Difference between revisions of "Linux: Full Disk Encryption"
From fit-PC wiki
Revision as of 06:51, 1 July 2019
Overview
The idea is to encrypt the partition holding the root filesystem with LUKS and to store the keys in the TPM.
During boot the user does not have to enter a decryption passphrase; the partition is decrypted automatically using the keys held in the TPM.
It is an open-source alternative to Windows BitLocker.
- LUKS (Linux Unified Key Setup) is a full-volume encryption scheme and the standard for Linux hard disk encryption
- TPM (Trusted Platform Module) is a dedicated microcontroller designed to secure hardware through integrated cryptographic keys
List of tested devices
The guide was tested on a system with the specs listed below, but should be easily adaptable.
- Device: fitlet2
- OS: Debian GNU/Linux testing (buster)
- ISO: debian-buster-DI-rc2-amd64-netinst.iso
- Kernel: 4.19.0-5-amd64
- BIOS: 09/17/2018 American Megatrends Inc. FLT2.0.46.01.00
- TPM: Firmware based TPM 2.0 implementation
Installation
- Follow the standard installation procedure - choose timezone, hostname, username, password etc.
- In the "Partition disks" dialog you can choose an automatic or a manual partitioning scheme:
  - Automatic - select "Guided - use entire disk and set up encrypted LVM"
    - The partition scheme will be defined automatically
    - You will be asked for the passphrase of the encrypted disk
  - Manual (advanced), for example:
    - #1, size 200.0 MB, use as "EFI System Partition"
    - #2, size 300.0 MB, use as "EXT4 journaling file system", mount point /boot
    - #3, size 3.0 GB, use as "physical volume for encryption"
    - Go to "Configuring encrypted volumes" and select partition #3 as the device to be encrypted
    - You will be asked to enter the encryption passphrase for partition #3
    - In "Partition disks" find the newly created encrypted volume #1 and use it as "EXT4 journaling file system", mount point /
- Continue with package manager, software selection etc.
- Disconnect the installation media and reboot
- You will be asked for the passphrase of the encrypted disk; enter it manually and the boot process will continue
- Login using previously selected username and password.
- NOTE: The PATH definition in the /etc/profile should be fixed:
  # /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
  # and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
  export PATH
  ...
Automated Decryption
- Clevis is a framework for automated decryption of data or automated unlocking of LUKS volumes.
  $ su
  Password:
  $ apt install clevis-tpm2 clevis-luks clevis-dracut
- Test the TPM encryption module: the following example encrypts the words “Hello World!” and writes them to test.txt, then decrypts them again. Give it a try!
  $ echo Hello World! | clevis encrypt tpm2 '{}' > test.txt
  $ cat test.txt
  $ cat test.txt | clevis decrypt tpm2
  Hello World!
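An added example (not from the fit-PC wiki) that inspects what test.txt actually contains: a compact JWE whose first field is a base64url JSON header naming the Clevis pin and, for tpm2, whether the key was sealed to a PCR policy, which the '{}' config above does not request. The function names `jwe_header`, `jwe_pin` and `jwe_has_pcr_policy` and the sample headers are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the fit-PC wiki): inspect the Clevis JWE that
# "clevis encrypt tpm2" writes (e.g. test.txt above). The first dot-separated
# field of a compact JWE is a base64url-encoded JSON header that records the
# pin and its configuration, so it can be checked without a TPM present.
# Assumption: the header is compact JSON (no whitespace), as Clevis emits it.

# Decode the base64url protected header of a compact JWE.
jwe_header() {
    hdr=$(printf '%s' "$1" | cut -d. -f1 | tr '_-' '/+')
    # base64url drops '=' padding; restore it before decoding.
    case $(( ${#hdr} % 4 )) in
        2) hdr="${hdr}==" ;;
        3) hdr="${hdr}=" ;;
    esac
    printf '%s' "$hdr" | base64 -d
}

# Name of the Clevis pin that sealed the key ("tpm2", "tang", "sss", ...).
jwe_pin() {
    jwe_header "$1" | sed -n 's/.*"pin":"\([^"]*\)".*/\1/p'
}

# Exit 0 when the tpm2 pin is bound to a PCR policy, 1 when it is not.
# With the '{}' config used above no "pcr_ids" is recorded: the TPM will then
# unseal the key for any software running on that machine, not only for the
# boot chain that was measured when the key was sealed.
jwe_has_pcr_policy() {
    jwe_header "$1" | grep -q '"pcr_ids"'
}

# Constructed sample headers (a real Clevis header also carries the sealed
# jwk_pub/jwk_priv blobs, omitted here); the remaining JWE fields are dummies.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
JWE_UNBOUND="$(b64url '{"alg":"dir","clevis":{"pin":"tpm2","tpm2":{"hash":"sha256","key":"ecc"}},"enc":"A256GCM"}')..iv.ct.tag"
JWE_PCR="$(b64url '{"alg":"dir","clevis":{"pin":"tpm2","tpm2":{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"7"}},"enc":"A256GCM"}')..iv.ct.tag"

for jwe in "$JWE_UNBOUND" "$JWE_PCR"; do
    if jwe_has_pcr_policy "$jwe"; then
        echo "pin=$(jwe_pin "$jwe") pcr-bound=yes"
    else
        echo "pin=$(jwe_pin "$jwe") pcr-bound=no (any software on this host can unseal it)"
    fi
done
```

Run it against the real file with `jwe_pin "$(cat test.txt)"` to see which pin and policy protect the sealed key.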
- Now it is time to set up automatic decryption of the existing encrypted root file system.
  1. Try this command to show some information about the cryptographic setup of the encrypted partition:
     $ cryptsetup luksDump /dev/sda3