True Full Disk Encryption On Linux

Publish Date:  Last Update:
Tags:guide linux security
697 words, 4 minute(s) to read.

My friends laugh at me when they are told that I have to put in 4 passwords with ~18 characters each to login into my computer. I laugh back at them, wishing them joy with Ads in the start-menu.

In this article, we will discuss true full disk encryption. Everything, including having the kernel encrypted using LUKS. I personally found difficulty in finding good documentation detailing how to set-up disk encryption. Hopefully this guide would help someone out there.

Introduction

We will be installing Artix Linux🔗, because this is what I use and recommend (not for everyone). This tutorial should work using any distro that allows you to select where to install the system. In the end we would have a bootable UEFI system where the user is prompted for a password to unlock the /boot/ partition, then another prompt for the main partition. The reason for this seperation is that GRUB, at least with my testing (2021-08), does not officially (?) support LUKS2 formatting.

$ lsblk
NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                8:0    0 931.5G  0 disk  
├─sda1             8:1    0   512M  0 part  
├─sda2             8:2    0     2G  0 part  
└─sda3             8:3    0   929G  0 part  
  └─hdd          254:0    0   929G  0 crypt 
    ├─vol-root   254:1    0   150G  0 lvm   /
    ├─vol-home   254:2    0   300G  0 lvm   /home
    ├─vol-data   254:3    0   421G  0 lvm   /data
    ├─vol-swap   254:4    0     8G  0 lvm   [SWAP]

This would be the final result. LVM over LUKS2 for the main (/dev/sda3) partition, LUKS1 for /dev/sda2, and the UEFI disk on /dev/sda1.

I am not responsible for any loss of data that occurs because you irresponsibly ran any command.

Flash your ISO into your USB, turn off your device, plug the USB in, boot into the USB, and follow this guide from another device.

Partitioning the Disk

Following this would irreversibly erase your whole disk. First, start by identifying the disk name. Run lsblk, find your disk name by its known space. I from hereafter use /dev/sda as the installation hard-disk. Using your favourite disk editing tools🔗, do the following tasks:

Set up the boot disk, then the main disk:

$ cryptsetup luksFormat --type luks1 /dev/sda2
$ cryptsetup luksFormat --type luks2 /dev/sda3

Format the boot disk:

$ cryptsetup open /dev/sda2 boot-crypt
$ mkfs.ext4 /dev/mapper/boot-crypt

Format the main disk as LVM:

$ cryptsetup open /dev/sda3 hdd
$ pvcreate /dev/mapper/hdd
$ vgcreate vol /dev/mapper/hdd
$ lvcreate -L[your / size] -n root vol
$ lvcreate -L[your /home size] -n home vol
$ lvcreate -L[your /data size] -n data vol
$ mkfs.ext4 /dev/vol/root
$ mkfs.ext4 /dev/vol/home
$ mkfs.ext4 /dev/vol/data

Your disk should be ready for installation!

Artix Installation

This section won’t hold your hand installing a full Artix system. I will just go over configuring the disk. mount your horses and go chrooting!

$ mount /dev/vol/root /mnt/
$ mkdir -p /mnt/home/
$ mount /dev/vol/home /mnt/home/
$ mkdir -p /mnt/boot/EFI
$ mount /dev/sda1 /mnt/boot/EFI
$ mount /dev/mapper/boot-crypt /mnt/boot/
$ mkdir -p /mnt/data
$ mount /dev/vol/data /mnt/data
$ lsblk # check if everything is fine
$ # After bootstrapping Artix Linux into /mnt, don't forget to configure fstab!
$ artix-chroot /mnt/
$ # Continue installing the system, skipping GRUB for the next section

GRUB Bootloader Installation & Configuration

This section assumes that you are already chrooted. Install GRUB:

$ pacman -S grub efibootmgr

Set-up GRUB & mkinitcpio for encryption:

$ vi /etc/default/grub
# Change the following:
GRUB_CMDLINE_LINUX="... cryptdevice=UUID=[YOUR LUKS PARTITION UUID]"
GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"
GRUB_ENABLE_CRYPTODISK=y
$ grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub
$ vi /etc/mkinitcpio.conf
# Change the following:
HOOKS=(.. lvm2 encrypt)

Finally, configure GRUB:

$ grub-mkconfig -o /boot/grub/grub.cfg

Make sure you run mkinitcpio, do so by updating your kernel pacman will update your initcpio automatically, or run this:

$ mkinitcpio -P

Congratz, you should have a true full disk encryption system!

Conclusion

Full disk encryption should not be hard to setup, try it out in a VM before converting all of your machines!

Copyright © 2022 ayham
Subscribe via RSS.
Website Details.