DM-Crypt Archive mirror
From: ken <gebser@mousecar.com>
To: Johnny Dahlberg <svartchimpans@gmail.com>
Cc: dm-crypt maillist <dm-crypt@saout.de>
Subject: [dm-crypt] Re: Using dm-crypt: whole disk encryption
Date: Wed, 24 Mar 2021 21:14:11 +0000	[thread overview]
Message-ID: <3032EE0A-E661-442A-B1C7-EE3848658B3D@mousecar.com> (raw)
In-Reply-To: <CA+3G=9iX7HgO2Q09As7exwmfGpdddzj_aN5y5hJ0f30ja-SQkQ@mail.gmail.com>
On March 22, 2021 4:43:59 PM UTC, Johnny Dahlberg <svartchimpans@gmail.com> wrote:
>On Sun, 21 Mar 2021 at 17:20, ken <gebser@mousecar.com> wrote:
>
>> A new laptop is on the way and I'm considering using dm-crypt to secure the
>> whole SSD. I have some basic questions though.
>>
>> Is it possible to encrypt the entire Drive, including all the system files?
>> _______________________________________________
>> dm-crypt mailing list -- dm-crypt@saout.de
>> To unsubscribe send an email to dm-crypt-leave@saout.de
>
>
>Yes, you can do this extremely easily in distributions that support it.
>What does "it" mean? Well, simply: Placing the kernel and bootloader on an
>EFI /boot/efi partition and using that as a bootstrap to decrypt the main
>partition. And auto-updating it every time the main system kernel is updated.
>I highly recommend my favorite Linux distro, which handles all of that
>automatically and asks if you want Full Disk Encryption during install:
>https://pop.system76.com/
>
>However, it only asks you if you want disk encryption if you do a full
>"clean install: wipe the disk and auto-partition" setup.
>
>Perhaps that's enough for you? In that case, just go ahead and install it
>and you're done! Very quick and easy.
>
>You can also MANUALLY set up smaller/custom partitions though (such as if
>you don't want to use an entire disk for this distro). I'll guide you
>through all of the steps:
>
>- Be sure that you download Pop!_OS 20.10 ISO v12 or later. The revision is
>trailing the filename, such as "pop-os_20.10_amd64_nvidia_12.iso" meaning
>the 12th ISO. This is necessary because v12 (or later) enhanced the
>installer to support custom encrypted partitions. Furthermore, I recommend
>getting the NVIDIA iso if you have (or will ever have) an NVIDIA GPU in
>your system, because that ISO makes it seamless to connect NVIDIA GPUs.
>
>- Ensure that your partitioning table is GPT (not MBR). And that your
>computer is booting with UEFI. This gives you a modern EFI bootloader.
>Otherwise you end up in hellish and brittle legacy grub land where you
>definitely don't wanna be.
>
>- Use GParted on the live boot ISO to create 3 partitions: 512 MiB fat32,
>4096 MiB fat32, and the remainder as "filesystem: unformatted" (it's a
>choice in the GParted dropdown).
>
>- Open a Terminal in the live boot ISO and type all of these commands
>(adjust the nvme0n1p3 to whatever your own partition is named):
>
># Get device name for the "unformatted" partition, in my case /dev/nvme0n1p3:
>fdisk -l
>
># Ensure that the encrypted payload is aligned to a 1 MiB (2048 * 512 byte
># sectors) boundary:
>cryptsetup --key-size 256 --type luks2 --sector-size 4096 --align-payload 2048 luksFormat /dev/nvme0n1p3
>
># Open the LUKS volume and permanently mark it as "allow discards" (TRIM) so
># that it always opens like that by default, for SSD health purposes:
>cryptsetup --allow-discards --persistent open /dev/nvme0n1p3 cryptdata
>
># Create the LVM volume metadata and enforce "start of payload" alignment
># at the nearest 1 MiB boundary after the metadata (by default this means the
># payload starts at 1 MiB):
>pvcreate -ffy --metadatatype lvm2 --dataalignment 1m --dataalignmentoffset 0 /dev/mapper/cryptdata
>
># Create the LVM volume group and force it to divide the volume into
># aligned 4 MiB chunks (this is the default, but enforcing it just to be sure):
>vgcreate -ffy --physicalextentsize 4m data /dev/mapper/cryptdata
>
># Create a LVM logical volume using all of the space:
>lvcreate -y --name root --extents 100%FREE data
>
># Format as ext4 with 4096 byte (4 KiB) block size:
>mkfs.ext4 -F -b 4096 /dev/mapper/data-root
>
># Close the devices.
>vgchange --activate n data
>cryptsetup close cryptdata
>
>- Now close the Terminal and go back to the Pop!_OS installer window, and
>proceed until it lets you pick "Custom Install". Pick that option. (Do not
>click the "Unlock partition" banner at the top of the window.)
>
>- You will be brought to an overview of your partitions. Click the small
>512 MiB fat32 and say "Use as: /boot/efi". Click the 4096 MiB fat32 and say
>"Use as: Custom. Custom path: /recovery". And lastly, click on the large
>partition and it will ask you about your password, so type your password to
>unlock it. Then click the large ext4 partition that appears and choose "Use
>as: Root (/)".
>
>- Now just proceed with the installation and it will automatically set up
>an encrypted full-disk bootloader with your custom partitions.
>
>
>Take care and have fun!
>
>-- Johny

Much thanks to everyone who replied. Your answers were much better than my question. From those answers it's abundantly apparent that I need to study a bit more on a few issues, like the boot processes and other things before I'll be able to make intelligent decisions. I used to understand the boot process fairly well, but that was before quite a bit was changed.

Also, I can't reply to e-mails the way I'm accustomed to and the way I'd like to because I don't have an actual Linux system for that, rather I'm forced to make do with a phone for the time being. Not optimal at all.

Thanks again for all the great replies.
_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de
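
The recipe quoted in Johnny's message above runs each command blind: nothing confirms that the partition GParted made actually starts on a 1 MiB boundary, that the disk has 4 KiB physical sectors before `--sector-size 4096` is chosen, that the LUKS2 header really recorded the sector size, or that the `--persistent` discard flag landed in the header. The script below is an added example, not code from the thread or from the Pop!_OS installer: it wraps the same cryptsetup/LVM steps in those checks, reading partition start and physical block size from sysfs (sysfs reports partition `start` in 512-byte units regardless of the disk's logical sector size) and verifying each step against `cryptsetup luksDump` and `pvs` output rather than trusting exit status. One deliberate change from the recipe, and my choice rather than the list's: `--key-size 512`, because XTS splits the key in two, so the recipe's `--key-size 256` means AES-128-XTS and 512 means AES-256-XTS. Assumptions: run as root from a live system, the argument is a partition name under /dev such as `nvme0n1p3`, and `cryptsetup luksFormat` prompts interactively for the passphrase. The pure helpers (`parent_of`, `is_mib_aligned`, `pick_sector_size`) run without root; the rest is destructive and only runs when a partition name is given.

```shell
#!/bin/sh
# Added example (not from the thread): the quoted LUKS2 + LVM recipe with the
# preflight checks and per-step verification it leaves out.
# Assumptions (mine): root on a live system, $1 is a partition name under /dev
# (e.g. nvme0n1p3), sysfs is mounted, cryptsetup/lvm2/e2fsprogs installed.
set -eu

MIB=1048576

# Map a partition to its parent disk so we can read the disk's queue attributes:
# nvme0n1p3 -> nvme0n1, mmcblk0p2 -> mmcblk0, sda3 -> sda.
parent_of() {
    case "$1" in
        nvme*|mmcblk*|loop*|md*) printf '%s\n' "${1%p[0-9]*}" ;;
        *)                        printf '%s\n' "${1%%[0-9]*}" ;;
    esac
}

# True when an offset of $1 units of $2 bytes falls on a 1 MiB boundary.
# sysfs "start" is in 512-byte units, so a partition passes with unit 512;
# a byte offset (e.g. from pvs) passes with unit 1.
is_mib_aligned() {
    [ $(( $1 * $2 % MIB )) -eq 0 ]
}

# Only ask dm-crypt for 4096-byte sectors when the disk has 4 KiB physical
# sectors; otherwise keep the 512-byte default.
pick_sector_size() {
    if [ "$1" -ge 4096 ]; then echo 4096; else echo 512; fi
}

# Check the on-disk LUKS2 header rather than trusting the command's exit code.
verify_sector_size() {   # $1 = device, $2 = expected sector size
    cryptsetup luksDump "$1" | grep -q "sector: $2 \[bytes\]"
}
verify_discards_persisted() {   # the --persistent flag is stored in the header
    cryptsetup luksDump "$1" | grep -q 'allow-discards'
}

main() {
    part=$1
    dev=/dev/$part
    disk=$(parent_of "$part")
    [ -b "$dev" ] || { echo "$dev: not a block device" >&2; exit 1; }
    [ -r "/sys/class/block/$part/start" ] || { echo "$part: not a partition" >&2; exit 1; }
    if cryptsetup isLuks "$dev" 2>/dev/null; then
        echo "$dev already carries a LUKS header, refusing to reformat" >&2; exit 1
    fi

    start=$(cat "/sys/class/block/$part/start")
    pbs=$(cat "/sys/block/$disk/queue/physical_block_size")
    ss=$(pick_sector_size "$pbs")
    is_mib_aligned "$start" 512 || {
        echo "$part starts at 512-byte sector $start, not 1 MiB aligned; recreate it" >&2; exit 1
    }

    # AES-256-XTS: XTS uses two keys, so 512 bits is needed for AES-256.
    cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 \
        --sector-size "$ss" --align-payload 2048 "$dev"
    verify_sector_size "$dev" "$ss" || { echo "header lacks sector size $ss" >&2; exit 1; }

    cryptsetup open --allow-discards --persistent "$dev" cryptdata
    verify_discards_persisted "$dev" || { echo "allow-discards flag not persisted" >&2; exit 1; }

    pvcreate -ffy --metadatatype lvm2 --dataalignment 1m --dataalignmentoffset 0 /dev/mapper/cryptdata
    vgcreate -ffy --physicalextentsize 4m data /dev/mapper/cryptdata
    lvcreate -y --name root --extents 100%FREE data
    # Confirm the PV data area (first PE) really starts on a 1 MiB boundary.
    pe_start=$(pvs --noheadings --units b --nosuffix -o pe_start /dev/mapper/cryptdata | tr -d ' ')
    is_mib_aligned "$pe_start" 1 || { echo "PV data starts at $pe_start bytes, not 1 MiB aligned" >&2; exit 1; }

    mkfs.ext4 -F -b 4096 /dev/mapper/data-root

    vgchange --activate n data
    cryptsetup close cryptdata
    echo "$dev: LUKS2 (${ss}-byte sectors, discards persisted) -> VG data -> LV root (ext4)"
}

# Destructive path only when a partition name is supplied, e.g.: sh fde-setup.sh nvme0n1p3
if [ "$#" -gt 0 ]; then main "$1"; fi
```

The alignment helper takes a unit size so the same check serves sysfs sector numbers (unit 512), `--sector-size 4096` layouts (unit 4096) and the byte offset `pvs -o pe_start` reports (unit 1). After the script finishes, the partition can be handed to the installer's "Custom Install" step exactly as in the quoted recipe.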

Thread overview: 12+ messages
2021-03-21 16:13 [dm-crypt] Using dm-crypt: whole disk encryption ken
2021-03-22  3:57 ` [dm-crypt] " Arno Wagner
2021-03-22 20:35   ` [dm-crypt] What to encrypt and why (was: " ken
2021-03-22 20:50     ` [dm-crypt] " Johnny Dahlberg
2021-03-22 21:25       ` Maksim Fomin
2021-03-22 21:58         ` Johnny Dahlberg
2021-03-23  4:00           ` Maksim Fomin
2021-03-22 16:43 ` [dm-crypt] " Johnny Dahlberg
2021-03-22 23:50   ` Didier Spaier
2021-03-23 22:43     ` Johnny Dahlberg
2021-03-24 21:14   ` ken [this message]
2021-03-22 21:01 ` [dm-crypt] " Maksim Fomin