Difference between revisions of "Full Disk Encryption"

From NixOS Wiki
Jump to: navigation, search
m (Added further reading link with a guide on FDE using detached LUKS header and separate boot partition)
m (fixing small issue in boot config, canTouchEfiVariables is under efi)
 
(8 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 
There are a few options for full disk encryption.
 
There are a few options for full disk encryption.
  
= Basic Installation =
+
= Enter password on Boot (LVM on LUKS) =
 +
 
 +
In this example, everything except for the <code>/boot</code> partition is encrypted.
 +
This includes the root and swap partitions.
 +
A password must be entered during boot to unlock the encrypted filesystems.
 +
 
 +
The main drive (here the <code>sda</code> block device) will need two partitions:
 +
# An unencrypted <code>/boot</code> partition (EFI system partition) formatted as FAT.
 +
# A LUKS-encrypted logical volume group for everything else (swap and <code>/</code>).
 +
 
 +
When unlocked and mounted, it will look like this:
 +
 
 +
<syntaxhighlight lang="text">
 +
NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
 +
sda            8:0    0 233.8G  0 disk
 +
├─sda1          8:1    0  500M  0 part  /boot
 +
└─sda2          8:2    0 233.3G 0 part
 +
  └─root      254:0    0 233.3G  0 crypt
 +
    ├─vg-swap 254:1    0    8G  0 lvm  [SWAP]
 +
    └─vg-root 254:2    0 225.3G  0 lvm  /
 +
</syntaxhighlight>
 +
 
 +
The initrd needs to be configured to unlock the encrypted <code>/dev/sda2</code> partition during stage 1 of the boot process.
 +
To do this, add the following options (replacing <code>UUID-OF-SDA2</code> with the actual UUID of the encrypted partition <code>/dev/sda2</code>. -- You can find it using <code>lsblk -f</code> or <code>sudo blkid -s UUID /dev/sda2</code>.)
 +
 
 +
<syntaxhighlight lang="nix">
 +
    boot = {
 +
      loader = {
 +
        efi.canTouchEfiVariables = true;
 +
        grub = {
 +
          enable = true;
 +
          device = "nodev";
 +
          efiSupport = true;
 +
        };
 +
      };
 +
      initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";
 +
    };
 +
</syntaxhighlight>
 +
 
 +
With <code lang="nix">initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";</code>, the initrd knows it must unlock <code>/dev/sda2</code> before activating LVM and proceeding with the boot process.
  
 
= Unattended Boot via USB =
 
= Unattended Boot via USB =
Line 8: Line 47:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
dd if=/dev/urandom of=hdd.key bs=4096 count=1
+
dd if=/dev/random of=hdd.key bs=4096 count=1
 
cryptsetup luksAddKey /dev/sda1 ./hdd.key
 
cryptsetup luksAddKey /dev/sda1 ./hdd.key
 
</syntaxhighlight>
 
</syntaxhighlight>
 
== Option 1: Write key onto the start of the stick ==
 
== Option 1: Write key onto the start of the stick ==
  
This will make the usb-stick unusable for any other operations than being used for decryption. Write they key onto the stick: <code>dd if=hdd.key of=/dev/sdb</code>.
+
This will make the usb-stick unusable for any other operations than being used for decryption. Write they key onto the stick:
 +
 
 +
<syntaxhighlight lang="bash">
 +
dd if=hdd.key of=/dev/sdb
 +
</syntaxhighlight>
  
 
Then add the following configuration to your <code>configuration.nix</code>:
 
Then add the following configuration to your <code>configuration.nix</code>:
Line 31: Line 74:
 
         keyFile = "/dev/sdb";
 
         keyFile = "/dev/sdb";
 
       };
 
       };
  };
 
}</syntaxhighlight>
 
As of right now (2017-08-18) the NixOS options do not provide means to hide a key after the MBR as described in [https://bbs.archlinux.org/viewtopic.php?id=158507 this article in the archlinux forums]. More specificially you will need to be able to provide a keyOffset
 
 
With NixOS 20.04 the syntax has changed slightly:
 
<syntaxhighlight lang="nix">{
 
  "..."
 
 
  boot.initrd.luks.devices.luksroot = {
 
    device = "/dev/disk/by-id/<disk-name>-part2";
 
    allowDiscards = true;
 
    keyFileSize = 4096;
 
    # pinning to /dev/disk/by-id/usbkey works
 
    keyFile = "/dev/sdb";
 
 
   };
 
   };
 
}</syntaxhighlight>
 
}</syntaxhighlight>
 
  
 
== Option 2: Copy Key as file onto a vfat usb stick ==
 
== Option 2: Copy Key as file onto a vfat usb stick ==
Line 78: Line 106:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
== Option 3: Full disk encryption (encrypted /boot) with password ==
 
 
Partition formatting will be : one partition with LVM on LUKS, and the other in FAT. (EFI partition)
 
The LVM partition contains both the swap and the root filesystem.
 
This only works with LUKS1 partition because Grub doesn't know LUKS2, so make sure to pass the argument --type luks1 to cryptsetup when creating the LUKS partition.
 
 
<syntaxhighlight lang="bash">
 
NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
 
sda            8:0    0 233.8G  0 disk
 
├─sda1          8:1    0  500M  0 part  /boot/efi
 
└─sda2          8:2    0 233.3G  0 part
 
  └─root      254:0    0 233.3G  0 crypt
 
    ├─vg-swap 254:1    0    8G  0 lvm  [SWAP]
 
    └─vg-root 254:2    0 225.3G  0 lvm  /
 
</syntaxhighlight>
 
 
- mount your EFI partition (here /dev/sda1) as /boot/efi.
 
- generate your nixos config
 
- add the following options : (replace TODO by the UUID in /dev/disk/by-uuid pointing to the partition containing the encrypted part. -- You can also do lsblk -f.)
 
<syntaxhighlight lang="nix">
 
    boot.loader.efi.canTouchEfiVariables = true;
 
    boot.loader.grub = {
 
      enable = true;
 
      version = 2;
 
      device = "nodev";
 
      efiSupport = true;
 
      enableCryptodisk = true;
 
    };
 
    boot.loader.efi.efiSysMountPoint = "/boot/efi";
 
    boot.initrd.luks.devices = {
 
        root = {
 
          device = "/dev/disk/by-uuid/TODO";
 
          preLVM = true;
 
        };
 
    };
 
</syntaxhighlight>
 
 
= zimbatm's laptop recommendation =
 
= zimbatm's laptop recommendation =
  
 
Let's say that you have a GPT partition with EFI enabled. You might be booting on other OSes with it. Let's say that your disk layout looks something like this:
 
Let's say that you have a GPT partition with EFI enabled. You might be booting on other OSes with it. Let's say that your disk layout looks something like this:
  
<syntaxhighlight lang="bash">
+
<syntaxhighlight lang="text">
 
   8        0  500107608 sda
 
   8        0  500107608 sda
 
   8        1    266240 sda1      - the EFI partition
 
   8        1    266240 sda1      - the EFI partition
Line 130: Line 122:
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
# format the disk with the luks structure
+
# format the partition with the luks structure
$ cryptsetup luksFormat /dev/sda4
+
cryptsetup luksFormat /dev/sda4
 
# open the encrypted partition and map it to /dev/mapper/cryptroot
 
# open the encrypted partition and map it to /dev/mapper/cryptroot
$ cryptsetup luksOpen /dev/sda4 cryptroot
+
cryptsetup luksOpen /dev/sda4 cryptroot
 
# format as usual
 
# format as usual
$ mkfs.ext4 -L nixos /dev/mapper/cryptroot
+
mkfs.ext4 -L nixos /dev/mapper/cryptroot
 
# mount
 
# mount
$ mount /dev/disk/by-label/nixos /mnt
+
mount /dev/disk/by-label/nixos /mnt
$ mkdir /mnt/boot
+
mkdir /mnt/boot
$ mount /dev/sda1 /mnt/boot
+
mount /dev/sda1 /mnt/boot
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Line 188: Line 180:
 
}
 
}
 
</syntaxhighlight>
 
</syntaxhighlight>
 +
 +
= Unlocking secondary drives =
 +
 +
Consider the following example: a secondary hard disk <code>/dev/sdb</code> is to be LUKS-encrypted and unlocked during boot, in addition to <code>/dev/sda</code>.
 +
 +
Encrypt the drive and create the filesystem on it (LVM is used in this example):
 +
<syntaxhighlight lang="bash">
 +
cryptsetup luksFormat --label CRYPTSTORAGE /dev/sdb
 +
cryptsetup open /dev/sdb cryptstorage
 +
pvcreate /dev/mapper/cryptstorage
 +
vgcreate vg-storage /dev/mapper/cryptstorage
 +
lvcreate -l 100%FREE -n storage vg-storage
 +
mkfs.ext4 -L STORAGE /dev/vg-storage/storage
 +
</syntaxhighlight>
 +
 +
To unlock this device on boot in addition to the encrypted root filesystem, there are two options:
 +
 +
=== Option 1: Unlock before boot using a password ===
 +
 +
Set the following in <code>configuration.nix</code> (replacing <code>UUID-OF-SDB</code> with the actual UUID of <code>/dev/sdb</code>):
 +
<syntaxhighlight lang="nix">
 +
{
 +
  boot.initrd.luks.devices.cryptstorage.device = "/dev/disk/by-uuid/UUID-OF-SDB";
 +
}
 +
</syntaxhighlight>
 +
During boot, a password prompt for the second drive will be displayed. Passwords previously entered are tried automatically to also unlock the second drive. This means that if you use the same passwords to encrypt both your main and secondary drives, you will only have to enter it once to unlock both.
 +
 +
The decrypted drive will be unlocked and made available under <code>/dev/mapper/cryptstorage</code> for mounting.
 +
 +
One annoyance with this approach is that reusing entered passwords only happens on the initial attempt. If you mistype the password for your main drive on the first try, you will now have to re-enter it twice, once for the main drive and again for the second drive, even if the passwords are the same.
 +
 +
=== Option 2: Unlock after boot using crypttab and a keyfile ===
 +
 +
Alternatively, you can create a keyfile stored on your root partition to unlock the second drive just before booting completes. This can be done using the <code>/etc/crypttab</code> file (see manpage <code>crypttab(5)</code>).
 +
 +
First, create a keyfile for your secondary drive, store it safely and add it as a LUKS key:
 +
<syntaxhighlight lang="bash">
 +
dd bs=512 count=4 if=/dev/random of=/root/mykeyfile.key iflag=fullblock
 +
chmod 400 /root/mykeyfile.key
 +
cryptsetup luksAddKey /dev/sdb /root/mykeyfile.key
 +
</syntaxhighlight>
 +
 +
Next, create <code>/etc/crypttab</code> in <code>configuration.nix</code> using the following option (replacing <code>UUID-OF-SDB</code> with the actual UUID of <code>/dev/sdb</code>):
 +
<syntaxhighlight lang="nix">
 +
{
 +
  environment.etc.crypttab.text = ''
 +
    cryptstorage UUID=UUID-OF-SDB /root/mykeyfile.key
 +
  ''
 +
}
 +
</syntaxhighlight>
 +
 +
With this approach, the secondary drive is unlocked just before the boot process completes, without the need to enter its password.
 +
 +
Again, the secondary drive will be unlocked and made available under <code>/dev/mapper/cryptstorage</code> for mounting.
  
 
= Further reading =
 
= Further reading =
Line 196: Line 242:
 
* Have a look at https://wiki.archlinux.org/index.php/Disk_encryption to see all the possible options. This wiki page is not complete.
 
* Have a look at https://wiki.archlinux.org/index.php/Disk_encryption to see all the possible options. This wiki page is not complete.
 
* [https://gist.github.com/ladinu/bfebdd90a5afd45dec811296016b2a3f Installation with encrypted /boot]
 
* [https://gist.github.com/ladinu/bfebdd90a5afd45dec811296016b2a3f Installation with encrypted /boot]
* [[Remote LUKS Unlocking|Using Tor and SSH to unlock your LUKS Disk over the internet]].
+
* [[Remote disk unlocking|Using Tor and SSH to unlock your LUKS Disk over the internet]].
 +
* [[Bcachefs]], filesystem which supports native encryption

Latest revision as of 11:13, 9 April 2024

There are a few options for full disk encryption.

Enter password on Boot (LVM on LUKS)

In this example, everything except for the /boot partition is encrypted. This includes the root and swap partitions. A password must be entered during boot to unlock the encrypted filesystems.

The main drive (here the sda block device) will need two partitions:

  1. An unencrypted /boot partition (EFI system partition) formatted as FAT.
  2. A LUKS-encrypted logical volume group for everything else (swap and /).

When unlocked and mounted, it will look like this: 

NAME          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda             8:0    0 233.8G  0 disk
├─sda1          8:1    0   500M  0 part  /boot
└─sda2          8:2    0 233.3G  0 part
  └─root      254:0    0 233.3G  0 crypt
    ├─vg-swap 254:1    0     8G  0 lvm   [SWAP]
    └─vg-root 254:2    0 225.3G  0 lvm   /

The initrd needs to be configured to unlock the encrypted /dev/sda2 partition during stage 1 of the boot process. To do this, add the following options (replacing UUID-OF-SDA2 with the actual UUID of the encrypted partition /dev/sda2. -- You can find it using lsblk -f or sudo blkid -s UUID /dev/sda2.) 

    boot = {
      loader = {
        efi.canTouchEfiVariables = true;
        grub = {
          enable = true;
          device = "nodev";
          efiSupport = true;
        };
      };
      initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";
    };

With initrd.luks.devices.cryptroot.device = "/dev/disk/by-uuid/UUID-OF-SDA2";, the initrd knows it must unlock /dev/sda2 before activating LVM and proceeding with the boot process.

Unattended Boot via USB

Sometimes it is necessary to boot a system without needing an keyboard and monitor. You will create a secret key, add it to a key slot and put it onto an USB stick. 

dd if=/dev/random of=hdd.key bs=4096 count=1
cryptsetup luksAddKey /dev/sda1 ./hdd.key

Option 1: Write key onto the start of the stick

This will make the usb-stick unusable for any other operations than being used for decryption. Write they key onto the stick: 

dd if=hdd.key of=/dev/sdb

Then add the following configuration to your configuration.nix: 

{
  "..."

  # Needed to find the USB device during initrd stage
  boot.initrd.kernelModules = [ "usb_storage" ]; 

  boot.initrd.luks.devices = {
      luksroot = {
         device = "/dev/disk/by-id/<disk-name>-part2";
         allowDiscards = true;
         keyFileSize = 4096;
         # pinning to /dev/disk/by-id/usbkey works
         keyFile = "/dev/sdb";
      };
  };
}

Option 2: Copy Key as file onto a vfat usb stick

If you want to use your stick for other stuff or it already has other keys on it you can use the following method by Tzanko Matev. Add this to your configuration.nix: 

let
  PRIMARYUSBID = "b501f1b9-7714-472c-988f-3c997f146a17";
  BACKUPUSBID = "b501f1b9-7714-472c-988f-3c997f146a18";
in {

  "..."

  # Kernel modules needed for mounting USB VFAT devices in initrd stage
  boot.initrd.kernelModules = ["uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1"];

  # Mount USB key before trying to decrypt root filesystem
  boot.initrd.postDeviceCommands = pkgs.lib.mkBefore ''
    mkdir -m 0755 -p /key
    sleep 2 # To make sure the usb key has been loaded
    mount -n -t vfat -o ro `findfs UUID=${PRIMARYUSBID}` /key || mount -n -t vfat -o ro `findfs UUID=${BACKUPUSBID}` /key
  '';

  boot.initrd.luks.devices."crypted" = {
    keyFile = "/key/keyfile";
    preLVM = false; # If this is true the decryption is attempted before the postDeviceCommands can run
  };
}

zimbatm's laptop recommendation

Let's say that you have a GPT partition with EFI enabled. You might be booting on other OSes with it. Let's say that your disk layout looks something like this: 

   8        0  500107608 sda
   8        1     266240 sda1       - the EFI partition
   8        2      16384 sda2
   8        3  127388672 sda3
   8        4  371409920 sda4    - the NixOS root partition
   8        5    1024000 sda5

Boot the NixOS installer and partition things according to your taste. What we are then going to do is prepare sda4 with a luks encryption layer: 

# format the partition with the luks structure
cryptsetup luksFormat /dev/sda4
# open the encrypted partition and map it to /dev/mapper/cryptroot
cryptsetup luksOpen /dev/sda4 cryptroot
# format as usual
mkfs.ext4 -L nixos /dev/mapper/cryptroot
# mount
mount /dev/disk/by-label/nixos /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot

Now keep installing as usual, nixos-generate-config should detect the right partitioning. You should have something like this in your /etc/nixos/hardware-configuration.nix: 

{ # cut
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/5e7458b3-dcd2-49c6-a330-e2c779e99b66";
      fsType = "ext4";
    };

  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/d2cb12f8-67e3-4725-86c3-0b5c7ebee3a6";

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/863B-7B32";
      fsType = "vfat";
    };

  swapDevices = [ ];
}

To create a swap add the following in your /etc/nixos/configuration.nix: 

{
  swapDevices = [{device = "/swapfile"; size = 10000;}];
}

Perf test

# compare
nix-shell -p hdparm --run "hdparm -Tt /dev/mapper/cryptroot"
# with
nix-shell -p hdparm --run "hdparm -Tt /dev/sda1"

I had to add a few modules to initrd to make it fast. Since cryptroot is opened really early on, all the AES descryption modules should already be made available. This obviously depends on the platform that you are on. 

{
   boot.initrd.availableKernelModules = [
    "aesni_intel"
    "cryptd"
  ];
}

Unlocking secondary drives

Consider the following example: a secondary hard disk /dev/sdb is to be LUKS-encrypted and unlocked during boot, in addition to /dev/sda.

Encrypt the drive and create the filesystem on it (LVM is used in this example): 

cryptsetup luksFormat --label CRYPTSTORAGE /dev/sdb
cryptsetup open /dev/sdb cryptstorage
pvcreate /dev/mapper/cryptstorage
vgcreate vg-storage /dev/mapper/cryptstorage
lvcreate -l 100%FREE -n storage vg-storage
mkfs.ext4 -L STORAGE /dev/vg-storage/storage

To unlock this device on boot in addition to the encrypted root filesystem, there are two options:

Option 1: Unlock before boot using a password

Set the following in configuration.nix (replacing UUID-OF-SDB with the actual UUID of /dev/sdb): 

{
  boot.initrd.luks.devices.cryptstorage.device = "/dev/disk/by-uuid/UUID-OF-SDB";
}

During boot, a password prompt for the second drive will be displayed. Passwords previously entered are tried automatically to also unlock the second drive. This means that if you use the same passwords to encrypt both your main and secondary drives, you will only have to enter it once to unlock both.

The decrypted drive will be unlocked and made available under /dev/mapper/cryptstorage for mounting.

One annoyance with this approach is that reusing entered passwords only happens on the initial attempt. If you mistype the password for your main drive on the first try, you will now have to re-enter it twice, once for the main drive and again for the second drive, even if the passwords are the same.

Option 2: Unlock after boot using crypttab and a keyfile

Alternatively, you can create a keyfile stored on your root partition to unlock the second drive just before booting completes. This can be done using the /etc/crypttab file (see manpage crypttab(5)).

First, create a keyfile for your secondary drive, store it safely and add it as a LUKS key: 

dd bs=512 count=4 if=/dev/random of=/root/mykeyfile.key iflag=fullblock
chmod 400 /root/mykeyfile.key
cryptsetup luksAddKey /dev/sdb /root/mykeyfile.key

Next, create /etc/crypttab in configuration.nix using the following option (replacing UUID-OF-SDB with the actual UUID of /dev/sdb): 

{
   environment.etc.crypttab.text = ''
    cryptstorage UUID=UUID-OF-SDB /root/mykeyfile.key
  ''
}

With this approach, the secondary drive is unlocked just before the boot process completes, without the need to enter its password.

Again, the secondary drive will be unlocked and made available under /dev/mapper/cryptstorage for mounting.

Further reading

Retrieved from "https://nixos.wiki/index.php?title=Full_Disk_Encryption&oldid=12947"