Re: [DNG] Complete system HDD encryption w/o LLVM.
On Tue, Sep 29, 2020 at 07:57:46PM +0100, g4sra via Dng wrote:

> > If you include the "initramfs" option in /etc/crypttab, keys noted in
> > entries marked with that will be automatically included.
>
> Not in the scripts I had, they explicitly excluded any keys for the root
> filesystem because Debian Devs know better than me (including them in an
> initramfs is insecure).

Ah, sorry. I was thinking of filesystems to be unlocked, not key data
itself.

I include "initramfs" in crypttab and I use passphrases on boot, and that
keyword is what enables the prompt for the filesystem(s) in question. I
sometimes have others that use keys that are on the encrypted root, and
those don't specify "initramfs" as they can wait until the normal boot
phase.

Only vaguely related, something I haven't played with yet that I'd like to:

https://github.com/latchset/clevis

--
Mason Loring Bliss
ma...@blisses.org
They also surf, who only stand on waves.

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Complete system HDD encryption w/o LLVM.
On Tue, Sep 29, 2020 at 08:58:42PM +0700, Андрей via Dng wrote:
> Hello.
>
> I've seen on the Devuan web site an article on complete system HDD
> encryption using LLVM. I have tried that one and found that it is
> impossible to change partition sizes once it was autopartitioned,
> using LLVM full system HDD encryption.

You probably mean LVM.

> Question is, is it possible to achieve the same goal without LLVM --
> i.e. to partition the system HDD with fdisk, and then still have full
> encryption?
>
> Thanks in advance.
>
> Andrey.
Re: [DNG] Complete system HDD encryption w/o LLVM.
On 9/29/20 9:58 AM, Андрей via Dng wrote:
> Question is, is it possible to achieve the same goal without LLVM --
> i.e. to partition the system HDD with fdisk, and then still have full
> encryption?

Another way to do it is with the live ISOs (using refractainstaller).
Select encryption for the root partition and do not select a separate
partition for /boot. You can also select a separate partition for /home,
and if you encrypt that, you will have to enter the passphrase to unlock
each partition. You can change that to a keyfile after the install. The
default for the live installer is to use a swap file on the root
partition, so that will be part of the encrypted filesystem.

One thing I find annoying with having /boot encrypted is that grub is very
slow to respond to the passphrase. And then you have to enter it again for
the root partition.

fsmithred
Re: [DNG] Complete system HDD encryption w/o LLVM.
On 10/1/20 4:42 AM, Steve Litt wrote:
> On Tue, 29 Sep 2020 20:58:42 +0700 Андрей via Dng wrote:
>
>> I've seen on the Devuan web site an article on complete system HDD
>> encryption using LLVM. I have tried that one and found that it is
>> impossible to change partition sizes once it was autopartitioned,
>> using LLVM full system HDD encryption.
>
> If your /home partition is encrypted, and any other "data" partitions
> are encrypted, and perhaps your swap partition is encrypted (is that
> possible?) then I think it's pretty easy. Why would one need /usr and
> /etc and /var encrypted?

/etc/ to prevent adversaries with physical access from reading your
configuration

/usr/ to prevent adversaries with physical access from replacing binaries

/var/ mixture of the above.
Re: [DNG] Complete system HDD encryption w/o LLVM.
On 10/1/20 2:30 PM, Olaf Meeuwissen via Dng wrote:
> - /etc? 'cause you might end up saving clear text passwords there ...
>   Oh! I found one below /etc/wpa_supplicant/. There might be others.

Could also be clear-text: smtp account password(s), network-manager saves
connection passwords there, system backup passwords, mysql also has the
debian-sys-maint password. And there are probably more clear-text examples
in /etc/. Apart from clear-text passwords, most encryption keys for daemons
are stored in /etc.

> - /var? Eh, /var/spool/ may have mail and print jobs, at least for some
>   time. /var/log/ may contain sensitive stuff ...

+ /var/lib is mostly data: mysql data, dns data, tor data, etc.
/var/backups

-- and yes, swap can be encrypted too, very very easily.
Re: [DNG] Complete system HDD encryption w/o LLVM.
Hi Steve,

Steve Litt writes:

> On Tue, 29 Sep 2020 20:58:42 +0700
> Андрей via Dng wrote:
>
>> Hello.
>>
>> I've seen on the Devuan web site an article on complete system HDD
>> encryption using LLVM. I have tried that one and found that it is
>> impossible to change partition sizes once it was autopartitioned,
>> using LLVM full system HDD encryption.
>
> If your /home partition is encrypted, and any other "data" partitions
> are encrypted, and perhaps your swap partition is encrypted (is that
> possible?) then I think it's pretty easy. Why would one need /usr and
> /etc and /var encrypted?

- /usr? Depends on what gets stuffed under /usr/local/
- /etc? 'cause you might end up saving clear text passwords there ...
  Oh! I found one below /etc/wpa_supplicant/. There might be others.
- /var? Eh, /var/spool/ may have mail and print jobs, at least for some
  time. /var/log/ may contain sensitive stuff ...

That said, I generally agree that for _most_ of *my* purposes there is no
real need to have those trees encrypted. Still on the machine I am now
typing this mail *everything* is, the whole of it from / on down.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2
FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join
Re: [DNG] Complete system HDD encryption w/o LLVM.
On Tue, 29 Sep 2020 20:58:42 +0700
Андрей via Dng wrote:

> Hello.
>
> I've seen on the Devuan web site an article on complete system HDD
> encryption using LLVM. I have tried that one and found that it is
> impossible to change partition sizes once it was autopartitioned,
> using LLVM full system HDD encryption.

If your /home partition is encrypted, and any other "data" partitions
are encrypted, and perhaps your swap partition is encrypted (is that
possible?) then I think it's pretty easy. Why would one need /usr and
/etc and /var encrypted?

SteveT

Steve Litt
Autumn 2020 featured book: Thriving in Tough Times
http://www.troubleshooters.com/thrive
Re: [DNG] Complete system HDD encryption w/o LLVM.
On 29/09/2020 19:05, Mason Loring Bliss wrote:
> On Tue, Sep 29, 2020 at 04:02:35PM +0100, g4sra via Dng wrote:
>
>> Copy /boot over onto /
>> * rebuild the initramfs in the NEW /boot on / *
>> ^^^ you will need to hack the initramfs-tools scripts or they will
>> exclude the LUKS key ^^^
>
> If you include the "initramfs" option in /etc/crypttab, keys noted in
> entries marked with that will be automatically included.
>

Not in the scripts I had, they explicitly excluded any keys for the root
filesystem because Debian Devs know better than me (including them in an
initramfs is insecure).
Re: [DNG] Complete system HDD encryption w/o LLVM.
On Tue, Sep 29, 2020 at 04:02:35PM +0100, g4sra via Dng wrote:

> Copy /boot over onto /
> * rebuild the initramfs in the NEW /boot on / *
> ^^^ you will need to hack the initramfs-tools scripts or they will
> exclude the LUKS key ^^^

If you include the "initramfs" option in /etc/crypttab, keys noted in
entries marked with that will be automatically included.

--
Mason Loring Bliss   (( If I have not seen as far as others, it is because
ma...@blisses.org    )) giants were standing on my shoulders. - Hal Abelson
Re: [DNG] Complete system HDD encryption w/o LLVM.
On 29/09/2020 15:27, Mason Loring Bliss wrote:
> On Tue, Sep 29, 2020 at 08:58:42PM +0700, Андрей via Dng wrote:
>
>> Question is, is it possible to achieve the same goal without LLVM --
>> i.e. to partition the system HDD with fdisk, and then still have full
>> encryption?
>
> Yes, or at least, mostly. There needs to be unencrypted data that contains
> the decryption code. GRUB itself can handle LUKS decryption, but that
> would involve a manual installation.
>
> There are a number of ways to encrypt a system, in any event, and you can
> certainly use the "manual" partitioning in the Debian installer to set up a
> system that's largely encrypted, without LVM, but remember to supply an
> unencrypted /boot, as unless something's changed very recently, Debian (and
> Devuan by extension) doesn't know to configure GRUB to unlock an encrypted
> /boot.
>
> I found this that talks about encrypted /boot (or /boot on encrypted root)
> but it would require manual installation, and I'm not sure how easy it'd be
> to adapt Debian's GRUB scaffolding to accommodate it. Might be easy, might
> be nearly impossible. But:
>
> https://wiki.archlinux.org/index.php/Grub#Encrypted_/boot

Do it in stages:

Stage 1
Devuan install CD:
  partition 1 unencrypted /boot
  partition 2 LUKS encrypted everything else

Stage 2
Copy /boot over onto /
* rebuild the initramfs in the NEW /boot on / *
^^^ you will need to hack the initramfs-tools scripts or they will
exclude the LUKS key ^^^

Stage 3
Rip apart the new initramfs and confirm correctly built, repeat Stage 2 if
not.

Stage 4 - point of no return'ish
Re-configure and re-install grub to load the kernel from partition 2 /boot

Stage 5 - ok i lied, it's Linux and anything is recoverable almost
Boot into recovery from the Devuan Install CD
Re-install grub to boot the first partition kernel, the original /boot.
Have a cup of coffee and work out what you did wrong and try Stage 2 on
again :)

I kept two differing grub configurations making life easier by symlinking,
unencrypted in partition 1 /boot, encrypted in partition 2 /boot

When you are satisfied, wipe partition 1.
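A check for Stage 3 above, and for the crypttab "initramfs" option discussed earlier on this page, added here as an example rather than anything posted in the thread: a POSIX sh audit that lists the /etc/crypttab entries flagged initramfs which use a key file instead of a passphrase, then looks for those key files in an lsinitramfs(8) listing of the rebuilt image. The crypttab content, device names, key paths and the listing are constructed samples; on a real box feed it the output of `cat /etc/crypttab` and `lsinitramfs`.

```shell
# Added example (not from the thread): audit whether key files named in
# /etc/crypttab entries flagged "initramfs" were copied into the rebuilt
# initramfs. Every sample value below is constructed for the demo.

# Print "<name> <keyfile>" for each crypttab entry on stdin that has the
# "initramfs" option and a real key file ("none" / "-" mean a passphrase
# prompt, which is the usual reason for the flag).
crypttab_initramfs_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            key = $3; opts = $4
            if (key == "") key = "none"
            if (("," opts ",") ~ /,initramfs,/ && key != "none" && key != "-")
                print $1, key
        }'
}

# $1: crypttab text, $2: listing as printed by lsinitramfs(8) (paths lack a
# leading slash). Prints "LEAKED <name> <keyfile>" per key file found inside
# the image; prints nothing when the image is clean.
audit_initramfs_keys() {
    crypttab=$1; listing=$2
    printf '%s\n' "$crypttab" | crypttab_initramfs_keys |
    while read -r name key; do
        if printf '%s\n' "$listing" | grep -qxF "${key#/}"; then
            printf 'LEAKED %s %s\n' "$name" "$key"
        fi
    done
}

# Constructed crypttab: root is passphrase-unlocked in the initramfs, /home
# waits for normal boot, and "data" wrongly pairs a key file with the flag.
SAMPLE_CRYPTTAB='# <target>   <source>               <key file>          <options>
root_crypt   UUID=PLACEHOLDER-ROOT  none                luks,initramfs
home_crypt   /dev/sda3              /etc/keys/home.key  luks
data_crypt   /dev/sda4              /etc/keys/data.key  luks,initramfs'

# Constructed lsinitramfs-style listing of the rebuilt image.
SAMPLE_LISTING='.
etc
etc/keys
etc/keys/data.key
cryptroot/crypttab'

# On a real system use "$(cat /etc/crypttab)" and
# "$(lsinitramfs /boot/initrd.img-$(uname -r))" instead of the samples.
audit_initramfs_keys "$SAMPLE_CRYPTTAB" "$SAMPLE_LISTING"
```

An empty result means no key file for an initramfs-flagged entry is inside the image; a LEAKED line is the case g4sra's Stage 3 inspection is meant to catch.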
Re: [DNG] Complete system HDD encryption w/o LLVM.
On 29/09/2020 14:58, Андрей via Dng wrote:
> Question is, is it possible to achieve the same goal without LLVM --
> i.e. to partition the system HDD with fdisk, and then still have full
> encryption?

LUKS encrypt the whole HDD or a large partition first, then overlay LVM to
get resizeable volumes and snapshotting etc.

Check the current LUKS grub support, last time I checked grub only supports
LUKS not LUKS2, an important consideration if you want /boot encrypted.
Re: [DNG] Complete system HDD encryption w/o LLVM.
On Tue, Sep 29, 2020 at 08:58:42PM +0700, Андрей via Dng wrote:

> Question is, is it possible to achieve the same goal without LLVM --
> i.e. to partition the system HDD with fdisk, and then still have full
> encryption?

Yes, or at least, mostly. There needs to be unencrypted data that contains
the decryption code. GRUB itself can handle LUKS decryption, but that
would involve a manual installation.

There are a number of ways to encrypt a system, in any event, and you can
certainly use the "manual" partitioning in the Debian installer to set up a
system that's largely encrypted, without LVM, but remember to supply an
unencrypted /boot, as unless something's changed very recently, Debian (and
Devuan by extension) doesn't know to configure GRUB to unlock an encrypted
/boot.

I found this that talks about encrypted /boot (or /boot on encrypted root)
but it would require manual installation, and I'm not sure how easy it'd be
to adapt Debian's GRUB scaffolding to accommodate it. Might be easy, might
be nearly impossible. But:

https://wiki.archlinux.org/index.php/Grub#Encrypted_/boot

--
Mason Loring Bliss   (( If I have not seen as far as others, it is because
ma...@blisses.org    )) giants were standing on my shoulders. - Hal Abelson
[DNG] Complete system HDD encryption w/o LLVM.
Hello.

I've seen on the Devuan web site an article on complete system HDD
encryption using LLVM. I have tried that one and found that it is
impossible to change partition sizes once it was autopartitioned,
using LLVM full system HDD encryption.

Question is, is it possible to achieve the same goal without LLVM --
i.e. to partition the system HDD with fdisk, and then still have full
encryption?

Thanks in advance.

Andrey.