Gentoo Forums
Question about Full Disk Encryption wiki entry
L1NTHALO
n00b
Joined: 27 Aug 2024
Posts: 24

PostPosted: Wed Dec 04, 2024 12:09 pm    Post subject: Question about Full Disk Encryption wiki entry

Hey,

trying to encrypt my laptop with FDE and I'm currently following the wiki entry for FDE (https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch).
I'm confused by some parts:

1. I want to create a detached header on a USB drive with which to encrypt the disk. I've created that header but if I now create a key file for that disk, it says it isn't encrypted (/dev/nvme0n1p1 is not a valid LUKS device).
2. The wiki says to create all your headers, key files etc but then after that you should format your disks? What am I missing?
3. What do I need an Extended Boot Partition for? Is it only for MBR? Will putting the detached header, key files, initramfs and kernel image on the EFI drive work with grub?
4. Do I need GRUB or can you also do the whole process with EFISTUB?

Thanks in advance!
GDH-gentoo
Veteran
Joined: 20 Jul 2019
Posts: 1734
Location: South America

PostPosted: Wed Dec 04, 2024 2:13 pm    Post subject:

L1NTHALO wrote:
1. I want to create a detached header on a USB drive with which to encrypt the disk. I've created that header but if I now create a key file for that disk, it says it isn't encrypted (/dev/nvme0n1p1 is not a valid LUKS device).

Creating the key file comes first, it must exist before you create the LUKS container, because you need to tell cryptsetup luksFormat about it.

L1NTHALO wrote:
2. The wiki says to create all your headers, key files etc but then after that you should format your disks? What am I missing?

After you create the LUKS container, you must open it with cryptsetup open and create a filesystem. That's section 6 of the Wiki article.

L1NTHALO wrote:
3. What do I need an Extended Boot Partition for? Is it only for MBR? Will putting the detached header, key files, initramfs and kernel image on the EFI drive work with grub?

No, the Wiki article talks about an EFI System Partition (ESP), so it assumes a UEFI installation. The Extended Boot Partition is mounted at /boot and holds kernel, initramfs and GRUB stuff (including its configuration file). I suppose that the article chose that partition layout to make it easier to do the installation of GRUB, kernel and initramfs according to the Handbook.

Yes, all those could be in the ESP I believe.

L1NTHALO wrote:
4. Do I need GRUB or can you also do the whole process with EFISTUB?

You could in theory, but if you are using a separate initramfs, you rely heavily on the UEFI firmware's ability to correctly handle Boot#### variables and pass an initrd= kernel parameter to the EFI stub.

Otherwise, you have to embed the initramfs in the kernel, and that requires customizing the kernel's configuration, as shown in section 7.3 of that Wiki article.
_________________
NeddySeagoon wrote:
I'm not a witch, I'm a retired electronics engineer :)
Ionen wrote:
As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though :)


Last edited by GDH-gentoo on Wed Dec 04, 2024 2:34 pm; edited 2 times in total
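The order GDH-gentoo describes (key file first, then cryptsetup luksFormat with the detached header, then cryptsetup open and a filesystem), written out as an added POSIX shell example that is not from the thread or the wiki article. /dev/nvme0n1p1 comes from the question; the USB mount point, header and key file names, the mapper name cryptroot and ext4 are assumptions.

```shell
#!/bin/sh
# Assumed layout (constructed for this example; adjust to your own):
DISK="${DISK:-/dev/nvme0n1p1}"   # partition that will hold only ciphertext
USB="${USB:-/mnt/usb}"           # mounted USB stick for header and key file
HEADER="$USB/luks-header.img"
KEYFILE="$USB/luks.key"
NAME="${NAME:-cryptroot}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands, 0 = run them (as root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. The key file comes first: luksFormat enrols it, so it must already exist.
make_keyfile() {
    run dd if=/dev/urandom of="$KEYFILE" bs=512 count=8 status=none
    run chmod 0400 "$KEYFILE"
}

# 2. Create the container with a detached header. All LUKS metadata goes into
#    the header file on the USB stick; the partition itself carries no LUKS
#    signature, which is why tools pointed only at it report
#    "not a valid LUKS device".
make_container() {
    run truncate -s 16M "$HEADER"   # room for a default-size LUKS2 header
    run cryptsetup luksFormat --type luks2 --header "$HEADER" \
        --key-file "$KEYFILE" "$DISK"
}

# 3. Open it (again naming the header) and only then create the filesystem,
#    as in section 6 of the wiki article.
open_and_format() {
    run cryptsetup open --header "$HEADER" --key-file "$KEYFILE" "$DISK" "$NAME"
    run mkfs.ext4 "/dev/mapper/$NAME"
}

# Commands that modify the LUKS header (adding a passphrase, for instance)
# must be given the header file, not the partition.
add_passphrase() {
    run cryptsetup luksAddKey --key-file "$KEYFILE" "$HEADER"
}

fde_sequence() { make_keyfile; make_container; open_and_format; add_passphrase; }

fde_sequence   # with DRY_RUN=1 this only prints the plan
```

Run it once with DRY_RUN=1 to review the plan, then with DRY_RUN=0 as root once the USB stick is mounted at the assumed path.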
zen_desu
n00b
Joined: 25 Oct 2024
Posts: 36

PostPosted: Wed Dec 04, 2024 2:20 pm    Post subject:

Everything stated above is accurate and true. There are multiple partition schemes shown on the rootfs encryption page; I plan to do something similar with the FDE page. A /boot partition if you have an ESP is entirely optional. Some people prefer this because it means you can use fancier filesystem things (fancier than fat32 at least).

Concerning header files and key files, those could be stored on an ESP but it's worth noting that ESPs are generally easily readable.
_________________
µgRD dev
Wiki writer
sMueggli
Guru
Joined: 03 Sep 2022
Posts: 503

PostPosted: Wed Dec 04, 2024 5:29 pm    Post subject:

What is your definition of FDE? Do you want to encrypt kernel and initramfs also?