Hi,
For simplicity and flexibility I want /dev/sda1 as a LUKS volume, with LVM on
top, and inside the LVM the rootfs and swap.
Eliminating the separate /boot has several advantages:
- Smaller attack surface: only the MBR is in cleartext, and it can later
probably be secured more easily. It can also be checked more easily.
- No maintenance: having a separate /boot requires space to store all the
initramfs images. Without a /boot, that space is shared with the rootfs. A too
small /boot can be an issue if the old initramfs images are kept; one that is
too big consumes space.
Now an easy way to do it is the following:
# umount /boot
# mount /dev/sda1 /mnt # here sda1 is the /boot partition
# cp -ra /mnt/* /boot/ # copy the old /boot contents into the directory on the rootfs
# umount /mnt/
# vim /etc/fstab # remove /boot from the fstab
# echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
# update-initramfs -c -k all
# update-grub
# grub-install /dev/sda # /dev/sda being the boot disk
However, the password then needs to be typed twice:
- once in grub
- once in the initramfs
So the idea is to create a key:
# mkdir -p /etc/keys
# dd if=/dev/random of=/etc/keys/luks.key bs=512 count=16 iflag=fullblock
# ls -lah /etc/keys/luks.key # We verify the size
-rw-r--r-- 1 root root 8.0K 1 janv. 01:05 /etc/keys/luks.key
And to add it to the LUKS volume:
# cryptsetup luksAddKey /dev/sda2 /etc/keys/luks.key # /dev/sda2 is the encrypted volume
Now:
- The initramfs is in / which is encrypted
- GRUB already asks for the passphrase and loads the initramfs from the
encrypted rootfs.
- The initramfs asks for the same password again (sic).
In Parabola, solving that is pretty easy:
- We add FILES="/etc/keys/luks.key" in /etc/mkinitcpio.conf
- We add "cryptkey=rootfs:/etc/keys/luks.key" to the kernel parameters. This
can be done by adding cryptkey=rootfs:/etc/keys/luks.key to
GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub.
It would be nice to easily be able to do it in Trisquel too; however, I haven't
yet found a way that is:
- Easy enough for people used to the command line and to editing
configuration files
- Has no maintenance and doesn't break during updates and so on
- Is very robust.
So far, here are my findings:
Adding a key inside /etc/crypttab for the volume which contains the rootfs
makes update-initramfs -c -k all output a warning ("cryptsetup: WARNING:
target /dev/sda2_crypt uses a key file, skipped") and the key isn't added to
the initramfs. This warning comes from /usr/share/initramfs-tools/hooks. By
reading that script I found that you can add a keyscript to the initramfs,
and various howtos on the Internet seem to corroborate that finding.
However, I'm not familiar at all with the Debian-style initramfs generation,
and I was wondering if there was rather an easy way to:
- Include the key inside the initramfs in a very clean manner
- Tell the initramfs to use that key, still in a very clean manner
without needing to write a potentially fragile script, which:
- May break if the script isn't written well enough
- May break if the busybox compilation options change
- May break due to other changes in the initramfs
- Might be harder to use than just modifying one or more configuration files
to include the encryption key.
Denis.
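An added example (not Denis's commands, not Trisquel's or Debian's own code) of the configuration-file-only route the post is asking for: it creates the key with a restrictive umask (the 0644 key shown above is readable by every local user once the system is up) and stages the cryptsetup-initramfs settings that ship the key without a keyscript. It assumes a cryptsetup-initramfs that honours KEYFILE_PATTERN in /etc/cryptsetup-initramfs/conf-hook (Debian 10 and Ubuntu 20.04 or later; the Trisquel release in the post may be older), takes a ROOT prefix so it can be dry-run against a scratch directory, and uses a placeholder UUID.

```shell
#!/bin/sh
# Added example, not from the original post. Creates a LUKS key file with
# safe permissions and stages the initramfs-tools/cryptsetup configuration.
# ASSUMPTION: cryptsetup-initramfs supports KEYFILE_PATTERN (Debian 10+).
# ROOT is a prefix so everything can be exercised in a temporary directory.
set -eu

make_keyfile() {  # make_keyfile PATH
    # umask 077 makes the file 0600 from the moment dd creates it, unlike the
    # 0644 file in the post; /dev/urandom is used so it never blocks.
    ( umask 077 && dd if=/dev/urandom of="$1" bs=512 count=16 iflag=fullblock 2>/dev/null )
}

check_keyfile() {  # check_keyfile PATH -> 0 if mode 0600 and 8192 bytes
    [ "$(stat -c '%a' "$1")" = "600" ] && [ "$(stat -c '%s' "$1")" = "8192" ]
}

stage_config() {  # stage_config ROOT KEYPATH LUKS_UUID MAPPER_NAME
    root=$1; key=$2; uuid=$3; name=$4
    mkdir -p "$root/etc/cryptsetup-initramfs" "$root/etc/initramfs-tools" \
             "$root/etc/default"
    # Files matching the pattern are copied into the initramfs by the hook,
    # which is what makes the "uses a key file, skipped" warning go away.
    printf 'KEYFILE_PATTERN="%s"\n' "$key" >> "$root/etc/cryptsetup-initramfs/conf-hook"
    # The initramfs image now carries the key, so it must not be world-readable.
    printf 'UMASK=0077\n' >> "$root/etc/initramfs-tools/initramfs.conf"
    # crypttab names the key at the same path it has on the rootfs; the copy
    # inside the initramfs sits at that path, so no cryptkey= parameter is needed.
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$key" >> "$root/etc/crypttab"
    # GRUB still unlocks the volume itself to read the kernel and initramfs.
    printf 'GRUB_ENABLE_CRYPTODISK=y\n' >> "$root/etc/default/grub"
}
```

After staging against the real root, `update-initramfs -u -k all` followed by `lsinitramfs /boot/initrd.img-$(uname -r) | grep keys` confirms the key is inside the image, and `stat -c '%a' /boot/initrd.img-*` should report 600.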