Disk encryption in linux installation
Disk encryption in linux prevents a disk drive, like a hard drive or a portable USB storage device or laptop, from booting up unless the user inputs the correct authentication data. And here I'm going to talk about my preferred method of disk encryption while installing linux and see how it works?
The booting up process for an operating system involves the first section of the disk — the master boot record — informing the system of where to read the first file, which initiates the loading of the operating system. Without encryption, no special instructions are required to interpret the contents of the disk. By default, files are written in plain text.
When you use disk encryption, this process is modified. The contents of the disk (except for the master boot record) are encrypted using a modern symmetric cipher accessible via a secret key. The master boot record is modified so that it loads this system, which validates the authentication data from the user. If the authentication process is successful, the encryption key is unlocked.
This system, which varies between different implementations, stores the master key for the device. Authentication information might be a password, a public key-based token, or a fingerprint scan. Once the valid authentication data is read, the master key is decrypted. The master key then remains in the computer’s memory while it’s powered-on. This allows the operating system to first read the disk to boot up, as well as read any other disk contents the user requests while using the computer.
Who Uses Disk Encryption
The main motive of encryption is to keep your data and personal information safe from others. So If anyone other than you has any access to your computer, then in should be encrypted. Also, I highly recommend encrypting the portable devices like laptops and raspberry-pi that has a chance of getting lost, stolen or access by others.
My preferred method of disk encryption
So I do have a sigle hard drive in my computer so, I use LVM on LUKS encrypting all the filesystem and partitions excluding /boot partiton of grub bootloader. If you have multiple hard drives you may want to setup RAID I guess. Checkout arch wiki for more details about encryption types.
How to Set-up LVM on LUKS
Okay Let's directly talk about how we can setup my preferred encryption type for single storage device computers.
Partition your storage into two using GPT; First one is the boot partition of about 500MB and remaining the second.
Let's say /dev/sda2 is the second partition, then setup LUKS in /dev/sda2.
cryptsetup luksFormat /dev/sda2
cryptsetup open /dev/sda1 cryptlvm
It can be mapped to any name in place of
The decrypted container is now available at /dev/mapper/cryptlvm
Prepare the logical volumes a. Create a physical volume on top of the opened LUKS container:
b. Create a volume group (in this example named
groot, but it can be whatever you want) and add the previously created physical volume to it:
vgcreate groot /dev/mapper/cryptlvm
c. Create all your logical volumes for root, home, swap and others as per your requirements on the volume group:
lvcreate -L 8G groot -n swap
lvcreate -L 100G groot -n root
lvcreate -l 100%FREE groot -n home
Format your file systems
mkfs.fat -F 32 /dev/sda1(for your bootloader(boot partition))
Mount your filesystems:
mount /dev/groot/root /mnt
mount --mkdir /dev/groot/home /mnt/home
mount --mkdir /dev/sdb1 /mnt/boot
Now install the OS as you do normally and chroot into the newly installed system.
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck shutdown)
Configuring the boot loader
a. Get the UUID of /dev/sda2 (your LUKS partition) using blkid command.
The Output should seem like following:
/dev/sda2: UUID="27da5fec-b1f2-4b54-b2af-a2832d2c4522" TYPE="crypto_LUKS" PARTUUID="eeef0000-db63-5749-90d4-55c978558643"
b. Set the kernel parameter in boot loader (grub) in /etc/default/grub
It should seem like following:
Regenerate the initramfs
Regenerate grub config
grub-mkconfig -o /boot/grub/grub.cfg