LinuxQuestions.org
Old 02-06-2019, 01:16 PM   #1
Nille_kungen
Question Encrypted install of current tips do and don't


I'm getting a new laptop in a few days and this time around I was thinking of an encrypted install.
Slackware has documents regarding crypto install, and the installation is not what I made this thread about, but rather tips and what to do and not to do.
What's a recommended install and the security of different options?
Someone that has been using encrypted installations that can give me some tips and what I should consider during this planning stage.
I can guess that there are some things that are better to do than other things and more practical to use.
I was thinking of encrypting everything, but maybe that's not the best thing to do.
The laptop will be a Ryzen 2500U based laptop with an SSD hard drive if it matters; maybe an encrypted install works better with more memory and there's a minimum recommended amount.
I never made an encrypted install before, but since a laptop can be stolen I wanted to do an encrypted install, but I also want to do it right so I don't regret anything later.
Is there anything about charset that I need to consider, like using LANG=sv_SE.UTF-8 in /etc/profile.d/lang.sh?

Last edited by Nille_kungen; 02-06-2019 at 01:19 PM.
 
Old 02-06-2019, 06:00 PM   #2
drumz
I followed the "Combining LUKS and LVM" section in README_CRYPT.TXT to have a totally encrypted system including swap.

One thing I would change is make a bigger /boot partition (which is the only unencrypted partition). The reason is I normally like to store the initrd source trees on boot, because, well, that seems sensible to me. However, I chose too small of a /boot for my laptop so they go in /usr/src/ instead. 500 MB should be more than enough for boot. If you don't want to store multiple initrd source trees on /boot, then 100 MB is plenty.

This is my /boot/prepare_boot_files.sh to create my initrd on my work PC (note how the initrd source tree is in /boot). My laptop is the same except initrd source is in /usr/src/.
Code:
#!/bin/sh
# prepare_boot_files.sh
#
# Integrate Intel microcode into initrd and run eliloconfig

# First run /usr/share/mkinitrd/mkinitrd_command_generator.sh and create an
# initrd. Also ensure /boot/vmlinuz points to the desired kernel.
KVER=4.19.19-etr
/usr/share/mkinitrd/mkinitrd_command_generator.sh -k $KVER -a "-F -s /boot/initrd-tree-$KVER -o /boot/initrd-$KVER.gz"

# No longer needed:
#cat /boot/intel-ucode.cpio /boot/initrd.orig.gz > /boot/initrd.gz
#eliloconfig

# Copy bzImage/vmlinuz and initrd to efi directory and update elilo.conf

# Copy vmlinuz and initrd.gz to USB boot disk

Note that I do NOT run eliloconfig; rather, the bzImage file and initrd contain the version number in them. I manually edit elilo.conf to point to those. I also use 8.3 naming convention on my EFI partition, so for example bzImage-4.19.19-etr.img becomes bz41919e.img and initrd-4.19.19-etr.gz becomes rd41919e.gz.

Also I don't have a separate /home. My only partitions are EFI, /boot, and /.

I've had no problems with my setup. I suggest going for it! I can't comment on the LANG setting. Mine is en_US.UTF-8.
 
Old 02-06-2019, 07:17 PM   #3
GazL
Note that if you're booting with EFI then you don't need an unencrypted /boot partition because it'll have the unencrypted EFI partition to store vmlinuz and the initrd files in. /boot can remain in the encrypted rootfs on EFI systems.

MBR/lilo booting will still require the /boot partition, as before.
 
Old 02-06-2019, 07:26 PM   #4
drumz
Quote:
Originally Posted by GazL View Post
Note that if you're booting with EFI then you don't need an unencrypted /boot partition because it'll have the unencrypted EFI partition to store vmlinuz and the initrd files in. /boot can remain in the encrypted rootfs on EFI systems.

MBR/lilo booting will still require the /boot partition, as before.

Ah yes, I knew I was forgetting something... I typed up my answer at work, and my work computer uses an EFI partition. My personal laptop, however (which is the subject of my post), uses lilo.

Thanks for pointing that out!
 
Old 02-06-2019, 08:11 PM   #5
deNiro
Quote:
Originally Posted by Nille_kungen View Post
I'm getting a new laptop in a few days and this time around I was thinking of an encrypted install.
Slackware has documents regarding crypto install, and the installation is not what I made this thread about, but rather tips and what to do and not to do.
What's a recommended install and the security of different options?
Someone that has been using encrypted installations that can give me some tips and what I should consider during this planning stage.
I can guess that there are some things that are better to do than other things and more practical to use.
I was thinking of encrypting everything, but maybe that's not the best thing to do.
The laptop will be a Ryzen 2500U based laptop with an SSD hard drive if it matters; maybe an encrypted install works better with more memory and there's a minimum recommended amount.
I never made an encrypted install before, but since a laptop can be stolen I wanted to do an encrypted install, but I also want to do it right so I don't regret anything later.
Is there anything about charset that I need to consider, like using LANG=sv_SE.UTF-8 in /etc/profile.d/lang.sh?

First of all you have to ask yourself what kind of protection you need (by encrypting that data). If you want to protect yourself from the NSA or the Mossad or if you are a high value target, you might wanna consider full disk encryption, or even use a different OS :P. If it is just for theft or loss of the laptop, I would go for encrypted /home and perhaps encrypted swap, since that is protection enough against loss or theft. Encrypting only your /home is also more convenient for later operations like backup, or installing/compiling a new kernel. Personally I only encrypt my /home.

Now for the technical part. Since you have an SSD, you probably want to allow discard on that encrypted partition (although again, theoretically, this tampers with security), to allow fstrim to run on that encrypted volume.

To allow this you should put the discard option in your "/etc/crypttab" like this (where crypthome is just how I name my encrypted home container):

"crypthome /dev/sda2 none luks,discard"


Edit: The above line only enables trimming, so you still have to either trim manually or with a script, or use real-time trimming with the discard option in /etc/fstab.

Last edited by deNiro; 02-06-2019 at 08:39 PM.
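
Added example (not part of deNiro's post or the thread): a small shell check of the two settings described above, reporting for a given mapping whether TRIM is blocked, continuous, or still needs a periodic fstrim. It assumes the volume is opened from /etc/crypttab; cryptswap, cryptdata, /dev/sda3, /dev/sda4 and the function names are made up for the sample.

```shell
#!/bin/sh
# Added example (not from the thread): how TRIM reaches an SSD through dm-crypt.

# has_discard FILE KEY: succeed if the entry whose first field is KEY lists
# "discard" in its fourth (options) field. Comment and blank lines are skipped.
has_discard() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        $1 == key {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "discard") found = 1
        }
        END { exit(found ? 0 : 1) }' "$1"
}

# trim_status CRYPTTAB FSTAB NAME: print one of
#   blocked     crypttab lacks "discard", so discards are not passed through
#   continuous  both files have "discard": the filesystem trims on delete
#   periodic    crypttab allows it, but fstrim must be run by hand or a script
trim_status() {
    if ! has_discard "$1" "$3"; then
        echo blocked
    elif has_discard "$2" "/dev/mapper/$3"; then
        echo continuous
    else
        echo periodic
    fi
}

# Constructed sample files; only the crypthome line comes from the post.
make_sample() {
    cat > "$1/crypttab" <<'EOF'
# name     device     password  options
crypthome  /dev/sda2  none      luks,discard
cryptswap  /dev/sda3  none      swap
cryptdata  /dev/sda4  none      luks,discard
EOF
    cat > "$1/fstab" <<'EOF'
/dev/mapper/crypthome  /home  ext4  defaults          1 2
/dev/mapper/cryptdata  /data  ext4  defaults,discard  1 2
/dev/mapper/cryptswap  swap   swap  defaults          0 0
EOF
}

demo=$(mktemp -d) && make_sample "$demo"
for name in crypthome cryptswap cryptdata; do
    echo "$name: $(trim_status "$demo/crypttab" "$demo/fstab" "$name")"
done
rm -rf "$demo"
```

On a real system, point trim_status at /etc/crypttab and /etc/fstab; a "periodic" result is the case the Edit above describes.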
 
Old 02-07-2019, 12:18 AM   #6
phalange
Quote:
Originally Posted by Nille_kungen View Post
I'm getting a new laptop in a few days and this time around I was thinking of an encrypted install.

I made several entries in my blog about encrypted boot, meant to be a supplement to slackdocs. You may find some of this useful:

https://andrewpayne.gitlab.io/somethingslinux/
 
  


All times are GMT -5. The time now is 02:53 PM.
