Encrypt full system

Postby Arjen Balfoort » 28 Aug 2020 13:38

[update: 29 August 2020 - added rsync backup/restore example, checked for BIOS systems]

I had to re-code the encryption part of the live installer, but perhaps there are users that would like to encrypt their system manually.

Assumptions
If using an EFI system, use a GPT partition table; for BIOS use an msdos partition table.
cryptsetup-initramfs is installed.
You have root permissions.

System partitions (mount point, file system)
/dev/sda1 (/boot/efi (fat32) for EFI or /boot (ext4) for BIOS)
/dev/sda2 (swap, swap-linux)
/dev/sda3 (/, ext4)
/dev/sda4 (/home, ext4)

Live boot your system
Live boot your system and create a backup of the root and home partitions on an external drive.

This is an example using rsync (/dev/sdb1 is the backup partition).
Get root permissions (live password: solydxk) :

Code:
su -
Create temporary directories and mount the partitions:

Code:
mkdir /mnt/{sda3,sda4,sdb1}
mount /dev/sda3 /mnt/sda3
mount /dev/sda4 /mnt/sda4
mount /dev/sdb1 /mnt/sdb1
Backup root and home:

Code:
rsync -aAXv --exclude={"*/dev/*","*/proc/*","*/sys/*","*/tmp/*","*/run/*","*/mnt/*","*/media/*","*/lost+found"} /mnt/sda3 /mnt/sdb1/
rsync -aAXv /mnt/sda4 /mnt/sdb1/
Unmount the partitions and remove the temporary directories:

Code:
umount /mnt/{sda3,sda4,sdb1}
rmdir /mnt/{sda3,sda4,sdb1}
Encrypting
I only show the steps for the root partition. Do the same for /home and, if you want, for swap.
I use LUKS1 because at the moment of writing Grub2 did not yet support LUKS2.
Support for LUKS2 was announced on 10 January 2020: https://git.savannah.gnu.org/cgit/grub. ... 70b49f9755
However, if you prefer, you can encrypt the non-bootable partitions with LUKS2: any partition that Grub does not have to read at boot, i.e. not /dev/sda1 and not the root partition (on EFI systems /boot lives on the root partition). For those partitions you can replace "--type luks1" with "--type luks2".

Replace [my_password] with your password. You can change the password for each partition.
Replace [my_label] with the label you wish for that partition.

Get root permissions (live password: solydxk) and make sure the partition is not mounted:

Code:
su -
umount /dev/sda3
Encrypt the partition (a passphrase given to printf like this ends up in the shell history and, while the command runs, in the process list; leave out the printf pipe to have cryptsetup prompt for it instead):

Code:
printf "[my_password]" | cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-random --type luks1 --iter-time 5000 luksFormat /dev/sda3
Open the partition (the mapped device then appears as /dev/mapper/sda3):

Code:
printf "[my_password]" | cryptsetup open /dev/sda3 sda3
Format the mapped partition:

Code:
mkfs.ext4 -q -L "[my_label]" /dev/mapper/sda3
For the swap partition, after encrypting and opening /dev/sda2 in the same way, initialise the mapped device with mkswap instead:

Code:
mkswap -L "[my_label]" /dev/mapper/sda2
Restore the backup
Create temporary directories and mount the partitions:

Code:
mkdir /target /mnt/sdb1
mount /dev/mapper/sda3 /target
mount /dev/sdb1 /mnt/sdb1
Restore root:

Code:
rsync -aAXv /mnt/sdb1/sda3/ /target
Restore home:

Code:
mkdir /target/home
mount /dev/mapper/sda4 /target/home
rsync -aAXv /mnt/sdb1/sda4/ /target/home
Create keys
I would not like to type my password more than once during boot. So we need to create key files: one for the root partition (on an EFI system Grub has already unlocked it once to read /boot, and the key file stops the initramfs from asking a second time) and one each for the /home and swap partitions.

Code:
mkdir /target/keys
# 4096 random bytes; iflag=fullblock makes dd collect full 512-byte reads, so count=8 really yields 4096 bytes
dd if=/dev/urandom of=/target/keys/sda3.key bs=512 count=8 iflag=fullblock
# readable by root only
chmod 0400 /target/keys/sda3.key
# add the key file as an extra key slot; the existing passphrase unlocks the header
printf "[my_password_for_sda3]" | cryptsetup luksAddKey /dev/sda3 /target/keys/sda3.key
You can do the same for the /home and swap partition. Make sure to replace sda3 with the corresponding names.
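The key-file step above as two shell functions, added here as an example rather than taken from the post or from SolydXK's installer. make_keyfile creates the 4096-byte key under a 077 umask (so it is never group/other-readable, not even between creation and chmod) and refuses to overwrite an existing key; enrol_keyfile adds it to the header with the current passphrase taken from a file or from cryptsetup's own prompt, so the passphrase does not land in the shell history or the process list, and then test-opens the header with the new key so a failed enrolment shows up now rather than at the next boot. The directory and device paths are arguments (assumed, not from the post); GNU coreutils and cryptsetup are assumed, and enrolment needs root and a real LUKS device.

```shell
#!/bin/sh
# Added example (not from the original post): create a random LUKS key file and
# enrol it as an extra key slot without putting the passphrase on the command line.
# Assumes GNU coreutils and cryptsetup; enrol_keyfile needs root and a LUKS device.
set -eu

# make_keyfile DIR NAME: write 4096 random bytes to DIR/NAME.key (root-only) and
# print the path. Refuses to overwrite: a second run would otherwise replace a
# key that is already enrolled in a header and leave that key slot unusable.
make_keyfile() {
    dir=$1
    key="$dir/$2.key"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    if [ -e "$key" ]; then
        echo "refusing to overwrite existing key $key" >&2
        return 1
    fi
    # umask 077 in a subshell: the file is born without group/other bits
    (umask 077 && head -c 4096 /dev/urandom > "$key")
    chmod 0400 "$key"
    if [ "$(wc -c < "$key")" -ne 4096 ]; then
        echo "short read from /dev/urandom" >&2
        return 1
    fi
    echo "$key"
}

# enrol_keyfile DEVICE KEYFILE [PASSFILE]: add KEYFILE to a free key slot of
# DEVICE. The current passphrase is read from PASSFILE when given (a root-only
# file), otherwise cryptsetup prompts for it on the terminal. Afterwards the key
# file is test-opened against the header (nothing is mapped) to prove it works.
enrol_keyfile() {
    dev=$1
    key=$2
    if [ -n "${3:-}" ]; then
        cryptsetup luksAddKey --key-file "$3" "$dev" "$key"
    else
        cryptsetup luksAddKey "$dev" "$key"
    fi
    cryptsetup open --test-passphrase --key-file "$key" "$dev"
}

# Usage on the live system, as root, with the new root fs mounted on /target:
#   k=$(make_keyfile /target/keys sda3)
#   enrol_keyfile /dev/sda3 "$k"        # prompts for the passphrase of /dev/sda3
# Nothing runs when this file is merely sourced.
```

Repeat the two calls for sda4 and sda2; the /keys directory then holds one 0400 file per partition, which is what the crypttab entries further down refer to.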

Configure the new system
Now that you have encrypted your partitions, they have new UUIDs which we need to write to fstab and crypttab.
I am going to use the actual UUIDs from the output of blkid. Replace the UUIDs with yours.

Get the current UUIDs

Code:
blkid
Output:

Code:
/dev/sda1: UUID="AE99-1A73" TYPE="vfat" PARTUUID="44444d36-6516-4a2e-881f-36c531f0d287"
/dev/sda2: UUID="74dad0ff-04df-43b1-97f3-2228c4ac2bf6" TYPE="crypto_LUKS" PARTUUID="31565fd5-3321-4656-a436-88feb3eeaae1"
/dev/sda3: UUID="de951f8d-8816-42f7-946b-be1e51f9d00f" TYPE="crypto_LUKS" PARTUUID="2f010551-b825-43c2-9805-9fc8f4cdcb06"
/dev/sda4: UUID="5bc7aefa-d455-4494-a8ad-8483f3fecdf2" TYPE="crypto_LUKS" PARTUUID="59af52d5-66c0-4aef-8fd3-8d66e4103b6a"
Edit /target/etc/crypttab

Code:
# <target name>	<source device>	<key file>	<options>
sda3 UUID=de951f8d-8816-42f7-946b-be1e51f9d00f /keys/sda3.key luks
sda4 UUID=5bc7aefa-d455-4494-a8ad-8483f3fecdf2 /keys/sda4.key luks
sda2 UUID=74dad0ff-04df-43b1-97f3-2228c4ac2bf6 /keys/sda2.key swap,luks
On a BIOS system (where /boot is the unencrypted /dev/sda1) replace /keys/sda3.key with none in the root entry, so that the initramfs asks for the passphrase. Note that cryptsetup-initramfs copies every file matching KEYFILE_PATTERN (below) into the initramfs; on a BIOS system that image lives on the unencrypted /boot, so the /home and swap keys embedded in it are protected only by the file mode that UMASK=0077 gives the image, not by encryption.

Edit /target/etc/fstab

Code:
# <file system>	<mount point>	<type>	<options>	<dump>	<pass>
/dev/mapper/sda3	/	ext4	rw,noatime,errors=remount-ro	0	1
UUID=AE99-1A73	/boot/efi	vfat	defaults	0	0
/dev/mapper/sda4	/home	ext4	rw,noatime,errors=remount-ro	0	2
/dev/mapper/sda2	swap	swap	sw	0	0
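Because the UUIDs change after luksFormat and a single copy mistake leaves the system unbootable, this added example (not from the post or from SolydXK) derives both files from the blkid output instead. The layout table and the sample blkid text are constructed here (the UUIDs are the ones shown above); gen_crypttab also refuses any entry whose device is not TYPE="crypto_LUKS", which catches a partition that was never encrypted or the UUID of the inner ext4 file system used instead of the container. POSIX sh and awk are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): generate crypttab and fstab from
# `blkid` output instead of copying UUIDs by hand, refusing any "encrypted"
# entry whose device is not a LUKS container. Assumes POSIX sh and awk.
set -eu

# Desired layout, one partition per line:
#   device  mapper-name(- = not encrypted)  mount-point  fs-type  key-file
# Use "none" as key file for an entry the initramfs must unlock by passphrase.
LAYOUT='/dev/sda1 - /boot/efi vfat -
/dev/sda2 sda2 swap swap /keys/sda2.key
/dev/sda3 sda3 / ext4 /keys/sda3.key
/dev/sda4 sda4 /home ext4 /keys/sda4.key'

# Constructed sample of `blkid` output (UUIDs are the ones shown in the post).
SAMPLE_BLKID='/dev/sda1: UUID="AE99-1A73" TYPE="vfat" PARTUUID="44444d36-6516-4a2e-881f-36c531f0d287"
/dev/sda2: UUID="74dad0ff-04df-43b1-97f3-2228c4ac2bf6" TYPE="crypto_LUKS" PARTUUID="31565fd5-3321-4656-a436-88feb3eeaae1"
/dev/sda3: UUID="de951f8d-8816-42f7-946b-be1e51f9d00f" TYPE="crypto_LUKS" PARTUUID="2f010551-b825-43c2-9805-9fc8f4cdcb06"
/dev/sda4: UUID="5bc7aefa-d455-4494-a8ad-8483f3fecdf2" TYPE="crypto_LUKS" PARTUUID="59af52d5-66c0-4aef-8fd3-8d66e4103b6a"'

# blkid_to_table FILE: reduce blkid lines to "device uuid type" rows.
# (Values containing spaces, e.g. LABEL="my label", are not handled.)
blkid_to_table() {
    awk '{
        dev = $1; sub(/:$/, "", dev); uuid = ""; type = ""
        for (i = 2; i <= NF; i++) {
            if (index($i, "UUID=") == 1) { uuid = $i; sub(/^UUID="/, "", uuid); sub(/"$/, "", uuid) }
            if (index($i, "TYPE=") == 1) { type = $i; sub(/^TYPE="/, "", type); sub(/"$/, "", type) }
        }
        print dev, uuid, type
    }' "$1"
}

# gen_crypttab FILE: one crypttab line per encrypted layout entry. Exits 1 if the
# device is not TYPE="crypto_LUKS": that catches a partition you forgot to
# encrypt, or the UUID of the inner file system used instead of the container.
gen_crypttab() {
    blkid_to_table "$1" | awk -v layout="$LAYOUT" '
    BEGIN { n = split(layout, rows, "\n") }
    { uuid[$1] = $2; type[$1] = $3 }
    END {
        for (r = 1; r <= n; r++) {
            split(rows[r], f, " ")                 # dev mapper mnt fstype key
            if (f[2] == "-") continue
            if (type[f[1]] != "crypto_LUKS") {
                print (f[1] " is not a LUKS container (TYPE=" type[f[1]] ")") > "/dev/stderr"
                exit 1
            }
            print f[2], "UUID=" uuid[f[1]], f[5], (f[3] == "swap" ? "swap,luks" : "luks")
        }
    }'
}

# gen_fstab FILE: unencrypted partitions by UUID, encrypted ones via /dev/mapper;
# root is fsck'ed first (pass 1), other file systems pass 2, swap not at all.
gen_fstab() {
    blkid_to_table "$1" | awk -v layout="$LAYOUT" '
    BEGIN { n = split(layout, rows, "\n") }
    { uuid[$1] = $2 }
    END {
        for (r = 1; r <= n; r++) {
            split(rows[r], f, " ")
            if (f[3] == "swap") { print "/dev/mapper/" f[2], "swap swap sw 0 0"; continue }
            if (f[2] == "-") print "UUID=" uuid[f[1]], f[3], f[4], "defaults 0 0"
            else print "/dev/mapper/" f[2], f[3], f[4], "rw,noatime,errors=remount-ro 0", (f[3] == "/" ? 1 : 2)
        }
    }'
}

# Demo: `sh thisfile.sh --demo` prints both tables for the constructed sample.
# On the live system use `blkid > /tmp/blkid.txt` and pass that file instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_BLKID" > "$tmp"
    gen_crypttab "$tmp"; echo; gen_fstab "$tmp"
    rm -f "$tmp"
fi
```

Redirect the two outputs into /target/etc/crypttab and /target/etc/fstab after eyeballing them once; for a BIOS system, change the root line of LAYOUT to use none as its key file before generating.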
Edit /target/etc/cryptsetup-initramfs/conf-hook

Code:
CRYPTSETUP=y
KEYFILE_PATTERN="/keys/*.key"
Edit /target/etc/initramfs-tools/initramfs.conf

Code:
UMASK=0077
Edit /target/etc/default/grub
Note: in VirtualBox you need to remove "splash" from GRUB_CMDLINE_LINUX_DEFAULT before you run update-grub.

Code:
GRUB_ENABLE_CRYPTODISK=y
Chroot into the target system

Code:
mknod -m 600 /target/dev/console c 5 1 2>/dev/null
mknod -m 666 /target/dev/null c 1 3 2>/dev/null
mount -v --bind /dev /target/dev
mount -vt devpts devpts /target/dev/pts -o gid=5,mode=620
mount -vt proc proc /target/proc
mount -vt sysfs sysfs /target/sys
mount -vt tmpfs tmpfs /target/run
chroot /target
Install grub on an EFI system
SolydXK uses its own bootloader id, e.g. solydxk10:

Code:
mount /dev/sda1 /boot/efi
grub-install --efi-directory=/boot/efi --bootloader-id="solydxk10" /dev/sda

Install grub on a BIOS system:

Code:
mount /dev/sda1 /boot
grub-install /dev/sda

Update grub and initramfs

Code:
update-grub
update-initramfs -u -k all
exit
Cleanup and reboot

Code:
umount /target/{run,sys,proc,dev/pts,dev}
umount /target
Reboot into the new system.
You will be asked for the password of the root partition once (if twice, you forgot to add the root key to crypttab), but not for the home and swap partitions. The generated keys are used for these partitions.
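An added check (not from the post or from SolydXK) for the two things that go wrong at this point: a key file named in crypttab that the initramfs does not contain, which is what produces the extra passphrase prompt described above, and an initramfs that is readable by group or other despite UMASK=0077. The crypttab and lsinitramfs listing are constructed inputs; check_initramfs runs the same checks against a real image and assumes lsinitramfs and GNU stat are available.

```shell
#!/bin/sh
# Added example (not from the original post): before rebooting, verify that every
# key file named in crypttab made it into the initramfs and that the image is
# readable by root only. Assumes POSIX sh/awk and GNU stat; a listing file is
# the output of `lsinitramfs <image>` (entries have no leading slash).
set -eu

# keyfiles_in_crypttab CRYPTTAB: print the key-file column, skipping comments,
# blank lines and entries that use "none" (passphrase prompt).
keyfiles_in_crypttab() {
    awk '!/^[ \t]*(#|$)/ && NF >= 3 && $3 != "none" { print $3 }' "$1"
}

# missing_keyfiles CRYPTTAB LISTING: print key files from CRYPTTAB that are absent
# from LISTING. Exit status 0 only when nothing is missing. A missing key makes
# the initramfs fall back to a passphrase prompt for that entry at boot.
missing_keyfiles() {
    keyfiles_in_crypttab "$1" | while read -r key; do
        grep -qx "${key#/}" "$2" || echo "$key"
    done | awk '{ print; n++ } END { exit (n > 0) }'
}

# initrd_mode_ok IMAGE: 0 if IMAGE has no group/other permission bits, which is
# what UMASK=0077 in initramfs.conf produces (e.g. 600); 1 otherwise.
initrd_mode_ok() {
    mode=$(stat -c %a "$1")
    [ $((mode % 100)) -eq 0 ]
}

# check_initramfs CRYPTTAB IMAGE: run both checks against a real image.
# Example, inside the chroot after update-initramfs:
#   check_initramfs /etc/crypttab /boot/initrd.img-<version>
check_initramfs() {
    listing=$(mktemp)
    lsinitramfs "$2" > "$listing"
    status=0
    missing=$(missing_keyfiles "$1" "$listing") || {
        printf 'missing from initramfs: %s\n' $missing >&2
        status=1
    }
    if ! initrd_mode_ok "$2"; then
        echo "$2 is readable by group/other; set UMASK=0077 and rebuild it" >&2
        status=1
    fi
    rm -f "$listing"
    return "$status"
}
```

If a key is reported missing, check that it lies under /keys (KEYFILE_PATTERN only matches there) and that /target/etc/cryptsetup-initramfs/conf-hook was edited before the final update-initramfs run.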

I hope I have covered it all, but please fill in the blanks if I have missed something.

If you feel the need to use LUKS2 you can convert a partition like this:

Code:
cryptsetup convert /dev/sda4 --type luks2
If you want to do that with your root partition you will need to have an unencrypted /boot partition or your system will be unbootable (until Grub supports LUKS2).

