Cnchi icon indicating copy to clipboard operation
Cnchi copied to clipboard

Published 20 hours ago verified publisher icon Antergos

Question: Full Disk Encryption

Open nyancat18 opened this issue 7 years ago • 10 comments

Does Cnchi supports full disk encryption?..

FDE: Encrypt system (/), user (/home/*) (swap) and /boot + encrypted grub

nyancat18 avatar Dec 01 '16 00:12 nyancat18

Each time I did installation:

  1. / encrypted
  2. /boot on external USB device I was getting error after installation: OS does not exists

I was able to do that on any Ubuntu'ish OSes.

rancherr avatar Dec 03 '16 21:12 rancherr

@triceratops1 Yes and no. If you do it in advanced mode, you can tell cnchi which partitions you want to encrypt. If you do it in automatic mode, it will encrypt / and /home

@rancherr I'm sure we never tried that... Will check it out asap and get back to you.

karasu avatar Dec 13 '16 06:12 karasu

This would be really amazing. I would like to use the Antergos installer more often, but this limitation of the installer makes me install Arch manually from the cli with it. Does Cnchi allow me to mount my own partition setup? That would be even better. lol Only /etc/default/grub and /etc/mkinitcpio.conf need to be modified to encrypt /boot, and a crypto_keyfile.bin should be made for the encrypt hook so it doesn't ask for the password again.

eturner avatar Feb 06 '17 19:02 eturner

Does Cnchi allow me to mount my own partition setup?

Yes, go to advanced partition mode and there you can select which partitions you want to use (as /boot, /, ....)

Only /etc/default/grub and /etc/mkinitcpio.conf need to be modified to encrypt /boot, and a crypto_keyfile.bin should be made for the encrypt hook so it doesn't ask for the password again.

Have you tried to encrypt your /boot in advanced partition mode?

karasu avatar Feb 07 '17 07:02 karasu

no :(

nyancat18 avatar Feb 08 '17 00:02 nyancat18

No, it doesn't work with the encrypted lvm setup I do. I always keep /boot on the root partition in a btrfs subvolume so I can do snapshots, but the installer requires a /boot partition and a separate one doesn't work either. If there were a way to just skip the partition creation in the installer by mounting them somewhere manually, that would be ideal for me. I could finish the setup manually as I already do. But having an encrypted /boot by itself doesn't seem too demanding, development wise.

Add the crypt hook and the optional /crypto_keyfile.bin to the FILES array in mkinitcpio.conf. Add "cryptdevice=UUID=$luks_volume_uuid" and "cryptkey=/crypto_keyfile.bin" to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub

Then make the crypto_keyfile.bin, and add it to the luks volume with dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin

'cryptodisk luks' should be added to preload modules in default/grub, but for myself it has worked without it.

I've never looked intensely at the Cnchi code, and I'm not much of a developer at all, but maybe I'll have a look. lol

virtualbox_linux_09_02_2017_14_14_03

eturner avatar Feb 09 '17 19:02 eturner

@karasu have you tried yet? My company requires me to use full encryption and boot device on external USB so it would be really nice to have this option . I am willing to test if needed

rancherr avatar Oct 10 '17 11:10 rancherr

@rancherr I'm afraid other matters got my attention... and this was forgotten. Do you need your usb /boot also to be encrypted?

karasu avatar Oct 10 '17 14:10 karasu

I am planning on trying Antegros (and recommending it to friends who want to use Arch), and full encryption is a must. My setup is almost the same as @eturner. Namely, an EFI partition with GRUB and an encrypted partition formatted btrfs with /boot as a folder in the / subvolume. I don't bother with swap disk, but would use an encrypted swap if provided. I don't use LVM, but could. Support for putting the EFI partition on USB is a plus. I think users who want to boot from USB only need grub on the USB.

I'm fine with a manual setup, if the installer can deal with /boot not being a partition.

I may be mistaken, but I think what eturner left out is that the GRUB package gets confused too and needs:

echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
grub-install  --target=x86_64-efi --efi-directory /boot/efi --bootloader=arch --boot-directory=/boot/efi/EFI/arch
grub-mkconfig -o /boot/efi/EFI/arch/grub/grub.cfg

Otherwise, grub itself knows how to add the cryptodisk module and set the paths.

almson avatar Oct 20 '17 16:10 almson

I think that should be supported. I did a test install of Manjaro Linux some time ago, they use https://calamares.io/ as a installer, its a universal Linux installer not specific to any distro.

Given he fact that they say:

Calamares does not aim to be the ultimate “standard” installer of the Linux desktop. Many distributions already have more mature system installer solutions, but some don’t, and that’s where Calamares can be of use.

I was surprised to see that it supports a very modern way of full disk encryption where boot is also encrypted I think. I am used to a unencrypted boot. Ubuntu installer does it this way for example.

You may just want to use Manjaro for now which is basically Arch without the rolling release model for the core stack if I got that right. There may also be some code in Calamares for Cnchi to copy.

nextgenthemes avatar Oct 29 '17 22:10 nextgenthemes