The officially official Devuan Forum!

underd0g

Member

Registered: 2018-04-02

Posts: 1  

full disk encryption

I have succesfully made a fully encrypted devuan instalation , with LVM . Basically , /boot is moved from it's own partition into a folder in / . No biggie .

This was done following steps in this article ;
https://dustymabe.com/2015/07/06/encryp … the-party/
The only step that differs from that tutorial is ;

cp -a /boot/.vmlinuz-* /mnt/boot/  

(I guess that fedora has a dot infront of vmlinuz , or it was a typo)

anyways , fsmitherd told me to finish this up , so here it goes .

I have  installed devuan 1 and 2 with these exact steps .
Firstly , install with standard encrypted LVM .
Then we need to copy the files from /boot partition to the /boot directory in the root filesystem ;
(I am guessing it's needles to say, but I'll point out that everything is done as root)

mount --bind / /mnt/
cp -a /boot/* /mnt/boot/
cp -a /boot/vmlinuz-* /mnt/boot/
cp -a /boot/.vmlinuz-* /mnt/boot/
diff -ur /boot/ /mnt/boot/

This copied the files over and verified the contents matched. Next , we unmount the partition and remove the mount from /etc/fstab ;

umount /mnt
umount /boot
sed -i -e '/\/boot/d' /etc/fstab

After that , we need to write new grub.cfg that loads the appropriate modules for loading from the encrypted disk ;

cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.backup
cp /boot/grub/grub.cfg /boot/grub/grub.cfg.backup
grub-mkconfig > /boot/grub/grub.cfg

And finally we need to reinstall the GRUB bootloader with GRUB_ENABLE_CRYPTODISK=y set in /etc/default/grub:

echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub
grub-install /dev/sda

and , of course ;

reboot 

If everything went well , you should now have your devuan booting from / , wich is to say that /boot partition is needles at this point . Just to make sure a malicious party can't figura anything from the files left in /boot partition , I'd recomend formating it .
At the moment I am planing to put quemu in that 256 mb space , so that I can run my installation in a vm on windows . but that's another topic .

cheers

Last edited by underd0g (2018-04-08 10:40:46)

kuleszdl

Member

Registered: 2018-11-03

Posts: 107  

Re: full disk encryption

I had a similar setup in the past. However, it should be noted that with this approach the decryption takes much longer, as the pbkdf2 implementation in GRUB is pretty slow. Also, you need to decrypt your disk twice, and apart from typing in the password two times you need to wait for iterTime to finish once more.

Regardless of these issues I don't see much of an security advantage in using this approach if you load GRUB from the same disk where your kernel lives. Instead of compromising the kernel, an attacker can simply compromise your GRUB.

If you load GRUB from elsewhere (e.g. from external flash or you use coreboot) the imho much better approach is to keep /boot unencrypted but to use public key cryptography to sign all binaries that live there (kernel, initrd) and to check their signatures on boot.