Linux: Full Disk Encryption

1,913 bytes added, 13:24, 30 June 2019
/* List of tested devices */
* BIOS: 09/17/2018 American Megatrends Inc. FLT2.
* TPM: Firmware-based TPM 2.0 implementation
== Installation ==
* Follow the standard installation procedure: choose time zone, hostname, username, password, etc.
* In the "Partition disks" dialog select the partitioning method "Guided - use entire disk and set up encrypted LVM".
* NOTE: advanced users can implement other partitioning schemes manually, for example:
** #1, size 200.0 MB, use as "EFI System Partition"
** #2, size 300.0 MB, use as "EXT4 journaling file system", mount point /boot
** #3, size 3.0 GB, use as "physical volume for encryption"
** Go to the "Configuring encrypted volumes" dialog and select partition #3 as the device to be encrypted
** You will be asked to enter an encryption passphrase for partition #3
** Back in the "Partition disks" dialog, find the newly created encrypted volume #1 and use it as "EXT4 journaling file system", mount point /
* Continue with package manager, software selection etc.
* Disconnect the installation media and reboot
* You will be asked for the passphrase of the encrypted disk; enter it manually and the boot process will continue.
* Login using previously selected username and password.
* NOTE: The PATH variable of the Debian installation should be fixed:
** Open /etc/profile and set PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
== Automated Decryption ==
* Clevis is a framework for automated decryption of data or automated unlocking of LUKS volumes.
$ su
$ apt install clevis-tpm2 clevis-luks clevis-dracut
* Test the TPM encryption module. The following example encrypts the words “Hello World!” with the tpm2 pin, writes the result to test.txt and decrypts it again. Give it a try!
$ echo Hello World! | clevis encrypt tpm2 '{}' > test.txt
$ cat test.txt
$ cat test.txt | clevis decrypt tpm2
Hello World!
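The file written by <code>clevis encrypt</code> is a compact JWE whose first, base64url-encoded segment is a plain JSON protected header recording the pin and its configuration. The POSIX shell helper below, added here as an example and not part of the original page or of Clevis, decodes that header so you can see what a token is bound to. It does not call clevis or touch a TPM: the sample token is constructed inline by encoding a header of the same shape, the values inside it (hash, key type) are assumptions, and the remaining segments are dummy placeholders. With the <code>'{}'</code> configuration used above the tpm2 pin applies its defaults, which include no PCR policy, and that is exactly the property the last function reports.

```shell
#!/bin/sh
# Added example: inspect the protected header of a Clevis compact JWE.
# Layout: BASE64URL(header).encrypted_key.iv.ciphertext.tag

# base64url -> standard base64 (swap alphabet, restore '=' padding), then decode
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the decoded protected header (JSON) of the JWE stored in file $1
jwe_header() {
  b64url_decode "$(tr -d '\n' < "$1" | cut -d. -f1)"
}

# Print the Clevis pin name ("tpm2", "tang", "sss") recorded in the header of $1
jwe_pin() {
  jwe_header "$1" | sed -n 's/.*"pin":"\([^"]*\)".*/\1/p'
}

# Print "yes" if the tpm2 pin configuration carries a PCR policy, otherwise "no".
# A header without "pcr_ids" (the result of the '{}' default configuration) means
# the secret is sealed to this TPM but not to a particular measured boot state.
jwe_has_pcr_policy() {
  if jwe_header "$1" | grep -q '"pcr_ids"'; then echo yes; else echo no; fi
}

# --- constructed sample ----------------------------------------------------
# Build a token of the same shape instead of calling clevis, so this runs without
# a TPM. The header field values are assumed; the other segments are dummies.
make_sample_jwe() {
  hdr='{"alg":"dir","clevis":{"pin":"tpm2","tpm2":{"hash":"sha256","key":"ecc"}},"enc":"A256GCM"}'
  enc=$(printf '%s' "$hdr" | base64 | tr -d '\n=' | tr '/+' '_-')
  printf '%s..AAAAAAAAAAAAAAAA.AAAA.AAAAAAAAAAAAAAAAAAAAAA\n' "$enc" > "$1"
}

SAMPLE_JWE=${TMPDIR:-/tmp}/clevis-sample.jwe
make_sample_jwe "$SAMPLE_JWE"
echo "pin:        $(jwe_pin "$SAMPLE_JWE")"
echo "pcr policy: $(jwe_has_pcr_policy "$SAMPLE_JWE")"
jwe_header "$SAMPLE_JWE"; echo
```

To inspect a real token, point the functions at test.txt (or any file produced by <code>clevis encrypt</code>) instead of the constructed sample.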
* Now it is time to set up automatic decryption of the existing encrypted root file system.
# First, show some information about the cryptographic setup of the encrypted partition:
$ cryptsetup luksDump /dev/sda3
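As an added example that is not part of the original page, the POSIX shell functions below summarise saved <code>cryptsetup luksDump</code> output into the facts worth checking before any automated-unlock keyslot is added: header version, data cipher, the PBKDF protecting each keyslot, and how many keyslots and tokens are already occupied (LUKS1 offers 8 keyslots, LUKS2 by default 32, and a passphrase slot should stay usable beside any automated one). The sample dump is constructed in the LUKS2 layout with the UUID, salts and digest omitted; on a real system save the output of the command above to a file and pass that file instead.

```shell
#!/bin/sh
# Added example: summarise `cryptsetup luksDump` output (LUKS2 layout, with the
# LUKS1 "Cipher name"/"Key Slot" lines handled as a fallback).

# LUKS header version ("1" or "2") from the saved dump in file $1
luks_version() {
  awk -F: '/^Version:/ { gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# Cipher of the first data segment (LUKS2) or "Cipher name"-"Cipher mode" (LUKS1)
luks_cipher() {
  awk -F: '
    /^[ \t]*cipher:/ { gsub(/[ \t]/, "", $2); print $2; exit }
    /^Cipher name:/  { gsub(/[ \t]/, "", $2); name = $2 }
    /^Cipher mode:/  { gsub(/[ \t]/, "", $2); print name "-" $2; exit }
  ' "$1"
}

# Entries listed under a top-level section such as "Keyslots:" or "Tokens:" ($2),
# i.e. lines of the form "  N: <type>" inside that section
luks_section_count() {
  awk -v want="$2" '
    /^[A-Za-z ]+:$/ { section = $1 }          # "Keyslots:", "Tokens:", "Digests:"
    section == want && /^  [0-9]+: / { n++ }
    END { print n + 0 }
  ' "$1"
}

# Occupied keyslots: LUKS2 lists them under "Keyslots:", LUKS1 as "Key Slot N: ENABLED"
luks_keyslot_count() {
  v1=$(grep -c '^Key Slot [0-9]*: ENABLED' "$1")
  v2=$(luks_section_count "$1" "Keyslots:")
  echo $(( v1 + v2 ))
}

# Tokens (LUKS2 only; this is where automated-unlock metadata ends up)
luks_token_count() {
  luks_section_count "$1" "Tokens:"
}

# Distinct PBKDFs used by the keyslots, comma separated
luks_pbkdfs() {
  awk -F: '/^[ \t]*PBKDF:/ { gsub(/[ \t]/, "", $2); print $2 }' "$1" \
    | sort -u | tr '\n' ',' | sed 's/,$//'
}

luks_summary() {
  echo "version=$(luks_version "$1") cipher=$(luks_cipher "$1") keyslots=$(luks_keyslot_count "$1") tokens=$(luks_token_count "$1") pbkdf=$(luks_pbkdfs "$1")"
}

# --- constructed sample dump (LUKS2, one passphrase keyslot, no tokens) -----
DUMP=${TMPDIR:-/tmp}/luksdump-sample.txt
cat > "$DUMP" <<'EOF'
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  4
        Memory:     1048576
        Threads:    4
        Salt:       (omitted in constructed sample)
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000
        Salt:       (omitted in constructed sample)
        Digest:     (omitted in constructed sample)
EOF

luks_summary "$DUMP"
```

The summary line is a compact baseline to record before changing the header; comparing it with a second run afterwards shows exactly which keyslots and tokens an automated-unlock setup added.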