@juangiordana
Last active September 29, 2023 21:03
Full disk encryption with LVM on top of LUKS.

I had wanted to explore disk encryption on Linux for a long time, so I decided to give it a try. After reading up on the topic, I settled on full disk encryption with LVM volumes on top of LUKS, so that if the computer is lost, not even the partition layout is exposed to potential threats.

Since the whole disk will contain encrypted data that the BIOS cannot understand, a separate device is a requirement for this setup: a primary active partition must be available for the BIOS to hand the boot process over to the boot loader.

Benefits:

  • Deniable encryption, because the hard drive will only contain unidentifiable encrypted data.
  • A form of two-factor authentication, because the LUKS header will be stored on the external device.
  • Flexible partition manipulation with LVM.
  • LUKS advantages such as multiple passphrases and key derivation.

Additional security can be attained by instead storing the encrypted master key in a keyfile on e.g. a USB stick. This provides two-factor authentication: accessing the encrypted data now requires something only you know (the passphrase) and additionally something only you have (the keyfile).

Disk layout.

+--------------------+------------------+--------------------+ +--------------------------+
| Volume 1: swap     | Volume 2: root   | Volume 3: home     | | Boot device              |
| swap               | /                | /home              | | /boot                    |
| /dev/lmde/swap     | /dev/lmde/root   | /dev/lmde/home     | | /dev/sdb1                |
|--------------------+------------------+--------------------| |--------------------------|
| LVM: lmde volume group                                     | | Primary Active partition |
|------------------------------------------------------------| |--------------------------|
| LUKS formatted hard drive                                  | | USB stick                |
+------------------------------------------------------------+ +--------------------------+

Virtual machine setup.

Since the purpose of this setup is to be mainly a desktop computer, I decided to use Linux Mint Debian Edition: LMDE 2 "Betsy" - Cinnamon (64-bit) at the time of writing.

All of these procedures can be easily tested inside a virtual machine and, once you are comfortable with the setup, the same steps can be reproduced on a real system.

So I started by creating a new Debian (64-bit) based Linux virtual machine in VirtualBox and, after completing the wizard, went to the storage settings to attach an additional 2 GB hard drive that will be responsible for holding the /boot partition.

Settings > Storage > Controller SATA > Add new hard disk > 2 GB hard disk

  • LMDE 2 "Betsy" - Cinnamon (64-bit Debian based Linux virtual machine)
  • 2048 MB RAM
  • 20 GB hard disk (encrypted disk).
  • 2 GB hard disk (boot disk).

Booting into a LiveCD system

After booting into the LiveCD system, open up a terminal, become root and inspect the disks.

sudo su -

gdisk -l /dev/sda
gdisk -l /dev/sdb

Prepare the partitions.

# Boot stick: GPT label, one partition spanning the device, marked bootable.
parted -s /dev/sdb mklabel gpt
parted -s /dev/sdb mkpart primary 2048s 100%
parted -s /dev/sdb set 1 boot on
# Detached LUKS header kept in a file instead of at the start of /dev/sda. LMDE 2's cryptsetup
# writes a LUKS1 header, which fits in 2 MiB; newer cryptsetup defaults to LUKS2, whose header
# needs a bigger file (or pass --type luks1).
truncate -s 2M ~/header.img
cryptsetup luksFormat /dev/sda --header ~/header.img
cryptsetup open --header ~/header.img --type luks /dev/sda cryptodisk
cryptsetup luksDump ~/header.img
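To confirm that header.img really holds the LUKS header and that /dev/sda itself shows no LUKS signature (the "unidentifiable" property this layout relies on), here is an added Python example, not part of the original gist, that decodes the LUKS1 header fields the way luksDump prints them, including the per-keyslot salts the post script refers to. The header bytes it checks against are constructed inline; nothing is read from a real disk.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"   # 6-byte signature at offset 0 of every LUKS header
LUKS1_PHDR_LEN = 592           # size of the fixed LUKS1 header (phdr) in bytes
KEYSLOT_ACTIVE = 0x00AC71F3    # keyslot state markers from the LUKS1 on-disk format
KEYSLOT_DISABLED = 0x0000DEAD

def has_luks_signature(data: bytes) -> bool:
    """True if a device or file starts with the LUKS magic, i.e. is identifiable as LUKS."""
    return data[:6] == LUKS_MAGIC

def parse_luks1_header(data: bytes) -> dict:
    """Decode the LUKS1 phdr fields, a minimal read-only equivalent of `cryptsetup luksDump`."""
    if len(data) < LUKS1_PHDR_LEN or not has_luks_signature(data):
        raise ValueError("not a LUKS header (a data disk with a detached header looks like this)")
    (version,) = struct.unpack(">H", data[6:8])
    if version != 1:
        raise ValueError(f"only LUKS1 headers are decoded here, got version {version}")

    def cstr(field: bytes) -> str:       # fixed-width, NUL-terminated text field
        return field.split(b"\0", 1)[0].decode()

    payload_offset, key_bytes = struct.unpack(">II", data[104:112])
    slots = []
    for i in range(8):                   # 8 keyslots of 48 bytes each, starting at offset 208
        off = 208 + 48 * i
        state, iterations = struct.unpack(">II", data[off:off + 8])
        slots.append({"slot": i, "active": state == KEYSLOT_ACTIVE,
                      "iterations": iterations, "salt": data[off + 8:off + 40].hex()})
    return {"cipher": cstr(data[8:40]), "mode": cstr(data[40:72]), "hash": cstr(data[72:104]),
            "payload_offset_sectors": payload_offset, "key_bytes": key_bytes,
            "uuid": cstr(data[168:208]), "keyslots": slots}

def check_detached_layout(header: bytes, disk: bytes) -> dict:
    """Verify the layout above: the header file is LUKS, the data disk carries no signature."""
    hdr = parse_luks1_header(header)
    return {"disk_unidentifiable": not has_luks_signature(disk),
            "active_keyslots": [s["slot"] for s in hdr["keyslots"] if s["active"]]}

def sample_header() -> bytes:
    """Constructed LUKS1 header (not read from a real disk): aes-xts-plain64, one active keyslot."""
    slot0 = struct.pack(">II", KEYSLOT_ACTIVE, 200000) + bytes(range(32)) + struct.pack(">II", 8, 4000)
    dead = struct.pack(">II", KEYSLOT_DISABLED, 0) + bytes(32) + struct.pack(">II", 0, 0)
    return (LUKS_MAGIC + struct.pack(">H", 1) + b"aes".ljust(32, b"\0")
            + b"xts-plain64".ljust(32, b"\0") + b"sha256".ljust(32, b"\0")
            + struct.pack(">II", 4096, 64) + bytes(20) + bytes(32) + struct.pack(">I", 1000)
            + b"0d2fcd5a-0000-4000-8000-000000000000".ljust(40, b"\0") + slot0 + dead * 7)
```

On a real system, pass the first 592 bytes of ~/header.img and of /dev/sda to check_detached_layout (reading the raw disk needs root).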

Fill the device with random data (optional).

You can overwrite any previously stored information on the device with random data. Writing zeros through the mapping is enough: what lands on /dev/sda is their ciphertext, which is indistinguishable from random data.

# Writes through the mapping, so the disk ends up holding ciphertext rather than zeros.
dd if=/dev/zero of=/dev/mapper/cryptodisk bs=1M status=progress

LVM

pvcreate /dev/mapper/cryptodisk
vgcreate lmde /dev/mapper/cryptodisk
lvcreate -L 2G -n swap lmde
lvcreate -L 10G -n root lmde
lvcreate -l +100%FREE -n home lmde

Create filesystems.

mkfs.vfat -n EFI /dev/sdb1

mkswap -L swap /dev/mapper/lmde-swap
mkfs.btrfs -L root /dev/mapper/lmde-root
mkfs.btrfs -L home /dev/mapper/lmde-home

Install LMDE 2.

Select advanced mode, because we're doing manual partitioning. Do not opt in to installing the GRUB 2 boot loader, because we'll have to do that later anyway.

mkdir /target
mount /dev/mapper/lmde-root /target
mkdir -p /target/{boot/efi,home}

mount /dev/sdb1 /target/boot/efi
mount /dev/mapper/lmde-home /target/home
mount -o bind /proc /target/proc
mount -o bind /dev /target/dev
mount -o bind /sys /target/sys
# mount -t proc proc /target/proc
# mount --rbind /sys /target/sys
# mount --rbind /dev /target/dev

# Stay outside the chroot for now; the paths below are on the live system.
cp /target/etc/crypttab{,.original}
cat > /target/etc/crypttab << "EOF"
# <target name> <source device>     <key file>  <options>
# /dev/sda is the LUKS data disk (the device passed to luksFormat); /dev/sdb is the boot stick.
# header= points the initramfs at the detached header. Assumed here: header.img has been copied
# onto the boot stick (that step is not shown above) and crypttab(5) on this system supports header=.
cryptodisk /dev/sda none luks,header=/boot/efi/header.img

EOF
cp /target/etc/fstab{,.original}
cat > /target/etc/fstab << "EOF"
# The boot stick is /dev/sdb1 (see the layout above), not /dev/sda1.
/dev/sdb1 /boot/efi vfat defaults,noauto 0 2

/dev/mapper/lmde-swap swap swap sw 0 0
/dev/mapper/lmde-root / btrfs defaults,errors=remount-ro 0 1
# /home was formatted with mkfs.btrfs above, so its type is btrfs, not xfs.
/dev/mapper/lmde-home /home btrfs defaults 0 2

proc    /proc   proc    defaults    0   0

EOF
cp /target/etc/default/grub{,.original}
cat > /target/etc/default/grub << "EOF"
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX=""
GRUB_ENABLE_CRYPTODISK=y

# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"

EOF
chroot /target
update-initramfs -k all -c
update-grub
# Install GRUB on the boot stick, never on /dev/sda: that disk must stay unidentifiable encrypted
# data, and a boot sector there would give it away (and may overwrite the LUKS payload).
grub-install /dev/sdb
exit

# Finish installation
# Reboot
# Done
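The crypttab and fstab above are easy to get wrong: naming the boot partition on the wrong one of /dev/sda and /dev/sdb, or leaving the detached header somewhere the initramfs cannot reach before the disk is unlocked. The following added Python check, not part of the original gist, cross-checks the two files for exactly those mistakes; the sample files it runs on are constructed to mirror this layout, and header= is assumed to be the Debian crypttab(5) option.

```python
import re

def _rows(text: str):
    """Yield the whitespace-split fields of each non-comment line (fstab and crypttab share this shape)."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()

def whole_disk(dev: str) -> str:
    """Strip a partition number: /dev/sdb1 -> /dev/sdb. Anything else is returned unchanged."""
    m = re.fullmatch(r"(/dev/[sv]d[a-z])\d*", dev)
    return m.group(1) if m else dev

def lint(crypttab: str, fstab: str) -> list:
    """Cross-check crypttab(5) against fstab(5) for the layout above: plain (non-mapper) mounts
    must not sit on the encrypted disk, and a detached header (header=) must be reachable from
    a plain mount, since it is needed before anything encrypted can be opened."""
    problems = []
    crypt = [(f[0], f[1], f[3].split(",") if len(f) > 3 else []) for f in _rows(crypttab)]
    plain = [(f[0], f[1]) for f in _rows(fstab)
             if f[0].startswith("/dev/") and not f[0].startswith("/dev/mapper/")]
    encrypted = {whole_disk(src) for _, src, _ in crypt}
    for dev, mnt in plain:
        if whole_disk(dev) in encrypted:
            problems.append(f"{mnt}: {dev} lies on the encrypted disk {whole_disk(dev)}")
    for name, src, opts in crypt:
        hdr = next((o[len("header="):] for o in opts if o.startswith("header=")), None)
        if hdr is None:
            problems.append(f"{name}: no header= option, so the LUKS header must be on {src} itself")
        elif not any(hdr.startswith(mnt.rstrip("/") + "/") for _, mnt in plain):
            problems.append(f"{name}: header {hdr} is not under a plain mount, unreachable before unlock")
    return problems

# Constructed sample configs (not copied from a running system), modelled on the layout above.
GOOD_CRYPTTAB = "cryptodisk /dev/sda none luks,header=/boot/efi/header.img\n"
GOOD_FSTAB = """/dev/sdb1 /boot/efi vfat defaults,noauto 0 2
/dev/mapper/lmde-swap swap swap sw 0 0
/dev/mapper/lmde-root / btrfs defaults,errors=remount-ro 0 1
/dev/mapper/lmde-home /home btrfs defaults 0 2
proc /proc proc defaults 0 0
"""
# Two pitfalls in one pair: the boot partition named on the encrypted disk, and no header= at all.
BAD_CRYPTTAB = "cryptodisk /dev/sda none luks\n"
BAD_FSTAB = "/dev/sda1 /boot/efi vfat defaults,noauto 0 2\n/dev/mapper/lmde-root / btrfs defaults 0 1\n"
```

Run lint() on the contents of /target/etc/crypttab and /target/etc/fstab before leaving the live system; an empty list means both checks passed.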

References:

organize these

  • https://askubuntu.com/questions/918021/encrypted-custom-install
  • https://vitobotta.com/2018/01/11/ubuntu-full-disk-encryption-manual-partitioning-uefi/
  • https://www.gnu.org/software/grub/manual/grub/grub.html#Device-syntax
  • http://grub.johnlane.ie/grubby-usb.html
  • https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system

Post script:

Cryptsetup FAQ > Security aspects.

The LUKS header contains a 256 bit "salt" per key-slot and without that no decryption is possible. While the salts are not secret, they are key-grade material and cannot be reconstructed. This is a cryptographically strong "cannot". From observations on the cryptsetup mailing-list, people typically go through the usual stages of grief (Denial, Anger, Bargaining, Depression, Acceptance) when this happens to them. Observed times vary between 1 day and 2 weeks to complete the cycle. Seeking help on the mailing-list is fine. Even if we usually cannot help with getting back your data, most people found the feedback comforting.

Source: Cryptsetup FAQ > Security aspects

Xkcd > Security.

Security

Actual actual reality: nobody cares about his secrets. (Also, I would be hard-pressed to find that wrench for $5.)

Source: https://xkcd.com/538/
