The page:
http://techpubs.spinlocksolutions.com/d … ption.html
Explains how to set up Devuan with full disk encryption (including /boot) during system installation when using the netinst ISO image. (The netinst ISO uses debian-installer. The Live ISO uses Refracta, which can set up boot on an encrypted root partition without any manual work needed.)
The procedure explained here is done by entering a shell and executing commands after everything has been installed but before the user clicks "Finish installation".
The idea is that for the official/standard part of the installation, an unencrypted partition is created and /boot is placed on it.
Then, after the installer is done installing files, the user enters a shell, moves the boot files onto the main (encrypted) partition, and re-purposes the unencrypted /boot partition into an encrypted swap partition.
This way all goals are met (fully standard installation, with full disk encryption, and with swap, done in the same session as the installation).
Last edited by dev (2019-03-26 21:53:23)
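The procedure in the post above, written out as a script. This is an added example by the editor, not code from the original post or from the linked howto. It assumes the d-i layout the post describes: a small unencrypted partition that the installer used for /boot (here /dev/sda1, a placeholder) and a LUKS root that d-i has already put in /etc/crypttab; the mapper name sda1_crypt for the new swap and the helper function names are this example's own. It is meant to be run from the installer shell inside the target system (chroot /target) before "Finish the installation"; without --apply it only defines the helpers, so it can be sourced and inspected first.

```shell
#!/bin/sh
# Added example (not from the thread): move /boot onto the encrypted root and
# turn the old /boot partition into random-keyed encrypted swap, after d-i has
# installed everything and before "Finish the installation". Run inside the
# target chroot. All device and mapper names are assumptions; adjust them.
set -eu

BOOT_DEV="${BOOT_DEV:-/dev/sda1}"      # the unencrypted /boot partition d-i created
SWAP_NAME="${SWAP_NAME:-sda1_crypt}"   # mapper name the swap will get
# Tip: prefer a persistent name such as /dev/disk/by-partuuid/... for BOOT_DEV;
# /dev/sdX can change between boots.
GRUB_TARGET_DISK="${GRUB_TARGET_DISK:-}"   # BIOS: set to the disk, e.g. /dev/sda; UEFI: leave empty

# /etc/fstab: drop the /boot mount (it now lives on the root fs), add swap.
rewrite_fstab() {            # usage: rewrite_fstab <swap-mapper-name>   (stdin -> stdout)
    awk -v swap="/dev/mapper/$1" '
        $2 == "/boot" { next }
        { print }
        END { printf "%s none swap sw 0 0\n", swap }'
}

# /etc/crypttab: swap that is re-keyed from /dev/urandom on every boot.
add_swap_crypttab() {        # usage: add_swap_crypttab <mapper-name> <partition>   (stdin -> stdout)
    cat
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1" "$2"
}

# /etc/default/grub: the single GRUB change the thread found necessary.
enable_grub_cryptodisk() {   # stdin -> stdout
    grep -v '^GRUB_ENABLE_CRYPTODISK=' || true   # drop any existing setting
    echo 'GRUB_ENABLE_CRYPTODISK=y'
}

# Replace a file with a filter's output, keeping a .orig backup.
edit_in_place() {            # usage: edit_in_place <file> <filter> [args...]
    f=$1; shift
    "$@" < "$f" > "$f.new"
    cp -p "$f" "$f.orig"
    mv "$f.new" "$f"
}

migrate() {
    # 1. Copy the boot files onto the encrypted root, then free the partition.
    #    On UEFI the ESP is mounted below /boot; detach it first, re-attach after.
    had_esp=0
    if mountpoint -q /boot/efi; then umount /boot/efi; had_esp=1; fi
    mkdir /boot.new
    cp -a /boot/. /boot.new/
    umount /boot
    rmdir /boot              # the now-empty mount point
    mv /boot.new /boot
    if [ "$had_esp" -eq 1 ]; then mount /boot/efi; fi

    # 2. Re-purpose the old /boot partition as encrypted swap.
    edit_in_place /etc/fstab rewrite_fstab "$SWAP_NAME"
    edit_in_place /etc/crypttab add_swap_crypttab "$SWAP_NAME" "$BOOT_DEV"
    wipefs -a "$BOOT_DEV"    # remove the old ext signature so cryptdisks will accept it as swap

    # 3. Teach GRUB to unlock the root, since /boot now sits inside it.
    edit_in_place /etc/default/grub enable_grub_cryptodisk
    update-initramfs -u
    update-grub
    grub-install $GRUB_TARGET_DISK   # re-embeds the core image, now with the luks module
}

# Only touch the system when asked explicitly; otherwise just define the helpers.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root inside the target chroot" >&2; exit 1; }
    migrate
fi
```

Two points a practitioner will want to keep in mind: GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub is indeed the only GRUB setting needed, but grub-install must be run again afterwards so that the core image (in the ESP on UEFI, in the MBR gap on BIOS) actually carries the luks module; and Debian's cryptsetup scripts refuse to set up random-keyed swap on a device that still carries a known filesystem signature, which is why the old ext filesystem on the former /boot partition is wiped before the first reboot.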
Welcome and thanks for sharing this. But how do you boot the kernel with /boot encrypted? Do you decrypt it in the bootloader (GRUB?) and then a second time during startup, entering the password twice? Not to mention that decrypting in GRUB is very slow.
Personally, I prefer to leave /boot unencrypted but to use signed kernels/initrd and check their signatures in GRUB before booting them.
Hey, yes, there is a 'luks' module loaded in GRUB and GRUB decrypts it. And yes, the key needs to be entered twice.
I believe this is the standard way encryption of this type is set up, and one of the alternatives is certainly, as you mention, to use signing instead of encryption.
Thanks!
Yes, but with your setup - did you have to do any other modification to grub except adding the crypto module as described in your howto? I mean this change:
echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub
No, just this one change was enough.
For the record: if you install from one of the live ISOs, you would choose to encrypt the root filesystem and not select a separate partition for /boot. That's all. The installer will add the line to /etc/default/grub.
Thanks, I have added a note that the procedure is applicable/relevant to the netinst installation (which uses d-i).
... and there is no repeating message (?):
Stopping remaining crypt disks...sdX_crypt(busy)
I have it on Beowulf.
I see it on MX Linux 18. (There it appears for very short moment, but it DOES appear)
Probably this is an issue on ALL debian/devuan distros.
Also,
If your installation is on a UEFI-based machine, and I see it is, you can put GRUB into retirement and use EFISTUB.
See this thread for a solution to the shutdown delay:
https://dev1galaxy.org/viewtopic.php?id=674
About the patch:
(I tested Beowulf because I thought "this time will be different" )
In Beowulf file name for patching is "cryptdisks-functions"
I am not using LVM.
Everything else I already noted in https://dev1galaxy.org/viewtopic.php?id=674 #12:
"for i in 1; do" --- this does shorten shutdown/reboot time. (Beowulf included)
But, the question is: Does encrypted filesystem/partition/container in the end get proper unmount?
Because all those unmounting messages are ending with "failed".
I am concerned that over time, some files may become corrupted without anyone noticing.
Edit: This is beginning to be thread hijacking, so I'll not continue on here.
Last edited by Vizitor (2019-04-23 08:28:52)
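A check for the concern raised in the post above, added by the editor and not part of the thread. The root filesystem cannot be unmounted while the system is still running, so the mapping that backs it is still open when cryptdisks tries to close it; what matters for the data is whether the filesystem was remounted read-only with its journal flushed before that point, which an ext2/3/4 superblock records as "Filesystem state: clean" (and which fsck would otherwise flag on the next boot). The script below reads that field from dumpe2fs -h output; the sample output embedded in it is constructed, and the mapper names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): after a reboot, verify that the ext2/3/4
# filesystems on the encrypted mappings were left consistent by the previous
# shutdown. Needs e2fsprogs and root to read real devices; mapper names are
# assumptions.
set -eu

# Pull the "Filesystem state" value out of `dumpe2fs -h` output on stdin.
# Exit status 1 if no such line is present.
fs_state_from_dumpe2fs() {
    awk -F': *' '$1 == "Filesystem state" { print $2; found = 1 }
                 END { exit !found }'
}

# Classify one device's dumpe2fs output: prints a verdict and returns
# 0 = clean, 1 = not clean, 2 = no state line could be read.
check_clean() {   # usage: check_clean "<dumpe2fs -h output>"
    state=$(printf '%s\n' "$1" | fs_state_from_dumpe2fs) || { echo "no state line"; return 2; }
    case $state in
        clean)  echo "clean"; return 0 ;;
        *)      echo "NOT clean ($state)"; return 1 ;;
    esac
}

# Run the check against real block devices, e.g. /dev/mapper/sda5_crypt.
check_devices() {   # usage: check_devices <device>...
    rc=0
    for dev in "$@"; do
        printf '%s: ' "$dev"
        check_clean "$(dumpe2fs -h "$dev" 2>/dev/null)" || rc=1
    done
    return $rc
}

# Constructed, abridged samples in the format dumpe2fs -h prints.
SAMPLE_CLEAN='Filesystem volume name:   <none>
Filesystem state:         clean
Errors behavior:          Continue
Mount count:              7'
SAMPLE_DIRTY='Filesystem state:         not clean
Mount count:              8'

if [ $# -gt 0 ]; then
    check_devices "$@"               # real devices given on the command line
else
    check_clean "$SAMPLE_CLEAN"      # demo on the constructed samples
    check_clean "$SAMPLE_DIRTY" || true
fi
```

Run it right after booting, before the filesystems have been written to much, e.g. `sh check-clean.sh /dev/mapper/sda5_crypt`; a "not clean" or "not clean with errors" verdict means the journal was not flushed at the last shutdown and fsck is warranted, whereas a clean state with the "(busy)" message at shutdown is the expected combination.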