FullDiskEncryption
Abstract: This page should help you set up a "fully" encrypted disk, for example on a laptop. Every time the machine is powered on, it asks for the boot password; after that the system boots through without a second passphrase prompt, because the initramfs reopens the volume with a keyfile it carries. Only the EFI system partition stays unencrypted.
I assume the machine to be installed with FDE is assigned the class "ENCRYPTED".
First, add the file class/ENCRYPTED.var:

FAI_KEEP_CRYPTKEYFILE=1
LUKS_PASS="YourBootPassword"

FAI_KEEP_CRYPTKEYFILE=1 makes setup-storage keep the LUKS keyfiles it generated (together with its crypttab) in $LOGDIR, so the hook below can move them into the target system. LUKS_PASS is stored in clear text in the config space: restrict who can read it, and change the passphrase on the installed machine afterwards (cryptsetup luksChangeKey).
then define the partitioning (here an EFI + LVM-on-LUKS example) in disk_config/ENCRYPTED:

disk_config disk1 disklabel:gpt bootable:1 fstabkey:uuid align-at:1M preserve_reinstall:2
p=efi /boot/efi 512M vfat rw,noatime,errors=remount-ro
p= - 1G- - -

disk_config cryptsetup
luks - disk1.2 - - lukscreateopts="--type=luks2"

disk_config lvm fstabkey:uuid preserve_reinstall:vgenc-bck,vgenc-home
vg vgenc disk1.2
vgenc-bck - 120M-128M ext4 noauto createopts="-L KEEPME"
vgenc-root / 12G-16G ext4 rw,noatime,errors=remount-ro
vgenc-sw - 2G-4G swap -
vgenc-var /var 8G-16G ext4 rw,noatime,errors=remount-ro
vgenc-home /home 2G- ext4 rw,noatime,errors=remount-ro

disk1.2 is formatted as a LUKS2 container and used as the only physical volume of the volume group vgenc. There is no separate /boot partition: /boot lives on vgenc-root inside the encrypted container, so the boot loader itself has to unlock the volume with the boot password.
and finally hooks/configure.ENCRYPTED:

#!/bin/sh
# hooks/configure.ENCRYPTED - requires class/ENCRYPTED.var
#
# setup-storage opened the LUKS volume with a random keyfile and, because of
# FAI_KEEP_CRYPTKEYFILE=1, left that keyfile and a crypttab in $LOGDIR.
# This hook adds the boot passphrase as a second keyslot, moves the keyfile
# into the target system and embeds it into the initramfs.
srctab="${LOGDIR}/crypttab"
tmptab="${LOGDIR}/crypttab.tmp"

mkdir -p /target/etc/keys
chmod 0700 /target/etc/keys

: > "$tmptab"
while read -r name dev keyfile x; do
    # Keyslot 9 holds the boot passphrase. It is forced to PBKDF2 because
    # GRUB (as of 2.06) can only unlock LUKS2 keyslots that use PBKDF2, and
    # GRUB is what opens the volume to load the kernel from /boot. The
    # keyfile slot created by setup-storage keeps the LUKS2 default KDF.
    yes "${LUKS_PASS}" | cryptsetup luksAddKey --key-slot=9 --pbkdf=pbkdf2 \
        --key-file "${keyfile}" "${dev}"
    # Relocate the keyfile from $LOGDIR to /etc/keys inside the target.
    newkeyfile="$(echo "${keyfile}" | sed "s:${LOGDIR}:/etc/keys:")"
    mv "${keyfile}" "/target/${newkeyfile}"
    chmod 0600 "/target/${newkeyfile}"
    echo "${name} ${dev} ${newkeyfile} ${x}" >> "$tmptab"
done < "$srctab"
mv "$tmptab" "$srctab"
cp "$srctab" /target/etc/crypttab

# Embed /etc/keys/* into the initramfs so the volume is reopened at boot
# without a second prompt. Because the initramfs now contains the key, it is
# built with umask 0077 so that only root can read it. The image itself sits
# in /boot on the encrypted root, so it is also protected at rest.
echo "KEYFILE_PATTERN=/etc/keys/*" >> /target/etc/cryptsetup-initramfs/conf-hook
echo "UMASK=0077" > /target/etc/initramfs-tools/conf.d/restrictperms.conf
$ROOTCMD update-initramfs -u
TODO: preserving encrypted partitions across a reinstall (the preserve_reinstall settings above) is still untested and MIGHT NOT WORK!
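A post-install check for the layout this hook produces, added here as an example; it is not part of FAI and not code from the original page. It assumes the installed tree is reachable under the directory given as its first argument (/target while the install is running, / on the installed machine) and that GNU stat is available. It verifies the properties the setup relies on: every crypttab entry unlocks with a keyfile under /etc/keys, that keyfile and its directory are root-only, the initramfs hooks are configured, and any built initramfs image is not world readable.

```shell
#!/bin/sh
# fde_check ROOT: verify the FDE layout of an installed tree.
# Prints one line per problem and returns 1 if any check failed, 0 otherwise.
# Example: fde_check /target   (during the FAI run)
#          fde_check /         (on the installed system)
fde_check() {
    root="${1:-/}"
    fail=0

    tab="$root/etc/crypttab"
    if [ ! -r "$tab" ]; then
        echo "missing $tab"
        return 1
    fi

    # Every mapping must use a keyfile that matches the KEYFILE_PATTERN
    # embedded into the initramfs; "none" would mean a second prompt.
    while read -r name dev keyfile opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$keyfile" in
            /etc/keys/*) ;;
            *) echo "$name: keyfile '$keyfile' is not under /etc/keys"; fail=1; continue ;;
        esac
        kf="$root$keyfile"
        if [ ! -f "$kf" ]; then
            echo "$name: keyfile $kf does not exist"; fail=1; continue
        fi
        mode=$(stat -c %a "$kf")
        [ "$mode" = "600" ] || { echo "$name: $kf has mode $mode, expected 600"; fail=1; }
    done < "$tab"

    mode=$(stat -c %a "$root/etc/keys")
    [ "$mode" = "700" ] || { echo "/etc/keys has mode $mode, expected 700"; fail=1; }

    # The two settings written by the configure hook.
    grep -qx 'KEYFILE_PATTERN=/etc/keys/\*' "$root/etc/cryptsetup-initramfs/conf-hook" 2>/dev/null \
        || { echo "KEYFILE_PATTERN=/etc/keys/* not set in cryptsetup-initramfs/conf-hook"; fail=1; }
    grep -qx 'UMASK=0077' "$root/etc/initramfs-tools/conf.d/restrictperms.conf" 2>/dev/null \
        || { echo "UMASK=0077 not set in initramfs-tools/conf.d/restrictperms.conf"; fail=1; }

    # Built initramfs images carry the keyfile, so they must be root-only.
    for img in "$root"/boot/initrd.img-*; do
        [ -e "$img" ] || continue
        mode=$(stat -c %a "$img")
        [ "$mode" = "600" ] || { echo "$img has mode $mode, expected 600"; fail=1; }
    done

    return "$fail"
}
```

Run it as root (the keyfiles are not readable otherwise). A non-zero exit after a fresh install usually means the hook did not run for this host, i.e. the ENCRYPTED class was not assigned.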