The officially official Devuan Forum!

#1 2022-08-24 21:52:31

unixdan22
Member
Registered: 2022-08-15
Posts: 14  

[SOLVED] LUKS Full Disk Encryption

Hello,

what is the recommended way to setup LUKS FDE on Devuan on a BIOS/MBR machine?

I have created an unencrypted /boot and an encrypted LUKS partition for the system.

I cannot figure out how to boot the encrypted LUKS partition from GRUB. I tried creating the file /etc/crypttab and setting the cryptdevice and root parameters in /etc/default/grub (then updating grub and initramfs).

Thank you in advance!

#2 2022-08-25 01:49:49

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,153  

Re: [SOLVED] LUKS Full Disk Encryption

FDE usually refers to a setup that has /boot as part of the encrypted volume. I recommend using one of the live isos. Refractainstaller knows how to do it. I can never remember all the steps and the right words, which is why I put it into a script.

Tell the installer you want to encrypt the root partition and don't select a separate boot. Added bonus - don't select a swap partition and let the installer put a small swap file on the encrypted root partition.

If you would rather diagnose and fix your current situation, you probably should show us what's in crypttab, fstab, a menuentry from grub.cfg and whatever you put into /etc/default/grub. And maybe fdisk -l, too.

#3 2022-08-25 09:32:37

unixdan22
Member
Registered: 2022-08-15
Posts: 14  

Re: [SOLVED] LUKS Full Disk Encryption

Thank you for the quick reply!

I will try it out with the installer from the live iso.

#4 2022-08-25 13:19:26

rolfie
Member
Registered: 2017-11-25
Posts: 708  

Re: [SOLVED] LUKS Full Disk Encryption

Any installer will do, there is nothing special to be done to make grub boot an encrypted root. I have been using FDE with unencrypted /boot and an LVM in an encrypted partition for / and swap for many years now, no issues. Legacy BIOS or EFI, MBR or GPT do not matter, all combinations work.

Cook book:
* I only use manual partitioning: p1 with 2048 MB for /boot, ext4; for p2, the encrypted partition, I use 32G for / plus at least 32G for swap, i.e. 65535MB. Change these values to your needs.
* Select volume for encryption for p2. You have to enter a PW for the encryption.
* Select that volume and change it from ext4 to a physical volume for LVM.
* Define vg and logical volumes. Make one LV to /, ext4, the other one to swap.
* Write all to disk and continue with the installation. At the end the system should boot automagically and ask for the PW for decryption.

Manually setting everything up is a bit fiddly. There is a guide for the guided setup at: https://www.devuan.org/os/documentation … encryption which is much easier.

Good luck, rolfie

Last edited by rolfie (2022-08-29 19:04:04)

#5 2022-09-07 09:30:46

unixdan22
Member
Registered: 2022-08-15
Posts: 14  

Re: [SOLVED] LUKS Full Disk Encryption

rolfie wrote:

There is a guide for guided setup at: https://www.devuan.org/os/documentation … encryption which is much easier.

Which partitioning software is it in this documentation?

#6 2022-09-07 09:34:05

unixdan22
Member
Registered: 2022-08-15
Posts: 14  

Re: [SOLVED] LUKS Full Disk Encryption

I installed the encrypted system with refractainstaller and it worked!

First I tried without a separate /boot partition, but then I had to enter the disk password twice during boot: Once to start GRUB and then to boot Devuan. GRUB takes 17 seconds to decrypt which was very annoying.

Then I tried a different configuration with a separate /boot partition (also with refractainstaller), and it worked perfectly! GRUB starts without a password and I only have to enter the password to boot Devuan.

#7 2022-09-07 09:42:50

unixdan22
Member
Registered: 2022-08-15
Posts: 14  

Re: [SOLVED] LUKS Full Disk Encryption

This is what the GRUB menu entry looks like:

menuentry 'Devuan GNU/Linux' --class devuan --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-<system-uuid>' {
	load_video
	insmod gzio
	if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
	insmod part_msdos
	insmod ext2
	set root='hd0,msdos2'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos2 --hint-efi=hd0,msdos2 --hint-baremetal=ahci0,msdos2  <boot-uuid>
	else
	  search --no-floppy --fs-uuid --set=root <boot-uuid>
	fi
	echo	'Loading Linux 5.18.0-0.bpo.1-amd64 ...'
	linux	/vmlinuz-5.18.0-0.bpo.1-amd64 root=UUID=<system-uuid> ro  text iomem=relaxed
	echo	'Loading initial ramdisk ...'
	initrd	/initrd.img-5.18.0-0.bpo.1-amd64
}

How does the kernel know where to find the system-uuid? It is inside the LUKS partition. To see the UUID of the encrypted partition it would have to decrypt the LUKS partition first. How does it work?

#8 2022-09-07 12:43:15

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,153  

Re: [SOLVED] LUKS Full Disk Encryption

I don't know the details of how it works, but grub has modules for crypto and for luks. Look under /boot/grub/.

Yeah, I almost warned you about the double password entry. It's very slow, too. I should have said that I recommend it if that's what you really want. Another way to make /boot secure is to remove it from the hard disk and put it on a usb stick. Then you can't boot without the stick. (also inconvenient.)

#9 2022-09-07 17:48:18

rolfie
Member
Registered: 2017-11-25
Posts: 708  

Re: [SOLVED] LUKS Full Disk Encryption

unixdan22 wrote:

Which partitioning software is it in this documentation?

These are pictures taken from the standard installer in normal mode.

#10 2022-09-07 17:49:30

rolfie
Member
Registered: 2017-11-25
Posts: 708  

Re: [SOLVED] LUKS Full Disk Encryption

unixdan22 wrote:

How does the kernel know where to find the system-uuid? It is inside the LUKS partition. To see the UUID of the encrypted partition it would have to decrypt the LUKS partition first. How does it work?

Have a look at /etc/crypttab. The contents of this file are one of the inputs for grub and the initramfs.
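
To make the answer above concrete: the kernel never resolves root=UUID=<system-uuid> on its own, the initramfs does. The cryptsetup hook copies /etc/crypttab and the cryptsetup binary into the initrd, the initramfs opens the LUKS container by the UUID in that copy, and only then does the filesystem UUID on the kernel command line become visible. The script below is an added example of my own, not code from this thread or from Devuan: it opens an initrd image and reports whether those pieces are present (the copied crypttab at cryptroot/crypttab, or conf/conf.d/cryptroot in the older hook format, the cryptsetup binary, the dm-crypt module, and any RESUME= line that hibernation would need). Assumptions: the image is zero or more uncompressed newc cpio segments (early microcode) followed by one gzip, xz, bzip2 or lzma segment; zstd and lz4 are reported as unsupported because the Python standard library cannot decode them. The sample image at the bottom is constructed with the names used in this thread; pass a real path such as /boot/initrd.img-<version> as the first argument to inspect your own.

```python
"""Report whether an initramfs carries what it needs to unlock a LUKS root.
Added example, not code from the thread or from Devuan. Assumption: the image
is zero or more uncompressed newc cpio segments (early microcode) followed by
one gzip/xz/bzip2/lzma segment; zstd and lz4 are reported as unsupported."""
import bz2
import gzip
import lzma
import sys

NEWC_MAGIC = b"070701"
HDR_LEN = 110  # 6-byte magic + 13 fields of 8 hex digits


def _pad4(n):
    return (4 - n % 4) % 4


def cpio_newc_pack(entries):
    """Pack {name: bytes} into a newc cpio archive (regular files only)."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries.items()) + [("TRAILER!!!", b"")], 1):
        mode = 0 if name == "TRAILER!!!" else 0o100644
        nb = name.encode() + b"\0"
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nb), 0)
        out += NEWC_MAGIC + "".join("%08x" % f for f in fields).encode() + nb
        out += b"\0" * _pad4(len(out))        # file data starts 4-byte aligned
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def cpio_newc_unpack(buf, start=0):
    """Read one newc archive at buf[start]; return ({name: bytes}, offset past TRAILER!!!)."""
    files, off = {}, start
    while True:
        if buf[off:off + 6] != NEWC_MAGIC:
            raise ValueError("no newc header at offset %d" % off)
        f = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        size, namesize = f[6], f[11]
        name = bytes(buf[off + HDR_LEN:off + HDR_LEN + namesize - 1]).decode()
        off += HDR_LEN + namesize
        off += _pad4(off - start)             # alignment is relative to the archive start
        if name == "TRAILER!!!":
            return files, off
        files[name] = bytes(buf[off:off + size])
        off += size + _pad4(size)


COMPRESSORS = (
    (b"\x1f\x8b", gzip.decompress),
    (b"\xfd7zXZ\x00", lzma.decompress),
    (b"\x5d\x00\x00", lzma.decompress),       # legacy .lzma
    (b"BZh", bz2.decompress),
)


def initramfs_members(blob):
    """Return {path: bytes} for every file across the concatenated segments of an initrd."""
    files, off = {}, 0
    while off < len(blob):
        if blob[off] == 0:                    # zero padding between segments
            off += 1
            continue
        if blob.startswith(NEWC_MAGIC, off):
            part, off = cpio_newc_unpack(blob, off)
            files.update(part)
            continue
        for magic, decompress in COMPRESSORS:
            if blob.startswith(magic, off):
                files.update(cpio_newc_unpack(decompress(blob[off:]))[0])
                return files                  # the compressed segment is always the last one
        raise ValueError("unsupported segment at offset %d (zstd/lz4 need an external tool)" % off)
    return files


def cryptroot_report(files):
    """Pick out the pieces that let the initramfs open the container before root is mounted."""
    crypttab = files.get("cryptroot/crypttab")          # cryptsetup-initramfs 2.x hook
    if crypttab is None:
        crypttab = files.get("conf/conf.d/cryptroot")   # older hook format
    return {
        "crypttab": crypttab.decode().strip() if crypttab is not None else None,
        "cryptsetup": any(n.endswith("sbin/cryptsetup") for n in files),
        "dm_crypt_module": any("dm-crypt.ko" in n for n in files),  # False if built into the kernel
        "resume_conf": sorted(n for n, d in files.items()
                              if n.startswith("conf/conf.d/") and b"RESUME=" in d),
    }


def sample_image():
    """Constructed stand-in for /boot/initrd.img: microcode cpio followed by a gzip'd main archive."""
    early = cpio_newc_pack({"kernel/x86/microcode/GenuineIntel.bin": b"\0" * 16})
    main = cpio_newc_pack({
        "cryptroot/crypttab": b"lvm_crypt UUID=<luks-uuid> none luks\n",
        "usr/sbin/cryptsetup": b"\x7fELF",
        "usr/lib/modules/5.18.0-0.bpo.1-amd64/kernel/drivers/md/dm-crypt.ko": b"\x7fELF",
        "conf/conf.d/zz-resume-auto": b"RESUME=/dev/mapper/vg00-lvol_devuan_swap\n",
    })
    return early + gzip.compress(main)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_image()
    for key, value in cryptroot_report(initramfs_members(blob)).items():
        print("%-16s %s" % (key, value))
```

If "crypttab" comes back as None on a real image, the cryptsetup hook did not run when the initrd was built (or crypttab was edited afterwards), and the boot will stop at the initramfs prompt no matter what root= says; that is the case that update-initramfs -u -k all fixes. A missing dm-crypt module is only a problem if the kernel does not have it built in.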

#11 2022-09-08 08:02:48

xinomilo
Member
Registered: 2017-07-02
Posts: 282  

Re: [SOLVED] LUKS Full Disk Encryption

a guide for FDE including /boot : https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

#12 2022-09-09 10:31:09

unixdan22
Member
Registered: 2022-08-15
Posts: 14  

Re: [SOLVED] LUKS Full Disk Encryption

fsmithred wrote:

I don't know the details of how it works, but grub has modules for crypto and for luks. Look under /boot/grub/.

Yeah, I almost warned you about the double password entry. It's very slow, too. I should have said that I recommend it if that's what you really want. Another way to make /boot secure is to remove it from the hard disk and put it on a usb stick. Then you can't boot without the stick. (also inconvenient.)

I think having /boot unencrypted is not really an issue for me, because it does not contain any personal data anyway. Sorry if the title was misleading.

Last edited by unixdan22 (2022-09-09 10:33:59)

#13 2022-09-09 10:40:00

unixdan22
Member
Registered: 2022-08-15
Posts: 14  

Re: [SOLVED] LUKS Full Disk Encryption

Right now I have an unencrypted swap partition. What is the best way to also encrypt that?

Should I create / and swap partitions inside an LVM as rolfie has suggested or is it possible to create a swap file on the encrypted file system?

#14 2022-09-10 16:31:14

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,153  

Re: [SOLVED] LUKS Full Disk Encryption

The live installer would have made a swapfile in the root partition if you had not chosen to use the swap partition. So yes, it's possible to have a swapfile. To be sure, check to see if /swapfile already exists.

refractainstaller does the following, where bs=1024 and count=1048576:

        dd if=/dev/zero of=/target/swapfile bs="$swapfile_blocksize" count="$swapfile_count" ; check_exit 
        mkswap /target/swapfile ; check_exit 
        chmod 600 /target/swapfile

The values for bs and count are in /etc/refractainstaller in case anyone wants to change the size of the swapfile. Currently it's set to 256mb. And then you have to edit the swap entry in /etc/fstab. Mine looks like this:

/swapfile	none	swap	sw	0	0

#15 2022-09-11 09:14:44

unixdan22
Member
Registered: 2022-08-15
Posts: 14  

Re: [SOLVED] LUKS Full Disk Encryption

I have created a swap file manually as you said and disabled the swap partition. But now the hibernate button in the XFCE logout menu is gone. How to enable hibernate with a swap file?
All the tutorials I found tell about installing and configuring the uswsusp package, but this package is missing in the Devuan repository.

#16 2022-09-11 10:18:23

fsmithred
Administrator
Registered: 2016-11-25
Posts: 2,153  

Re: [SOLVED] LUKS Full Disk Encryption

I've never tried to hibernate with a swapfile. There is a uswsusp module in the pm-utils package. I have no idea how you would use it. (dpkg-reconfigure uswsusp won't work)

$ apt-file find uswsusp
pm-utils: /usr/lib/pm-utils/module.d/uswsusp

#17 2022-09-11 10:23:38

unixdan22
Member
Registered: 2022-08-15
Posts: 14  

Re: [SOLVED] LUKS Full Disk Encryption

rolfie wrote:

Any installer will do, there is nothing special to be done to make grub boot an encrypted root. I am using FDE with unencrypted /boot and an LVM in an encrypted partition for / and /swap for many years now, no issues. Legacy Bios or efi, mbr or gpt do not matter, all combinations work.

Does hibernate work with a swap partition inside an LVM?

#18 2022-09-11 10:56:35

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 162  

Re: [SOLVED] LUKS Full Disk Encryption

unixdan22 wrote:

Does hibernate work with a swap partition inside an LVM?

It does on my PC (AMD5600G, Chimaera, emulated legacy boot, no encryption, kernel 5.18.0-0.deb11.4-amd64. RAID1).

I'm still finding hibernation a bit flaky - sometimes it attempts a reboot and I have to kill it with the power button (but then it still resumes OK subsequently).

If you were to try to hibernate to a swapfile, one obvious, but solvable, problem is that you would have to make it significantly larger than 256 MB as it has to have space for what's in your RAM.

Last edited by Marjorie (2022-09-11 11:04:09)

#19 2022-09-23 09:07:15

unixdan22
Member
Registered: 2022-08-15
Posts: 14  

Re: [SOLVED] LUKS Full Disk Encryption

I have created an encrypted LVM with logical volumes for swap and root. /boot is unencrypted on another partition. /etc/crypttab and /etc/fstab look as follows.

/etc/crypttab:

lvm_crypt UUID=<luks-uuid> none luks

/etc/fstab:

/dev/vg00/lvol_devuan_swap	none	swap	sw	0	0
/dev/vg00/lvol_devuan_system	/	ext4	defaults,noatime	0	1
UUID=<boot-uuid>	/boot	ext4	defaults,noatime	0	2

I had to run update-initramfs -u -k all and update-grub.

Now it works without any problems! I can also hibernate and resume from the encrypted swap partition.

Thank you guys for all your help!
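
A check for the final layout in the post above, as an added example of my own (not code from this thread or from Devuan). It reads the key="value" rows of lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT together with /etc/crypttab, walks every mounted filesystem and every swap device up through its parent devices, and flags anything other than /boot (and /boot/efi) that does not sit on a device of TYPE crypt, as well as any opened crypt device that has no crypttab entry (the initramfs would then not open it at boot, which is the situation the earlier posts in this thread were stuck in). The two lsblk samples are constructed: one matches the thread's final lvm_crypt/vg00 layout, the other the earlier state with an unencrypted swap partition; the partition names sda1 to sda3 are assumed.

```python
"""Flag any mounted filesystem or swap (other than /boot) that is not on a LUKS device.
Added example, not code from the thread or from Devuan. Input is the key="value"
format of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT` plus /etc/crypttab."""
import re
import subprocess
import sys

PAIR = re.compile(r'(\w+)="([^"]*)"')
LSBLK_COLUMNS = "NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT"


def parse_lsblk(text):
    """Return {NAME: {column: value}} from `lsblk -P` output."""
    devices = {}
    for line in text.splitlines():
        row = dict(PAIR.findall(line))
        if row:
            devices[row["NAME"]] = row
    return devices


def parse_crypttab(text):
    """Return {mapper name: source device} for the non-comment lines of crypttab."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            table[fields[0]] = fields[1]
    return table


def crypt_ancestor(devices, name):
    """Follow PKNAME upwards; return the first device of TYPE crypt, or None."""
    seen = set()
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return None
        if dev["TYPE"] == "crypt":
            return name
        name = dev["PKNAME"]
    return None


def audit(lsblk_text, crypttab_text, plaintext_ok=("/boot", "/boot/efi")):
    """Return findings as strings; an empty list means every mount and swap is on LUKS."""
    devices = parse_lsblk(lsblk_text)
    crypttab = parse_crypttab(crypttab_text)
    findings = []
    for name, dev in devices.items():
        # lsblk shows active swap as MOUNTPOINT="[SWAP]"; an inactive swap area only by FSTYPE
        use = dev["MOUNTPOINT"] or ("swap (inactive)" if dev["FSTYPE"] == "swap" else "")
        if not use:
            continue
        backing = crypt_ancestor(devices, name)
        if backing is None:
            if use not in plaintext_ok:
                findings.append("%s on %s is not on a LUKS device" % (use, name))
        elif backing not in crypttab:
            findings.append("%s on %s: %s is open but has no crypttab entry" % (use, name, backing))
    return findings


# Constructed samples; lvm_crypt/vg00 names are from the post, sda1..sda3 are assumed.
LSBLK_FINAL = """\
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="lvm_crypt" PKNAME="sda2" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg00-lvol_devuan_swap" PKNAME="lvm_crypt" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]"
NAME="vg00-lvol_devuan_system" PKNAME="lvm_crypt" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
"""
LSBLK_EARLIER = LSBLK_FINAL.replace(
    'NAME="vg00-lvol_devuan_swap" PKNAME="lvm_crypt" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]"\n',
    'NAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]"\n')
CRYPTTAB = "lvm_crypt UUID=<luks-uuid> none luks\n"


def audit_live():
    """Run the check against the running system (needs lsblk and a readable /etc/crypttab)."""
    out = subprocess.run(["lsblk", "-P", "-o", LSBLK_COLUMNS],
                         check=True, capture_output=True, text=True).stdout
    with open("/etc/crypttab") as fh:
        return audit(out, fh.read())


if __name__ == "__main__":
    findings = audit_live() if "--live" in sys.argv else audit(LSBLK_EARLIER, CRYPTTAB)
    print("\n".join(findings) or "OK: everything except /boot is on LUKS")
    sys.exit(1 if findings else 0)
```

Run it with --live on the installed system; without that flag it audits the constructed "earlier" layout and reports the plaintext swap partition. The /boot exception is deliberate: with an unencrypted /boot the kernel and initramfs are readable and writable by anyone with the disk, which is the trade-off accepted earlier in the thread in exchange for a single passphrase prompt.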
