User talk:Pnoecker/full disk encryption
https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption
yup why would we do that?
https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#Avoiding_having_to_enter_the_passphrase_twice
FAFO keyfile decryption
root # mkdir /etc/keys
root # dd if=/dev/urandom of=/etc/keys/enc.key bs=1 count=4096
root # cryptsetup luksAddKey /dev/sdX3 /etc/keys/enc.key
Then set up GRUB to load the key file, or initramfs or something? Does anybody do this?
ramdisk
https://code.funtoo.org/bitbucket/users/drobbins/repos/funtoo-ramdisk/browse
ramdisk.activate=lvm
Beta testing process of booting Funtoo off a LUKS encrypted volume with the new experimental luks ramdisk plugin:
1. git clone https://code.funtoo.org/bitbucket/scm/~siris/funtoo-ramdisk.git somewhere on your Funtoo system or LiveCD or VM install (I do it as the root user in the root user's home directory for easy pathing)
2. cd into the cloned repo's directory and run git checkout FL-11023/luks-ramdisk-plugin-v1 to switch to the active PR's branch containing the working ramdisk plugin code
3. Make sure you have built sys-kernel/debian-sources with the default USE flags (luks and lvm should be disabled) -- The key here is that this kernel already generates a ramdisk using funtoo-ramdisk by default
4. Once the kernel is emerged, or if you already have it emerged, change to the root user: sudo su - or log in to root
5. mount /boot
6. Regen the ramdisk with these exact flags and use the path to the git cloned branch's ramdisk bin: /root/funtoo-ramdisk/bin/ramdisk --force --plugins=core,luks,lvm initramfs-debian-sources-x86_64-6.5.10_p1
7. Determine the UUID of the LUKS encrypted partition with blkid | grep crypto
8. Edit /etc/boot.conf and add these new kernel boot params to your primary kernel entry: crypt_root=UUID={UUID from the step 7} and ramdisk.activate=luks,lvm (Note: {UUID from the step 7} is a placeholder variable, replace the entire string including curly braces with a correct UUID)
9. Regenerate a new GRUB config with ego boot
10. Reboot
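
The UUID lookup and boot-parameter steps above, as a script. This is an added example, not part of the original notes or the funtoo-ramdisk project; the function names and the sample blkid output (including its UUIDs) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `blkid` output; device names and UUIDs are made up.
SAMPLE_BLKID='/dev/sda1: UUID="1A2B-3C4D" TYPE="vfat" PARTUUID="aaaa0001-01"
/dev/sda3: UUID="0f3c9a52-7b1e-4c6d-9a2f-5d8e1b7c4a60" TYPE="crypto_LUKS" PARTUUID="aaaa0001-03"'

# Read blkid output on stdin and print the UUID of the LUKS partition.
# Fails unless exactly one crypto_LUKS device is present, so an ambiguous
# system never ends up with a guessed crypt_root value.
luks_uuid() {
    awk '/TYPE="crypto_LUKS"/ {
             # " UUID=" with a leading space skips PARTUUID= and UUID_SUB=
             if (match($0, / UUID="[^"]+"/)) {
                 n++
                 uuid = substr($0, RSTART + 7, RLENGTH - 8)
             }
         }
         END {
             if (n != 1) {
                 printf "expected exactly one LUKS device, found %d\n", n > "/dev/stderr"
                 exit 1
             }
             print uuid
         }'
}

# Build the two kernel parameters that go into /etc/boot.conf.
luks_boot_params() {
    uuid=$(luks_uuid) || return 1
    printf 'crypt_root=UUID=%s ramdisk.activate=luks,lvm\n' "$uuid"
}

# Return 0 only if a params line has a well-formed crypt_root UUID and
# activates the luks plugin. Catches a placeholder left in with its braces.
check_boot_params() {
    printf '%s\n' "$1" |
        grep -Eq '(^| )crypt_root=UUID=[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}( |$)' &&
    printf '%s\n' "$1" |
        grep -Eq '(^| )ramdisk\.activate=([a-z]+,)*luks(,[a-z]+)*( |$)'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_BLKID" | luks_boot_params
```

On a real system, pipe the live output instead: blkid | luks_boot_params, then pass the params line from /etc/boot.conf to check_boot_params before running ego boot.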