Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
What would be the correct way to make an encrypted installat
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message
elover
Apprentice
Apprentice


Joined: 20 Nov 2019
Posts: 170
Location: Spain

PostPosted: Sat Jul 06, 2024 12:01 pm    Post subject: What would be the correct way to make an encrypted installat Reply with quote

What would be the correct way to make an encrypted installation?

I currently have five SDD of different size, I don't know whether to do linear raid, or a LVM set with luks, three volumes root, home and swap.

The root would use btrfs, the home xfs, but now I don't know which luks to use, one or two?


I would also like to use secure boot, I can't decide whether to use systemd Openrc as init, I have used sbctl and I have had no problems, now I don't know if activating module signing, I can have video with nvidia or they sign with sbct, I have no idea.

If I use a fido2 key or smart card I understand that I have to use systemd? the manufacturer has a guide with fido2 + pin, is it possible to use instead of pin the fingerprint?


I currently have five SDD of different size, I don't know whether to do linear raid, or a LVM set with luks, three volumes root, home and swap.

The root would use btrfs, the home xfs, but now I don't know which luks to use, one or two?


I would also like to use secure boot, I can't decide whether to use systemd Openrc as init, I have used sbctl and I have had no problems, now I don't know if activating module signing, I can have video with nvidia or they sign with sbct, I have no idea.

If I use a fido2 key or smart card I understand that I have to use systemd? the manufacturer has a guide with fido2 + pin, is it possible to use instead of pin the fingerprint?


Finally, do I have to activate the uki, refind, dracut and modules-sign flags?
Back to top
View user's profile Send private message
Shadow_Fury
Apprentice
Apprentice


Joined: 20 Apr 2021
Posts: 196
Location: 11.435765792823453, 143.05926743686274

PostPosted: Sat Aug 17, 2024 8:43 pm    Post subject: Reply with quote

elover wrote:

The root would use btrfs, the home xfs, but now I don't know which luks to use, one or two?


Modern grub supports luks2, so i'd recommend that (assuming you're using grub).

elover wrote:

If I use a fido2 key or smart card I understand that I have to use systemd? the manufacturer has a guide with fido2 + pin, is it possible to use instead of pin the fingerprint?


Yes, you do have to use systemd, unless you're prepared to build a custom initramfs to unlock your partitions (doable, and quite fun if you enjoy tinkering, but it can take a while, and tools that can talk to hardware keys are few and far between, so it can be somewhat difficult.) whether you can use the fingerprint option, i can't say for sure. This will depend on whether you can configure your key to use it as your authentication factor over the PIN.

elover wrote:

I would also like to use secure boot, I can't decide whether to use systemd Openrc as init, I have used sbctl and I have had no problems, now I don't know if activating module signing, I can have video with nvidia or they sign with sbct, I have no idea.


This is somewhat more complex. if you just want UEFI secure boot, you can enroll your bootloader's EFI file (usually located in /boot/efi/EFI or similar) through the UEFI menu as a valid hashed file. the downside it that whenever you rebuild it you'll have to re-enroll the file. You could also enroll your own signing keys with your UEFI, though this is more complex and i'd recommend finding a good guide; that way, you can re-sign the bootloader's EFI file when you re-build it inside the OS (though keeping the private key on the system 100% of the time is inadvisable). As for systemd vs openRC, this shouldn't matter for in terms of just enabling UEFI secure boot, since that only touches the EFI file. Past that, it's the responsibility of said EFI file and everything downstream to enforce signatures.

to use a fully verified boot chain, it gets more complicated. it can be done (see here for how to do it with GRUB), but you may run into issues depending on how custom your Gentoo install is. Finally, if you want to enforce kernel module signing (a good thing to do), you will have to sign binary drivers, like nvidia's, for them to load. see here for how to do that (scroll down to "Kernel module signing") .

I hope this helps you

-S
Back to top
View user's profile Send private message
sMueggli
Guru
Guru


Joined: 03 Sep 2022
Posts: 500

PostPosted: Sun Aug 18, 2024 8:35 am    Post subject: Reply with quote

Shadow_Fury wrote:
Modern grub supports luks2, so i'd recommend that (assuming you're using grub).


And does Grub support all PBKDFs? As far as I know argon is not supported, which is the default for LUKS2.

But it looks like elover does not intend to encrypt /boot, so Grub does not need to understand LUKS at all. But I would opt for FDE with /boot, instead of a Do-it-yourself-Secure-Boot.
Back to top
View user's profile Send private message
Shadow_Fury
Apprentice
Apprentice


Joined: 20 Apr 2021
Posts: 196
Location: 11.435765792823453, 143.05926743686274

PostPosted: Sun Aug 18, 2024 11:15 am    Post subject: Reply with quote

sMueggli wrote:
Shadow_Fury wrote:
Modern grub supports luks2, so i'd recommend that (assuming you're using grub).


And does Grub support all PBKDFs? As far as I know argon is not supported, which is the default for LUKS2.


it doesn't yet, but you can set the PBKDF when making a partition, and migrating PBKDFs is simpler than migrating luks1 to luks2 (in my experience)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum