Note

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

User talk:Pnoecker/full disk encryption

From Funtoo
Jump to navigation Jump to search

https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption yup why would we do that? https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#Avoiding_having_to_enter_the_passphrase_twice

FAFO keyfile decryption

root # mkdir /etc/keys
root # dd if=/dev/urandom of=/etc/keys/enc.key bs=1 count=4096
root # cryptsetup luksAddKey /dev/sdX3 /etc/keys/enc.key

then setup grub to load the key file, or initramfs or something? does anybody do this?

ramdisk

https://code.funtoo.org/bitbucket/users/drobbins/repos/funtoo-ramdisk/browse ramdisk.activate=lvm

  • Beta testing process of booting Funtoo off a LUKS encrypted volume with the new experimetnal luks ramdisk plugin:
  • git clone https://code.funtoo.org/bitbucket/scm/~siris/funtoo-ramdisk.git somewhere on your Funtoo system or LiveCD or VM install (I do it as the root user in the root user's home directory for easy pathing)
  • cd into the cloned repo's directory and run git checkout FL-11023/luks-ramdisk-plugin-v1 to switch to the active PR's branch containing the working ramdisk plugin code
  • Make sure you have built sys-kernel/debian-sources with the default USE flags (luks and lvm should be disabled) -- This key here is this kernel already generates a ramdisk using funtoo-ramdisk by default
  • Once the kernel is emerged or if you already have it emerged change to the root user: sudo su - or login to root
  • mount /boot
  • Regen the ramdisk with these exact flags and use the path to the git cloned branched ramdisk bin: /root/funtoo-ramdisk/bin/ramdisk --force --plugins=core,luks,lvm initramfs-debian-sources-x86_64-6.5.10_p1
  • Determine the UUID of the LUKS encrypted partition with blkid | grep crypto
  • Edit the /etc/boot.conf and add these new kernel boot params to your primary kernel entry: crypt_root=UUID={UUID from the step 7} and ramdisk.activate=luks,lvm (Note: {UUID from the step 7} is a placeholder variable, replace the entire string including curly braces with a correct UUID)
  • Regenerated a new GRUB config with ego boot
  • Reboot