LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 03-31-2021, 06:16 PM   #1
lancsuk
Member
 
Registered: Jul 2019
Location: Burnley / UK
Distribution: Slackware current
Posts: 81

Rep: Reputation: 42
Uefi and full disk encryption with lvm on luks with luks keyfile


Hiya guys,

just for interest I have installed Slackware current on a vm with full disk encryption with lvm on luks.

Code:
sda1:      ef02    Bios   5MB
sda2:      ef00    EFI    160M
sda3:      8309    LUKS   100%FREE

Code:
cryptsetup luksFormat --type luks1 /dev/sda3
cryptsetup luksOpen /dev/sda3 slackpv0

pvcreate /dev/mapper/slackpv0
vgcreate slack /dev/mapper/slackpv0
lvcreate -C y -L 4GB -n swap slack
lvcreate -C n -L 20GB -n root slack
lvcreate -C n -l 100%FREE -n home slack
continue the installation with setup

Code:
cd /mnt
chroot /mnt /bin/bash -l
Code:
dd bs=512 count=4 if=/dev/random of=/root/slackpv.keyfile iflag=fullblock
chmod 000 /root/slackpv.keyfile
cryptsetup -v luksAddKey /dev/sda3 /root/slackpv.keyfile
Code:
cd /boot

rm initrd.gz

mkinitrd -c -k 5.10.27 -m ext4 -f ext4 -r /dev/slack/root -C /dev/sda3 -L -K /root/slackpv.keyfile -l gb
/etc/default/grub
Code:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx:slackpv0 root=/dev/slack/root cryptkey=rootfs:/root/slackpv.keyfile resume=/dev/slack/swap"
GRUB_ENABLE_CRYPTODISK=y
Code:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck
grub-mkconfig -o /boot/grub/grub.cfg
It acutally works but I still have to enter the passphrase twice.

I guess mkinitrd -K works just with vfat as a filesystem?

I know It makes no sense to install lvm on luks without passphrase on the root-filesystem, but I just would like to know how it works.


thanks

Last edited by lancsuk; 04-02-2021 at 03:50 PM.
 
Old 04-01-2021, 10:53 PM   #2
DaBrze
LQ Newbie
 
Registered: Mar 2018
Location: Lodz, PL
Distribution: Slackware
Posts: 14

Rep: Reputation: Disabled
I had the same problem some time ago. In short: you have to patch init file in the mkinitrd, and then put the crypto_kyefile.bin in the init ramdisk. I did it in this way:

# mkdir /tmp/initrd-tree
# tar xpzf /usr/share/mkinitrd/initrd-tree.tar.gz -C /tmp/initrd-tree
# cd /tmp/initrd-tree
# patch init < key_file_in_the_initrd_and_drive_unlocked_by_grub.diff
# mv /crypto_keyfile.bin ./
# tar cpzf /usr/share/mkinitrd/initrd-tree.tar.gz *

Create the initial ramdisk environment as you have done before (mkinitrd ...).

Modify in the /etc/default/grub the line accordingly:

GRUB_CMDLINE_LINUX="... cryptkey=/crypto_kyefile.bin ..."
GRUB_ENABLE_CRYPTODISK=y

Then you will have enter the passphrase once, just before grub menu, and then during the boot the crypto_kyefile.bin from initram disk will be used to unlock the whole disk .


Look here for patch: https://www.linuxquestions.org/quest...ml#post6235351

There is also another very usefull tutorial here https://unixsheikh.com/tutorials/rea...-and-uefi.html
 
1 members found this post helpful.
Old 04-02-2021, 02:43 PM   #3
lancsuk
Member
 
Registered: Jul 2019
Location: Burnley / UK
Distribution: Slackware current
Posts: 81

Original Poster
Rep: Reputation: 42
Thumbs up

Quote:
Originally Posted by DaBrze View Post
I had the same problem some time ago. In short: you have to patch init file in the mkinitrd, and then put the crypto_kyefile.bin in the init ramdisk. I did it in this way:

# mkdir /tmp/initrd-tree
# tar xpzf /usr/share/mkinitrd/initrd-tree.tar.gz -C /tmp/initrd-tree
# cd /tmp/initrd-tree
# patch init < key_file_in_the_initrd_and_drive_unlocked_by_grub.diff
# mv /crypto_keyfile.bin ./
# tar cpzf /usr/share/mkinitrd/initrd-tree.tar.gz *

Create the initial ramdisk environment as you have done before (mkinitrd ...).

Modify in the /etc/default/grub the line accordingly:

GRUB_CMDLINE_LINUX="... cryptkey=/crypto_kyefile.bin ..."
GRUB_ENABLE_CRYPTODISK=y

Then you will have enter the passphrase once, just before grub menu, and then during the boot the crypto_kyefile.bin from initram disk will be used to unlock the whole disk .


Look here for patch: https://www.linuxquestions.org/quest...ml#post6235351

There is also another very usefull tutorial here https://unixsheikh.com/tutorials/rea...-and-uefi.html
...brilliant, I will check it out.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Full Disk Encryption Luks with USB keyfile and fallback to passphrase Nikosis Debian 1 09-14-2020 09:02 AM
[SOLVED] Small / partition on OpenSUSE Tumbleweed with LVM+LUKS full disk encryption HowOriginal Linux - General 9 06-10-2018 06:32 AM
How to have luks encryption with keyfile OR passphrase (efi full disk encryption including boot)? byroncollege Linux - Security 2 03-30-2017 07:45 AM
Mint 18 Full disk encryption VS Veracrypt Full Disk encryption: Help a Noob Decide Please ! APeacefulRig Linux - Security 2 11-11-2016 08:10 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 09:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration