Re: [qubes-users] Encrypt only part of SSD or How to encrypt after installation?

2018-08-04 Thread 'awokd' via qubes-users
On Fri, August 3, 2018 3:53 pm, Steve Coleman wrote:
>
> On 08/03/18 03:56, Daniil .Travnikov wrote:
>
>> I installed Qubes 4.0 and in the process of installation I created only
>>
>> /boot/efi  400MB
>> /  240GB
>>
>>
>> Even though I set a passphrase, for some reason the '/' was not encrypted
>> (maybe I made some mistake) and now I have a non-encrypted 240Gb drive
>> with Qubes OS.
>>
>
> That's not a mistake. A computer can not boot from an encrypted
> partition without a little magic to load the unencrypted executable image
> first.

I think Daniil is saying he manually set partitions, and tried to use the
installer to LUKS encrypt "/", not "/boot/efi".

>> I created these volumes manually because I need to install a second OS -
>> Windows 7 (multi-boot) on the rest of 250 GB on the SSD drive. That's why I
>> can't use the whole drive encryption.
>>
>> I need only the part of drive to be encrypted.
>>
>>
>>
>>
>> Now as I can see I have 2 possible variations:
>>
>>
>> 1. Encrypt this 240 GB part of Drive after Qubes 4.0 installation.

Not sure how to do this after install.

>> 2. Re-install Qubes 4.0 with right options in installation process.

According to https://fedoraproject.org/wiki/Disk_Encryption_User_Guide,
when creating an individual partition you can check the "Encrypt"
checkbox. Try that for "/" when you re-install.



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dc28dba27ed4d92b612ed75a01602dce.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Encrypt only part of SSD or How to encrypt after installation?

2018-08-03 Thread Steve Coleman



On 08/03/18 03:56, Daniil .Travnikov wrote:

I installed Qubes 4.0 and in the process of installation I created only

/boot/efi  400MB
/  240GB

Even though I set a passphrase, for some reason the '/' was not encrypted (maybe I 
made some mistake) and now I have a non-encrypted 240Gb drive with Qubes OS.


That's not a mistake. A computer can not boot from an encrypted 
partition without a little magic to load the unencrypted executable 
image first.


If it's an Opal 2.0 compliant drive you can install a Pre-Boot 
Authentication (PBA) module that will run when the device is powered up, 
and prompt you for a password before the OS actually starts to boot, and 
the PBA will then unlock the boot partition so the OS boot cycle can 
start. There is source code for the PBA image so you can control what it 
actually does.


How do you know if it's Opal? There will be a PSID number printed on the 
device. This PSID is the magic number/key needed to reset the device 
back to the factory default should you need to do so. It will 
*instantly* wipe everything on the device by changing the key, so be 
very careful. Actually using the device without doing anything special, 
the device is already encrypted but just using the default key.


The tool to manage the device can be found here:

 sedutil-cli
 https://github.com/Drive-Trust-Alliance/sedutil/wiki/Command-Syntax

Your distribution may have a similar utility by the name msed, but that 
is an older version of the above tool.


To encrypt only part of the drive you will need to create a locking 
range that spans from the end of the partition table to the end of that 
region of the drive (your partition size), and set a password for that 
range, and install the PBA of your choice. After unlocking that range 
you then partition the drive, writing the disk tables/structures, and 
then install your stuff, after the range has already been encrypted. 
Locking ranges are very flexible and can even be used to make your boot 
partition read-only, or even hide the real partition table until after 
the drive has been unlocked. There is a lot of flexibility in the Opal 
design.



I created these volumes manually because I need to install a second OS - Windows 7 
(multi-boot) on the rest of 250 GB on the SSD drive. That's why I can't use the 
whole drive encryption.

I need only the part of drive to be encrypted.



Now as I can see I have 2 possible variations:

1. Encrypt this 240 GB part of Drive after Qubes 4.0 installation.

2. Re-install Qubes 4.0 with right options in installation process.


Both ways I don't know how to realize. Does anybody know?


Thanks in advance.
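
The locking-range step Steve Coleman describes above, as an added example that is not part of the original messages: a dry-run planner that converts the region size into the RangeStart/RangeLength values and prints the sedutil-cli sequence without executing anything. Assumptions: 512-byte logical sectors, a region starting at LBA 2048, the thread's 400MB and 240GB read as MiB and GiB, locking range number 1, `/dev/sdX`, `<password>` and `<pba-image-file>` as placeholders, and option spellings as listed on the Command-Syntax wiki linked in the message.

```shell
#!/bin/sh
# Added example: dry-run planner for one Opal locking range.
# It only prints commands; nothing is sent to a drive.
# Assumptions: 512-byte logical sectors, region starts at LBA 2048.

SECTOR_BYTES=512

# mib_to_sectors SIZE_MIB -> number of logical sectors
mib_to_sectors() {
    echo $(( $1 * 1024 * 1024 / SECTOR_BYTES ))
}

# locking_range START_LBA SIZE_MIB... -> "RangeStart RangeLength" in sectors
locking_range() {
    start=$1; shift
    length=0
    for mib in "$@"; do
        length=$(( length + $(mib_to_sectors "$mib") ))
    done
    echo "$start $length"
}

# last_lba START LENGTH -> last LBA covered by the range
last_lba() { echo $(( $1 + $2 - 1 )); }

# plan_commands RANGE_ID START LENGTH DEVICE -> command sequence as text
plan_commands() {
    id=$1 start=$2 length=$3 dev=$4
    pw='<password>'   # placeholder, never a real secret in a script
    cat <<EOF
sedutil-cli --initialSetup $pw $dev
sedutil-cli --setupLockingRange $id $start $length $pw $dev
sedutil-cli --enableLockingRange $id $pw $dev
sedutil-cli --listLockingRanges $pw $dev
sedutil-cli --loadPBAimage $pw <pba-image-file> $dev
EOF
}

# Sizes from the thread: 400 MiB /boot/efi plus 240 GiB /.
set -- $(locking_range 2048 400 $((240 * 1024)))
echo "# range covers LBA $1 .. $(last_lba "$1" "$2")"
plan_commands 1 "$1" "$2" /dev/sdX
```

Compare the printed start and length with the partition boundaries reported by your partitioning tool before running any of the commands by hand.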





[qubes-users] Encrypt only part of SSD or How to encrypt after installation?

2018-08-03 Thread Daniil .Travnikov
I installed Qubes 4.0 and in the process of installation I created only

/boot/efi  400MB
/  240GB

Even though I set a passphrase, for some reason the '/' was not encrypted (maybe I 
made some mistake) and now I have a non-encrypted 240Gb drive with Qubes OS.

I created these volumes manually because I need to install a second OS - Windows 7 
(multi-boot) on the rest of 250 GB on the SSD drive. That's why I can't use the 
whole drive encryption.

I need only the part of drive to be encrypted.



Now as I can see I have 2 possible variations:

1. Encrypt this 240 GB part of Drive after Qubes 4.0 installation.

2. Re-install Qubes 4.0 with right options in installation process.


Both ways I don't know how to realize. Does anybody know?


Thanks in advance.
