Question regarding encryption for laptops

[Ryonez]

So, after having sorted out what init system to use, I'm left with only one other issue to sort before I install Gentoo onto my laptop.

Encryption.

I properly wouldn't bother with this on a desktop (ok maybe profile encryption there) however as a laptop isn't always going to be in a secure environment, I feel it's imported to use.

Heads up, I know a fair bit when it comes to encryption on windows having used bitlock, truecrypt and veracrypt. My knowledge on cmdline and linux use is rather pitiful.
I've only dealt with profile encryption on my ubuntu server, but dropped that after password issue over ssh forced me to chroot and replace root and user passwords.
Ubunutu hides a lot of the background from the user, so all I know is lvm is important somewhere.
One more things is I'm aware of at least two methods possible on linux. Profile encryption and system/drive encryption.

Could some please explain how encryption works with Gentoo?

[ian.au]

Did you read https://wiki.gentoo.org/wiki/Dm-crypt
and https://wiki.gentoo.org/wiki/DM-Crypt_LUKS
There should be enough info to get you going.

[The Doctor]

I'll add that in general on Gentoo encryption is only as hard or as fancy as you make it. I encrypted my laptop using luks with serpent and lvm. Basically, all it did was add a fairly simple step to partitioning the disks. Writing an init can be more of a challenge, but it still doesn't need to really do much so a ridiculously simple one will suffice. All it needs to do is ask for a password and switch to the real root.

If you want to get fancy, you can make it ask for a password or check for a specific thumb drive placed in a specific USB port containing a specific key file that doubles as an innocuous image in a family album. That can speed up the boot and protect your password, but remember, security and usability are inverses of each other and encryption does nothing if you leave the computer on.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.

[Ryonez]

[Hu]

The most convenient approach for encryption is to have:

• sdX1 /boot
• sdX2 LUKS
  • LVM
    • /
    • /home (if separate from / -- recommended, but not required)
    • /var (if separate from / -- recommended, but not required)

Feel free to reorder the volumes within the LVM node. The important part is that unlocking the LUKS partition exposes the LVM, so that there is one LUKS key for all the filesystems. The other choice is to go:

• sdX1 /boot
• sdX2 LVM
  • LUKS
    • /
  • LUKS
    • /home
  • LUKS
    • /var

This design puts each filesystem in its own LUKS container, meaning you need a separate password or key for each filesystem.

In either case, you will want a swap volume if you expect to use hibernation. If you use swap, you should put it inside a LUKS container too. You can follow either of the two models above for where to put swap. I put it outside the LVM, so that I do not need to worry about the resume kernel accessing the LVM at all. That would produce this arrangement:

• sdX1 /boot
• sdX2 LUKS
  • LVM
    • /
    • (others omitted)
• sdX3 LUKS
  • swap

Again, reorder individual partitions as you like.

[Roman_Gruber]

[Ryonez]

To Hu, thank you for the diagrams. One question about swap, would that be needed for sleep mode as well?

To tw04l124 a couple of things.

1: As you already know from my other post regarding the init system, I've already chosen OpenRC. I don't need to be told what to use.
Granted my wording above did make it seems like a question. I've made it clearer and apologize if it caused confusion.

2: You're suggestion for a setup is a tad over the top. I'm not really interested in dual booting unless there is a very good reason too. And having an insecure OS installed would allow for a point to potentially attack from and chroot from.

3:

[Roman_Gruber]

[Ryonez]

Thanks tw04l124,

Your explanation for why you do a dual boot was informative. cheers.
I think I'll stick with just having Gentoo on it. The laptop wouldn't handle me playing media on it while Gentoo is building(Got another 2 computers to play stuff on anyways) and maintaining Mint manually down the road would be an extra hassle for me.

About LVM. I've found this page: https://wiki.gentoo.org/wiki/LVM#Features
After having a look though it, I'm not really sure if I'd get any benefits from having LUKS inside the LVM on a laptop. Could you please point out what features you see of being a benefit?

Regarding using a genkernel initramfs, that make a lot of sense. I'll probably go through what it makes and modify it as I need.

[Roman_Gruber]

Basically I was able to move my / while I was working. Than I physically moved it and rebooted and had my installation on an SSD.

Luks is unflexible. With lvm you can move the data junks as you like. Thats the reason why you hsould have luks inside an lvm thing and not lvm inside luks.
And you can make software raid and whatever you like afaik. but these are detail knowledge. I have not tweaked my lvm for ages, I may tell you half facts. Those linux server pages explain lvm quite in details but you need to find a good source for that.

Assume you have 3 harddiscs and you want to upgrade one harddisc / replace it. You just need to connect the new harddisc via usb (works most of the time) and move the physical extents, thats it. after you moved all of your physical extents that particular harddisc is unused and can be removed, the new harddisc needs to be phyiscal moved and thats it.

AFAIK you can also physically make a duplicate of your lvm setup. thats a real backup and not those fishy scripts or stage 4 where you need to bother to create partions and such. you just create a duplicate which you can just swap drives ...

As i mentioned eaerlier, please refer to the docs. I have not read / used about lvm for a few years now. My setup dates back to 2012 or earlier

I will never set up any of my boxes without an lvm setup. It has too many benefits and moving the data junks with ordinary file systems is not that easy as it seems.

e.g. https://www.howtoforge.com/linux_lvm_snapshots

[Ryonez]

[Hu]

Swap is not required to use S3 sleep, since RAM remains powered and therefore does not need to be written to swap. However, depending on the amount of RAM in the system, you may want a swap device for general usage. That swap device can do double duty as the hibernation area, provided that you do not hibernate while swap is heavily used.

[The Doctor]

Do keep in mind that if you sleep or hyphenate you are undoing your encryption protection. The protection only works so long as they have to decrypt the drive to read it. If they steel it with the key they can see everything you are trying to protect.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.

[HMC]

The scheme I use on all of my systems is full disk encryption with LVM on a LUKS encrypted DISK and boot from a USB key. The disk does not have a partition table, no volumes are visible and everything is encrypted except the LUKS header.

The commands are probably the simplest and most self explanatory howto: Fix it as required. The following is for a key that is entered manually during the boot process to open the drive.

Erase the disk:
dd if=/dev/urandom of=/dev/sda bs=1M
Wait a few days or there are other ways to do it including encrypting the disk with a temporary key and writing from /dev/zero...

DO NOT use fdisk.

Setup encrypted disk
cryptsetup -c aes-xts-plain -h whirlpool -s 512 luksFormat /dev/sda use the encryption scheme of your choice - this was chosen randomly for this example. You'll be prompted to type in a key.
cryptsetup luksOpen /dev/sda luks Enter the key.
pvcreate /dev/mapper/luks
vgcreate lvm /dev/mapper/luks
vgscan --mknodes
vgchange -ay
lvcreate -L<disk size in GB>G -n root lvm

Simple volume scheme on a 320GB(?) drive:
lvcreate -L40G -n root lvm
lvcreate -L4G -n swap lvm
lvcreate -L254G -n home lvm

File systems and mount:
mkfs.ext4 /dev/lvm/root
mkfs.ext4 /dev/lvm/home
mkswap /dev/lvm/swap
swapon /dev/lvm/swap
mount /dev/lvm/root /mnt/gentoo
mkdir /mnt/gentoo/home
mkdir /mnt/gentoo/boot
mount /dev/lvm/home /mnt/gentoo/home

Now off you go with the handbook...

To remount after a reboot (in case there are problems)

cryptsetup luksOpen /dev/sda lvm
vgscan --mknodes
vgchange -ay
mount /dev/lvm/root /mnt/gentoo
mount /dev/lvm/home /mnt/gentoo/home
swapon /dev/lvm/swap
then follow the handbook to chroot....


Some packages:
sys-fs/cryptsetup
sys-fs/lvm2
genkernel

Add support for LVM and DM-Crypt.

Multiple devices driver support (RAID and LVM)
<*> Device mapper support
[ ] Device mapper debugging support
<*> Crypt target support

CONFIG_BLK_DEV_DM=y
# CONFIG_DM_DEBUG is not set
CONFIG_DM_CRYPT=y

Cryptographic API
<*> SHA1 digest algorithm
<*> SHA224 and SHA256 digest algorithm
<*> XTS support (EXPERIMENTAL)
<*> AES cipher algorithms

CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_X86_64=y
whirlpool

Prepare a USB key:

fdisk /dev/sdX
mkfs.ext2 /dev/sdXn
e2label /dev/sdXn GENTOO_BOOT

fstab something like this:
LABEL=GENTOO_BOOT /boot ext2 noauto,noatime 1 2
/dev/mapper/lvm-root / ext4 noatime 0 1
/dev/mapper/lvm-swap none swap sw 0 0
/dev/mapper/lvm-home /home ext4 noatime 0 1


This method is supported by Genkernel so there is no rooting around on updates.

/etc/default/grub will want some kernel parameters:

crypt_root=/dev/sda root=/dev/mapper/lvm-root dolvm rootfstype=ext4
and in the default section... real_resume=/dev/mapper/lvm-swap


genkernel.conf will want some options:
LVM="yes" <<-- Important
LUKS="yes" <<-- Important
INSTALL="yes"
DISKLABEL="yes"
BOOTLOADER="grub2"


More advanced subjects are LUKS header relocation and key files...

Cheers

[Roman_Gruber]

Most unflexible setup out there.

you are unable to move your data, because hole disk is luks

and booting from usb stick is kinda not convinient. those who are knowledgeable enough do not need your key anyway so why bother booting from a fragile usb port?

encryption is only that you can dump your harddisc with not worring that someone may access your data. In case your harddisc does not work anymore. could be defective pcb but the data is still there. on ssd / hdd the firmware unmark sectors and than you have your data in plain there because you did not used encryption inthe first place when writing your data.

encryption is for that case that a windows noob want to use your device without your knowledge.

anyone else can dump the header and start cracking anyway the pass..

in your luks header htere is everything you start reverse engineering and afaik there is it several times on your disk.

when you are paranoid about your /boot, you should hash it and compare it on every bootup, much better.

Have you ever thought which spyware are in those Bios. especially lenovo had several issues with that. anyone with knowledge can compromise your hdd / bios whatever of your hardware and you will never see it. the point of these usb keys, to have grub and the kernel on it, is as useless as anything. make a hash sum and compare it after bootup, when you do not trust your environment.

[frostschutz]

[HMC]

[HMC]

[Ryonez]

This is a lot of information and ideas on how to do this.

Thank you, it's gonna take me a while, but after I try different things I'll post back here to let you know what I chose to do and why.

Current things to try:

1->

• sda1 /boot
• sda2 LVM
  • LUKS
    • /
    • /home
    • /var

2->

• sda1 /boot
• sda2 LUKS
  • LVM
    • /
    • /home
    • /var

Because it's to go on the laptop, I'm learning towards 2. This laptop doesn't support usb boot(at least I'm pretty sure it doesn't).
And when the LUKS volume is unlocked, the LVM features should all be available.

If this discussion has shown anything, it's that linux can bloody well do anything. Damn all those windows only games...

[Roman_Gruber]

Well wine may be your friend for some windows games.

I do not get hte point in hidng a partition. Why should anyone has a partition in a device without beeing used?

I never used HDD => LUKS => LVM So I can not say if the advanced features of lvm are such easy to use like in my setup HDD => LVM => LUKS => DATA.
I value Frostschutz opinion because he knew a lot about these things before I even used LUKS.

It just depends on the usability and paranoia. But I really doubt that these days you will get any decent hardware which you can trust. More annoyingly those lenovo notebooks have some open bios open source thing which may work, but lenovo is known for its spyware in bios. Others like Dell, Samsung are suspect to that.

Anyway up to you waht you choose.

I realized that it*s only feasable to encrypt the box as much that the ordinary windows noob, scriptkiddy won*t be able to access it. The government and others will point a gun at your head and ask for the usb key or the passphrase, so what ...

[Ryonez]

[szatox]

I'd go with lvm inside luks simply for convenience it offers. It's basicaly "launch and forget about LUKS".
The oposite is kinda "you know when you need it", like when you want to have a part of filesystem protected.

[Ryonez]

Right, I'm sorting out the Virtual Machine now. Could someone help with a guide for this set-up please?

• sda1 /boot
• sda2 LUKS
  • LVM
    • /
    • swap

I've got around 6 tabs open all with different information up, lot of it was written ages ago and my headache is getting worse...

I'd really appreciate it!

[khayyam]