Fedora 21 (or 22) Full Disk Encryption (including /boot!) How-To.
Note: This is not for the inexperienced! This is a very quick and dirty hack. If you don't know or understand how to use GRUB's rescue mode (the dreaded grub> prompt when things go bad), you will want to steer clear of this how-to.
- A USB Flash drive (at least 500 MB)
- A computer to install Fedora on
- Install media (I leave this up to you, but I use iPXE, a modified version of robinsmidsrod's setup)
Unfortunately the Fedora installer steadfastly refuses to let you format and create a brand new install with /boot on different media than what / is on. So you're going to have to drop to the rescue shell in the installer with
Assuming your system's primary hard drive (SATA, SAS, whatevs) is /dev/sda, and your USB flash drive is /dev/sdb:
Make your whole-disk partition on /dev/sda:
- Create a (n)ew partition:
- Partition #1:
- Starting Sector whatever (default):
- Ending Sector whatever (default):
- Change the partition type to e8 (Linux Luks):
- Write the changes:
Format the whole-disk partition with LUKS:
cryptsetup luksFormat /dev/sda1
You'll type "YES" in all caps and then your passphrase.
cryptsetup luksOpen /dev/sda1 crypted
vgcreate vg_encrypted /dev/mapper/crypted
Create some basic logical volumes to be used by the installer later:
lvcreate -n root -L 20G vg_encrypted
lvcreate -n swap -L 32G vg_encrypted
fdisk /dev/sdb: n (new), p (primary), partition 1, default start, +500M end, then w to write and quit.
Deactivate the volume group and close the LUKS container (luksClose takes the mapping name you gave luksOpen, not the partition, and it refuses while the VG still holds the device open):
vgchange -an vg_encrypted
cryptsetup luksClose crypted
If you did the above prep work from the installer, you may need to have it "re-scan" the disks during disk selection, or possibly reboot.
To re-scan: there's a little backwards-curve arrow (i.e. an "undo"-style button) that will have the installer go look at the disks again. This will cause it to discover that there's a LUKS encrypted partition, and an already existing partition on the flash drive.
In the disk selection screen, select both the hard drive and the USB flash drive as install targets. Select that you want to specify partitioning. It doesn't seem to matter if you select 'encrypt my data', because we'll be installing into an existing LUKS container and formatting volumes inside it.
Click 'Unknown' in the disk list; you should see Encrypted (LUKS) on the left, and a Passphrase: password box on the right. Enter the passphrase you used to format the LUKS container earlier.
You should now see the two LVM volumes we created earlier with lvcreate. Check the 'Reformat' checkbox on everything, set the filesystem to ext4 for the / (root) LVM volume, do the same for the swap volume (make that one format as swap though), and then format /dev/sdb1 (the flash drive) as
Click Done, and proceed through the install and reboot. Leave the USB flash drive plugged in. You may have to hit the <Esc> (escape) key during boot to see Fedora's unlock-encrypted-disk password prompt.
At this point the hard drive is encrypted, but the kernel and initial ramdisk (in /boot) are not. Let's fix that:
Fixing the install
Now you've got a system installed that (oddly enough) put GRUB on /dev/sda (the internal HDD, not the USB flash drive), and depends on the files on the USB flash drive. I suppose the installer is smart enough to realize /dev/sda is "BIOS disk 0", the primary boot device. Anyway.
Move the contents of /boot to the encrypted root filesystem
Log in, click through the silly "Welcome to Fedora" and "How do I Computer?" GNOME 3 introduction, then open a terminal and become root (sudo su -).
umount /boot
mkdir /bootold && mount /dev/sdb1 /bootold
mv /bootold/* /boot
The umount comes first because the installer's fstab still has /dev/sdb1 mounted on /boot; with the flash drive mounted there, the mv would just be moving files onto themselves instead of into the /boot directory on the encrypted root.
Now edit /etc/fstab and remove the line that mounts /boot. That'll only get in the way of us booting off the internal HDD later.
Add the following line to
- Rebuild the initial ramdisk with: dracut -f (why, you ask? Because the initrd has references to the USB flash drive)
- Rebuild the GRUB configuration with: grub2-mkconfig -o /boot/grub2/grub.cfg
- Re-install grub to the boot sector with
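The "Fixing the install" edits as a small POSIX shell script. This is an added example, not code from the original post: the fstab and GRUB-defaults edits are done with awk on whatever files you point the functions at, so you can try them on copies before touching /etc, and the three rebuild commands (the post's own) run through a DRY_RUN switch. The post leaves the GRUB line unnamed; the script assumes it is GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub, the setting grub2-mkconfig and grub2-install read to include the LUKS modules in GRUB's core image. The fstab contents are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): the config edits behind the
# "Fixing the install" steps, written as functions that take the file to edit
# as a parameter so they can be run on copies first.
# Assumption: the line to add to /etc/default/grub is GRUB_ENABLE_CRYPTODISK=y.

# drop_boot_mount <fstab>: remove every non-comment entry whose mount point is /boot
drop_boot_mount() {
  awk '$1 ~ /^#/ || $2 != "/boot" { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# count_boot_mounts <fstab>: how many active entries still mount /boot (0 after the edit)
count_boot_mounts() {
  awk '$1 !~ /^#/ && $2 == "/boot" { n++ } END { print n + 0 }' "$1"
}

# enable_cryptodisk <grub-defaults>: set GRUB_ENABLE_CRYPTODISK=y, replacing an
# existing GRUB_ENABLE_CRYPTODISK line or appending one; running it twice
# still leaves exactly one such line
enable_cryptodisk() {
  awk '/^GRUB_ENABLE_CRYPTODISK=/ { print "GRUB_ENABLE_CRYPTODISK=y"; done = 1; next }
       { print }
       END { if (!done) print "GRUB_ENABLE_CRYPTODISK=y" }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# run: execute a command, or only print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# rebuild_boot <disk>: the post's three rebuild steps, in order: a new initrd
# (no more flash-drive references), a new grub.cfg, GRUB back onto the boot sector
rebuild_boot() {
  run dracut -f
  run grub2-mkconfig -o /boot/grub2/grub.cfg
  run grub2-install "$1"
}

# write_sample_fstab <path>: a constructed fstab in the shape the installer leaves behind
write_sample_fstab() {
  cat > "$1" <<'EOF'
# constructed sample, not a real system's fstab
/dev/mapper/vg_encrypted-root /     ext4 defaults 1 1
UUID=0000-constructed-boot    /boot ext4 defaults 1 2
/dev/mapper/vg_encrypted-swap swap  swap defaults 0 0
EOF
}

# Demo on copies. For the real thing, run the same functions as root on
# /etc/fstab and /etc/default/grub, then rebuild_boot /dev/sda without DRY_RUN.
work=$(mktemp -d)
write_sample_fstab "$work/fstab"
drop_boot_mount "$work/fstab"
echo "/boot entries left in fstab: $(count_boot_mounts "$work/fstab")"
printf 'GRUB_TIMEOUT=5\n' > "$work/grub"
enable_cryptodisk "$work/grub"
cat "$work/grub"
DRY_RUN=1 rebuild_boot /dev/sda
```

The awk filters key on the second fstab field (the mount point) rather than on a substring, so an entry for /boot/efi or a comment mentioning /boot is left alone; only an entry that actually mounts /boot goes away.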
Remove the USB flash drive, and reboot! You should now be booting as securely as possible (without a TPM); the only thing that is unencrypted is GRUB in the boot sector.
Unlock the hard drive for GRUB during boot:
... Attempting to decrypt master key... Enter passphrase for hd0,msdos1 (9a54eaa8959d6f5ae80ca8aac4f6cc879e761bf4):
Then unlock the hard drive for the Linux kernel.
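A check that the move actually worked, i.e. that the kernel and initrd now live on a filesystem inside the LUKS container and not on some unencrypted partition. This is an added example, not part of the original post. It reads `lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME` output (the key="value" pairs form, real lsblk options) from a file, finds the device that holds /boot (or the root device when /boot is no longer its own mount point, which is the state after the fix) and walks the parent chain looking for a TYPE="crypt" device. The two lsblk listings embedded below are constructed samples of the before and after state; on a live system you would feed it the real output.

```shell
#!/bin/sh
# Added example (not from the original post): is the filesystem holding /boot
# stacked on top of a dm-crypt device? Input is a file of
# `lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME` lines.
#
# boot_is_encrypted <lsblk-pairs-file> [mountpoint]
#   exit 0: <mountpoint> (default /boot) is backed by a TYPE="crypt" device
#   exit 1: it is in the clear (e.g. still on the flash drive)
#   exit 2: neither <mountpoint> nor / appears in the listing
boot_is_encrypted() {
  awk -v mp="${2:-/boot}" '
    # pull one KEY="value" pair out of the current lsblk line
    function val(key,   s) {
      s = " " $0
      if (!match(s, " " key "=\"[^\"]*\"")) return ""
      return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
      k = val("KNAME"); type[k] = val("TYPE"); parent[k] = val("PKNAME")
      m = val("MOUNTPOINT"); if (m != "") dev[m] = k
    }
    END {
      # after the move, /boot is just a directory on the root filesystem,
      # so fall back to whatever is mounted on /
      d = (mp in dev) ? dev[mp] : dev["/"]
      if (d == "") exit 2
      while (d != "") { if (type[d] == "crypt") exit 0; d = parent[d] }
      exit 1
    }' "$1"
}

# Constructed sample: the state right after the installer finished, /boot on
# the unencrypted flash drive partition sdb1, root and swap on LVM over dm-crypt.
write_sample_before() {
  cat > "$1" <<'EOF'
KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sda1" TYPE="part" MOUNTPOINT="" PKNAME="sda"
KNAME="dm-0" TYPE="crypt" MOUNTPOINT="" PKNAME="sda1"
KNAME="dm-1" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-0"
KNAME="dm-2" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="dm-0"
KNAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sdb1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sdb"
EOF
}

# Constructed sample: after the fix, flash drive removed, /boot on the root LV.
write_sample_after() {
  cat > "$1" <<'EOF'
KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sda1" TYPE="part" MOUNTPOINT="" PKNAME="sda"
KNAME="dm-0" TYPE="crypt" MOUNTPOINT="" PKNAME="sda1"
KNAME="dm-1" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-0"
KNAME="dm-2" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="dm-0"
EOF
}

# Demo on the constructed samples. Live use:
#   lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME > /tmp/blk && boot_is_encrypted /tmp/blk
tmp=$(mktemp -d)
write_sample_before "$tmp/before"
write_sample_after "$tmp/after"
for f in before after; do
  if boot_is_encrypted "$tmp/$f"; then
    echo "$f: /boot is inside the LUKS container"
  else
    echo "$f: /boot is NOT encrypted (status $?)"
  fi
done
```

Walking PKNAME rather than matching device names means the check also holds for other stackings (LUKS directly under the root filesystem with no LVM, or LVM on top of LUKS on top of RAID), as long as a crypt device sits somewhere between the filesystem and the disk.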
Most of this How-To is a Fedora-specific re-work of http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/. Credit given where credit is due.