Skip to content

Instantly share code, notes, and snippets.

@warewolf warewolf/ Secret
Created Jun 3, 2015

What would you like to do?
Fedora 21 (or 22) Full Disk Encryption (including /boot!) How-To

Fedora 21 (or 22) Full Disk Encryption (including /boot!) How-To.

Note: This is not for the inexperienced! This is a very quick and dirty hack. If you don't know/understand how to use grub's rescue mode (the dreaded grub> prompt when things go bad) you will want to steer clear of this how-to.


  • A USB Flash drive (at least 500 MB)
  • A computer to install Fedora on
  • Install media (I leave this up to you, but I use iPXE, a modified version of robinsmidsrod's setup)

System Preparation

Unfortunately the Fedora installer steadfast refuses to let you format and create a brand new install with /boot on different media than what / is on. So you're going to have to drop to the rescue shell in the installer with Ctrl-Alt-F2.

Assuming your system's primary hard drive (SATA, SAS, whatevs) is /dev/sda, and your USB flash drive is /dev/sdb:

Make your whole-disk partition on /dev/sda:

  • fdisk /dev/sda
  1. Create a (n)ew partition: n<enter>
  2. Primary: p<enter>
  3. Partition #1: 1<enter>
  4. Starting Sector whatever (default): <enter>
  5. Ending Sector whatever (default): <enter>
  6. Change the partition type to e8 (Linux Luks): t e8<enter>
  7. Write the changes: w<enter>

Format the whole disk partition with Luks

  • cryptsetup luksFormat /dev/sda1 You'll type "YES" in all caps and then your password.
  • cryptsetup luksOpen /dev/sda1 crypted
  • pvcreate /dev/mapper/crypted
  • vgcreate vg_encrypted /dev/mapper/crypted

Create some basic partitions to be used by the installer later

  • lvcreate -n root -L 20G vg_encrypted
  • lvcreate -n swap -L 32G vg_encrypted
  • fdisk /dev/sdb - new, primary, 1st partition, default start, +500M end, w to write and quit.
  • mkfs.ext4 /dev/sdb1

Unmount everything

  • vgchange -an
  • cryptsetup luksClose /dev/sda1


If you did the above prep work from the installer, you may need to have it "re-scan" the disks during disk selection, or possibly reboot.

To re-scan: There's a little backwards-curve arrow (e.g. an "undo" button) that will have the installer go look at the disks again. This will cause it to discover that there's a Luks encrypted partition, and an already existing partition on the flash drive.

In the disk selection screen, select both the hard drive and USB flash drive for install targets. Select that you want to specify partitioning. It doesn't seem to matter if you select 'encrypt my data', because we'll be installing into an existing Luks container, and formatting volumes inside it.

Click 'Unknown' in the disk list, you should see Encrypted (LUKS) on the left, and a Passphrase: password box on the right. Enter the password you used to format the Luks container earlier.

You now should see the two LVM volumes we created earlier with lvcreate. Check the 'Reformat' checkbox on everything, set the Filesystem to ext4 for the / (root) LVM volume, do the same for the swap volume (make that one format as swap though), and then format /dev/sdb1 (the flash drive) as /boot.

Click done, and proceed through the install and reboot. Leave the USB flash drive plugged in. You may have to hit the <Esc> (escape) key during boot to see Fedora's unlock-encrypted-disk password prompt.

At this point the hard drive is encrypted, but the kernel and initial ram disk (in /boot) are not. Lets fix that:

Fixing the install

Now you've got a system installed that (oddly enough) put GRUB on /dev/sda (the internal HDD, not the USB flash drive), and depends on the files on the USB flash drive. I suppose the installer is smart enough to realize /dev/sda is "bios disk 0", the primary boot device. Anyway.

Move the contents of /boot to the encrypted root file system

Log in, click through the silly "Welcome to Fedora" and "How do I Computer?" Gnome-3 introduction, then Open a terminal, and become root (sudo su -).

  • umount /boot
  • mkdir /bootold
  • mount /dev/sdb1 /bootold
  • mv /bootold/* /boot
  • umount /bootold
  • rmdir /bootold

Now edit /etc/fstab, and remove the line that mounts /boot. That'll only get in the way of us booting off the internal HDD later.

Add the following line to /etc/default/grub


  • Rebuild the initial ramdisk with: dracut -f (why you ask? Because the initrd has references to the USB flash drive)
  • Rebuild the grub configuration with: grub2-mkconfig -o /boot/grub2/grub.cfg
  • Re-install grub to the boot sector with grub2-install /dev/sda

Remove the USB flash drive, and reboot! You should now be booting as securely as possible (without a TPM), the only thing that is unencrypted is grub in the boot sector.

Unlock the hard drive for grub during boot:

... Attempting to decrypt master key... Enter passphrase for hd0,msdos1 (9a54eaa8959d6f5ae80ca8aac4f6cc879e761bf4):

Then unlock the hard drive for the Linux kernel.

Most of this How-To is a Fedora-specific re-work of Credit given where credit is due.


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.