumulative). |
| 232 |
So, you'd have "rd.luks.uuid=luks-UUID1 rd.luks.uuid=luks-UUID2 ...". |
| 233 |
|
| 234 |
The rd.lvm.vg part of the command line tells dracut the name of the |
| 235 |
volume group to open. |
| 236 |
It will be able to find it after opening all of the encrypted |
| 237 |
partitions. |
| 238 |
(I'm not sure if having it after the rd.luks.uuid parts was significant |
| 239 |
or not, so you may want to leave it after.) |
| 240 |
|
| 241 |
The "root" part of the command line just tells dracut what your root |
| 242 |
partition will be after it's done loading all of this. |
| 243 |
The "rootfstype" specifies the file system type, and I'm pretty sure |
| 244 |
it's not necessary. |
| 245 |
|
| 246 |
The "rd.shell rd.info" part you may want to keep. |
| 247 |
The first part will drop you into a shell if something goes wrong, and |
| 248 |
the latter will print enough text to give you a hint as to what went |
| 249 |
wrong. |
| 250 |
|
| 251 |
Now, with all of the configuration done, it's time to install GRUB to |
| 252 |
your boot partition. |
| 253 |
|
| 254 |
First, generate your GRUB configuration with: |
| 255 |
|
| 256 |
grub2-mkconfig -o /boot/grub/grub.cfg |
| 257 |
|
| 258 |
Make sure it finds your kernel and initramfs. |
| 259 |
(It should say when it finds each). |
| 260 |
|
| 261 |
Now, for the final step, install GRUB to your disk with: |
| 262 |
|
| 263 |
grub2-install /dev/sda |
| 264 |
|
| 265 |
It should say that it installed everything successfully. |
| 266 |
If it doesn't, or if you want to make sure, add the "-v" flag and scroll |
| 267 |
back up through it to make sure it found all of the LUKS and LVM stuff. |
| 268 |
|
| 269 |
You should be good to go now. |
| 270 |
|
| 271 |
When you reboot, GRUB will immediately prompt you for the passphrase for |
| 272 |
each of your LUKS partitions (or your one LUKS partition). |
| 273 |
After you enter it, you should end up in GRUB 2, just as normal. |
| 274 |
|
| 275 |
When GRUB loads the kernel (and dracut), dracut will prompt you for your |
| 276 |
passphrase again for each LUKS partition (because it doesn't have the |
| 277 |
keys that GRUB derived and used). |
| 278 |
This is more of a minor inconvenience unless you reboot a lot (and the |
| 279 |
page I linked to had some ideas on how to get around this). |
| 280 |
|
| 281 |
Afterward, the initramfs should load up the rest of your system as |
| 282 |
usual. |
| 283 |
I don't use systemd, so I can't help you on that part, but if you read |
| 284 |
around the Gentoo wiki (and other sources) about systemd and dracut, you |
| 285 |
should be able to figure that part out. |
| 286 |
|
| 287 |
(Also, if the initramfs has issues finding something, it should, again, |
| 288 |
drop you into a shell. |
| 289 |
You can then just mount the filesystem manually.) |
| 290 |
|
| 291 |
I hope this helps. |
| 292 |
It ended up a little longer than I planned, but it should be helpful at |
| 293 |
least to me in a couple more years when I can't remember how I did this |
| 294 |
in the first place. |
| 295 |
|
| 296 |
Alex |
Archives