View previous topic :: View next topic |
Author |
Message |
elover Apprentice
Joined: 20 Nov 2019 Posts: 170 Location: Spain
|
Posted: Sat Jul 06, 2024 12:01 pm Post subject: What would be the correct way to make an encrypted installat |
|
|
What would be the correct way to make an encrypted installation?
I currently have five SDD of different size, I don't know whether to do linear raid, or a LVM set with luks, three volumes root, home and swap.
The root would use btrfs, the home xfs, but now I don't know which luks to use, one or two?
I would also like to use secure boot, I can't decide whether to use systemd Openrc as init, I have used sbctl and I have had no problems, now I don't know if activating module signing, I can have video with nvidia or they sign with sbct, I have no idea.
If I use a fido2 key or smart card I understand that I have to use systemd? the manufacturer has a guide with fido2 + pin, is it possible to use instead of pin the fingerprint?
I currently have five SDD of different size, I don't know whether to do linear raid, or a LVM set with luks, three volumes root, home and swap.
The root would use btrfs, the home xfs, but now I don't know which luks to use, one or two?
I would also like to use secure boot, I can't decide whether to use systemd Openrc as init, I have used sbctl and I have had no problems, now I don't know if activating module signing, I can have video with nvidia or they sign with sbct, I have no idea.
If I use a fido2 key or smart card I understand that I have to use systemd? the manufacturer has a guide with fido2 + pin, is it possible to use instead of pin the fingerprint?
Finally, do I have to activate the uki, refind, dracut and modules-sign flags? |
|
Back to top |
|
|
Shadow_Fury Apprentice
Joined: 20 Apr 2021 Posts: 184 Location: 11.435765792823453, 143.05926743686274
|
Posted: Sat Aug 17, 2024 8:43 pm Post subject: |
|
|
elover wrote: |
The root would use btrfs, the home xfs, but now I don't know which luks to use, one or two?
|
Modern grub supports luks2, so i'd recommend that (assuming you're using grub).
elover wrote: |
If I use a fido2 key or smart card I understand that I have to use systemd? the manufacturer has a guide with fido2 + pin, is it possible to use instead of pin the fingerprint?
|
Yes, you do have to use systemd, unless you're prepared to build a custom initramfs to unlock your partitions (doable, and quite fun if you enjoy tinkering, but it can take a while, and tools that can talk to hardware keys are few and far between, so it can be somewhat difficult.) whether you can use the fingerprint option, i can't say for sure. This will depend on whether you can configure your key to use it as your authentication factor over the PIN.
elover wrote: |
I would also like to use secure boot, I can't decide whether to use systemd Openrc as init, I have used sbctl and I have had no problems, now I don't know if activating module signing, I can have video with nvidia or they sign with sbct, I have no idea.
|
This is somewhat more complex. if you just want UEFI secure boot, you can enroll your bootloader's EFI file (usually located in /boot/efi/EFI or similar) through the UEFI menu as a valid hashed file. the downside it that whenever you rebuild it you'll have to re-enroll the file. You could also enroll your own signing keys with your UEFI, though this is more complex and i'd recommend finding a good guide; that way, you can re-sign the bootloader's EFI file when you re-build it inside the OS (though keeping the private key on the system 100% of the time is inadvisable). As for systemd vs openRC, this shouldn't matter for in terms of just enabling UEFI secure boot, since that only touches the EFI file. Past that, it's the responsibility of said EFI file and everything downstream to enforce signatures.
to use a fully verified boot chain, it gets more complicated. it can be done (see here for how to do it with GRUB), but you may run into issues depending on how custom your Gentoo install is. Finally, if you want to enforce kernel module signing (a good thing to do), you will have to sign binary drivers, like nvidia's, for them to load. see here for how to do that (scroll down to "Kernel module signing") .
I hope this helps you
-S |
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 489
|
Posted: Sun Aug 18, 2024 8:35 am Post subject: |
|
|
Shadow_Fury wrote: | Modern grub supports luks2, so i'd recommend that (assuming you're using grub). |
And does Grub support all PBKDFs? As far as I know argon is not supported, which is the default for LUKS2.
But it looks like elover does not intend to encrypt /boot, so Grub does not need to understand LUKS at all. But I would opt for FDE with /boot, instead of a Do-it-yourself-Secure-Boot. |
|
Back to top |
|
|
Shadow_Fury Apprentice
Joined: 20 Apr 2021 Posts: 184 Location: 11.435765792823453, 143.05926743686274
|
Posted: Sun Aug 18, 2024 11:15 am Post subject: |
|
|
sMueggli wrote: | Shadow_Fury wrote: | Modern grub supports luks2, so i'd recommend that (assuming you're using grub). |
And does Grub support all PBKDFs? As far as I know argon is not supported, which is the default for LUKS2.
|
it doesn't yet, but you can set the PBKDF when making a partition, and migrating PBKDFs is simpler than migrating luks1 to luks2 (in my experience) |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|