Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
Posted: Fri Jul 20, 2018 4:03 pm Post subject: Encrypted install
Hello, I have a question. I would like to try an encrypted Gentoo installation, but I have questions. How is it possible to encrypt my whole system with just one password? (I have 2 internal disks, HDD and SSD, and I need an EFI partition and tmpfs partitions.) And how do I configure GRUB?
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Jul 20, 2018 6:11 pm Post subject: Re: Encrypted install
Fulgurance wrote: Hello, I have a question. I would like to try an encrypted Gentoo installation, but I have questions. How is it possible to encrypt my whole system with just one password? (I have 2 internal disks, HDD and SSD, and I need an EFI partition and tmpfs partitions.) And how do I configure GRUB?
Fulgurance ... the ESP (EFI System Partition) can't be encrypted, and so you could use it to host your kernel and initramfs (required for an encrypted root). As for two disks, one password: the first disk is unlocked with the passphrase, and the second is unlocked with a key read from the first disk (at the initramfs stage). This requires that you modify your initramfs to do this ...
best ... khay
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
Posted: Fri Jul 20, 2018 7:05 pm Post subject:
For the second disk with the read key, have you got an example please?
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Jul 20, 2018 8:10 pm Post subject:
Fulgurance wrote: For the second disk with the read key, have you got an example please?
Fulgurance ... I don't, no, but it would simply be a case of having the 'init' within the initramfs call cryptsetup with the path to the key once the first disk is unlocked. I'm sure there are examples of this on the forum ... at least I seem to remember threads with this as the subject.
best ... khay
johngalt Apprentice
Joined: 09 Sep 2004 Posts: 258 Location: 3rd Rock
Posted: Fri Jul 20, 2018 9:38 pm Post subject:
Sakaki's EFI install makes use of an external key (with a fallback) that would be very similar to this, right?
_________________
desultory wrote: If you want to retain credibility as a functional adult; when you are told that you are acting boorishly, the correct response is to consider that possibility and act accordingly to correct that behavior.
Amen.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Fri Jul 20, 2018 10:59 pm Post subject:
johngalt wrote: Sakaki's EFI install makes use of an external key (with a fallback) that would be very similar to this, right?
johngalt ... without looking I couldn't say, but the use of a keyfile is straightforward: all you need do is modify the 'init' within whatever initramfs you use so that 'cryptsetup luksOpen' is run ... or, alternately, have it unlocked as part of /etc/init.d/dmcrypt (see: /etc/conf.d/dmcrypt).
HTH & best ... khay
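An added example (not code from this thread, and not from any initramfs project) of the init-stage sequence khay describes, for the two-disk case from the first post: the first disk is opened with the passphrase, the second with a keyfile read from the now-unlocked root, and the keyfile is rejected unless it is a root-owned mode-0600 file. The device paths, the keyfile path and the /newroot mount point are assumptions; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from this thread or from any initramfs project:
# the unlock sequence an initramfs 'init' would run so that one passphrase
# opens both disks. Assumed: root on the SSD (/dev/nvme0n1p2), home on the
# HDD (/dev/sda1), keyfile for home at /etc/keys/home.key on the root fs.
ROOT_DEV=${ROOT_DEV:-/dev/nvme0n1p2}
HOME_DEV=${HOME_DEV:-/dev/sda1}
NEWROOT=${NEWROOT:-/newroot}
KEYFILE=${KEYFILE:-/etc/keys/home.key}
DRY_RUN=${DRY_RUN:-0}   # 1 = print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Only accept a keyfile that is a regular file, mode 0600, owned by the user
# running init (root in the initramfs): anyone else who can read it could
# open the second disk without knowing the passphrase.
keyfile_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$(id -u)" ]
}

# First disk: interactive passphrase prompt, up to three attempts.
unlock_root() {
    n=0
    while [ "$n" -lt 3 ]; do
        if run cryptsetup luksOpen "$ROOT_DEV" root; then return 0; fi
        n=$((n + 1))
    done
    return 1
}

# Second disk: keyfile read from the now-unlocked root; if the keyfile is
# missing or badly protected, fall back to asking for a passphrase.
unlock_home() {
    if keyfile_ok "$1"; then
        run cryptsetup luksOpen --key-file "$1" "$HOME_DEV" home
    else
        echo "keyfile $1 unusable, falling back to passphrase" >&2
        run cryptsetup luksOpen "$HOME_DEV" home
    fi
}

main() {
    unlock_root || { echo "root unlock failed" >&2; exit 1; }
    run mount -o ro /dev/mapper/root "$NEWROOT"
    unlock_home "$NEWROOT$KEYFILE"
    # exec switch_root "$NEWROOT" /sbin/init would follow here
}
if [ "${0##*/}" = "init" ]; then main; fi
```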
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
Posted: Sun Jul 22, 2018 8:31 pm Post subject:
I have a problem. I have finished making all the encrypted LUKS partitions, and I have installed the Gentoo base, but when I launch the grub-install command, GRUB fails and tells me the groups home and root don't exist. It's strange because I don't use LVM.
For information, I have 3 partitions: the EFI partition, the home mapper and the root mapper.
ayeyes Tux's lil' helper
Joined: 03 Dec 2017 Posts: 104
Posted: Mon Jul 23, 2018 12:55 am Post subject:
Bliss-Initramfs makes doing an encrypted-with-boot install easy. Look at his guide for encrypted ZFS on how to add a keyfile. Dunno if it works for an EFI install though.
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
Posted: Mon Jul 23, 2018 11:09 am Post subject:
I haven't solved my problem; look at this log from grub:
Code:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Zohran
Installation pour la plate-forme x86_64-efi.
File descriptor 3 (/dev/nvme0n1p1) leaked on vgs invocation. Parent PID 21250: grub-install
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Volume group "root" not found
Cannot process volume group root
File descriptor 3 (/dev/nvme0n1p1) leaked on vgs invocation. Parent PID 21250: grub-install
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Volume group "root" not found
Cannot process volume group root
grub-install : erreur : disque « lvm/root » non disponible.
GRUB searches for an LVM volume but I don't use LVM ... why???
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Mon Jul 23, 2018 12:30 pm Post subject:
Fulgurance wrote: GRUB searches for an LVM volume but I don't use LVM ... why???
Fulgurance ... I'm not a grub user, but perhaps you have the 'device-mapper' USE flag set:
Code:
% equery -NC uses =sys-boot/grub-2.02-r1 | grep lvm2
 - - device-mapper : Enable support for device-mapper from sys-fs/lvm2
It seems that sys-fs/lvm2 is a dependency regardless:
Code:
% equery -NC depgraph =sys-boot/grub-2.02-r1 | grep lvm2
`-- sys-fs/lvm2-2.02.103 (>=sys-fs/lvm2-2.02.45) x86
best ... khay
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
Posted: Mon Jul 23, 2018 1:01 pm Post subject:
Thanks for your help. But no, sorry, this USE flag isn't enabled.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Mon Jul 23, 2018 3:37 pm Post subject:
Fulgurance wrote: Thanks for your help. But no, sorry, this USE flag isn't enabled :cry:
Fulgurance ... it wouldn't matter, because as I showed sys-fs/lvm2 is a hard dependency ... so you get it whether you're using lvm or not.
Again, I'm not a grub user, and looking at the grub-install manpage, and the gentoo wiki, I don't see what you might be doing wrong, or an obvious solution.
Can you post the output of 'lsblk -o +fstype,label'?
best ... khay
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
Posted: Mon Jul 23, 2018 4:04 pm Post subject:
I have emerged GRUB with this USE flag, and it's good, GRUB makes the boot entry!
But now, when I boot, I enter the partition password, and when I start Linux from the GRUB start screen, I get a kernel panic...
I think I forgot to configure something...
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Mon Jul 23, 2018 6:44 pm Post subject:
Fulgurance wrote: But now, when I boot, I enter the partition password, and when I start Linux from the GRUB start screen, I get a kernel panic...
Fulgurance ... again, I have no experience with grub2, but that seems like the wrong order: boot => grub2 => kernel/initramfs => cryptsetup luksOpen => password => init.
best ... khay
abduct Apprentice
Joined: 19 Mar 2015 Posts: 215
Posted: Mon Jul 23, 2018 9:59 pm Post subject:
I suggest starting over and following https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch_Simplified
It sounds like you have made some bad assumptions which are hampering your install. An FDE setup is not this complicated.
I also suggest increasing the partition size of /; 25GB is kind of small.
I also suggest using:
Code:
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha512
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
Posted: Tue Jul 24, 2018 10:42 am Post subject:
khayyam wrote: Fulgurance ... again, I have no experience with grub2, but that seems like the wrong order: boot => grub2 => kernel/initramfs => cryptsetup luksOpen => password => init.
best ... khay
Sorry, but entering the password before GRUB is mandatory. Impossible to change that... I think I have a problem with my configuration, but where? I don't understand ...
I use your recommended crypt settings, and my root partition has 125 GB xD
Would you like me to post my configuration files?
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Tue Jul 24, 2018 1:46 pm Post subject:
khayyam wrote: [...] again, I have no experience with grub2, but that seems like the wrong order: boot => grub2 => kernel/initramfs => cryptsetup luksOpen => password => init.
Fulgurance wrote: Sorry, but entering the password before GRUB is mandatory. Impossible to change that... I think I have a problem with my configuration, but where? I don't understand ...
Fulgurance ... huh? So you're expecting grub to luksOpen the encrypted root?
best ... khay
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1200
Posted: Tue Jul 24, 2018 2:33 pm Post subject:
It's good, thanks! I had just forgotten to build the initramfs with LUKS support.