Manually set up encryption [SOLVED]
I want to install debian 10 with encryption on a notebook.
I can use the "lvm with encryption" option (guided partitioning).
But I want to mount /root on a separate partition, and that is an unavailable option.
Do I need lvm to use encryption?
How can I set up encryption manually?
This pc is old, so it has the legacy bios.
It needs a different boot partition, I do not remember what is the difference from uefi.
Last edited by Scorpion on 2020-07-26 15:15, edited 1 time in total.
Re: Manually set up encryption
Scorpion wrote:
> But I want to mount /root on a separated partition
Why? /root is not supposed to be separated from the / filesystem. This is neither a good nor a useful idea.

Scorpion wrote:
> Do I need lvm to use encryption?
No, but it is convenient: multiple logical volumes can be contained in a single encrypted physical volume, so only one passphrase is required. If you create multiple encrypted volumes, a passphrase is required for each one.

Scorpion wrote:
> How can I set up encryption manually?
Select manual partitioning instead of guided partitioning.
Create partitions.
Create encrypted volumes.

Scorpion wrote:
> This pc is old, so it has the legacy bios.
> It needs a different boot partition, I do not remember what is the difference from uefi.
There is no difference wrt encryption. Neither BIOS nor UEFI handle encryption, so /boot must be left unencrypted in both cases. The EFI partition is not to be confused with /boot. It may be mounted on /boot, but not in Debian.
(Actually /boot can be encrypted but the Debian installer does not support it out of the box.)
Re: Manually set up encryption
> Why? /root is not supposed to be separated from the / filesystem. This is neither a good nor a useful idea.
Because I login as root, so instead of /home I mount /root on a separate partition, but now that I am using timeshift it seems pointless.

> No, but it is convenient: multiple logical volumes can be contained in a single encrypted physical volume, so only one passphrase is required. If you create multiple encrypted volumes, a passphrase is required for each one.
This pc has only 1 hard disk that I will completely use with debian 10. This requires only 1 encrypted volume, right? At this point I can mount everything in the same partition, no separate /root or /home.
Since this is a notebook it probably won't get new hard disks, but it seems better to have lvm as you said.

> There is no difference wrt encryption. Neither BIOS nor UEFI handle encryption, so /boot must be left unencrypted in both cases. The EFI partition is not to be confused with /boot. It may be mounted on /boot, but not in Debian.
> (Actually /boot can be encrypted but the Debian installer does not support it out of the box.)
My question was about the partitions, I remember that there was something different with the legacy bios.
When manually partitioning a uefi pc (no lvm, no encryption), I create a partition to be used as uefi bootable partition, size 500 MB.
Absolutely I do not require this to be encrypted.
Now I can see that the mount point is: /boot/efi. (Debian 10 pc upgraded from 9).
Maybe I have to simply select some other bootable partition option.
Then I create an ext4 partition with mount point /, another optional ext4 partition with mount point /home (or /root in my case).
And (optional but useful) a swap partition.
If I have to create a lvm with encryption I suppose that won't be so easy.
I used the "lvm with encryption" option (guided partitioning). All files in the same partition.
I can see:
https://ibb.co/QfBkjg5 image link
Since I can see that after sda2 there is sda5 I suspect that there are some partitions to be set.
Re: Manually set up encryption
Scorpion wrote:
> Because I login as root
This is also a bad idea, and does not explain why you need a separate /root.

Scorpion wrote:
> This pc has only 1 hard disk
A "physical volume" (PV) is an LVM container. It has nothing to do with a hard disk. It can be a whole disk, a partition, a RAID array, an encrypted volume...

Scorpion wrote:
> This requires only 1 encrypted volume, right?
Only if you use LVM. If you do not use LVM, you need to create separate encrypted volumes for /, /root, swap...

Scorpion wrote:
> My question was about the partitions, I remember that there was something different with the legacy bios.
EFI boot requires an "EFI system partition".
BIOS boot on GPT may require a "BIOS boot" (bios_grub) partition (1 MB). Even when a BIOS boot partition is not required it is better to create one (more reliable).

Scorpion wrote:
> Maybe I have to simply select some other bootable partition option.
Huh?

Scorpion wrote:
> If I have to create a lvm with encryption I suppose that won't be so easy.
Select manual partitioning.
Create an ext4 partition for /boot.
Create a partition configured as physical volume for encryption.
Enter encryption submenu.
Create an encrypted volume with the 2nd partition.
Exit encryption submenu.
Configure the encrypted volume as physical volume for LVM.
Enter LVM submenu.
Create a new volume group.
Add the encrypted volume as physical volume to the volume group.
Create logical volumes for /, /root, swap...
IMPORTANT: if you are unsure about volume sizes, leave free space in the volume group so that you can extend any logical volume if needed.
Exit LVM submenu.
Configure each logical volume for what it is intended.

Without LVM:
Select manual partitioning.
Create an ext4 partition for /boot.
Create partitions configured as physical volumes for encryption for /, /root, swap...
Enter encryption submenu.
Create an encrypted volume with each encrypted partition.
Exit encryption submenu.
Configure each encrypted volume for what it is intended.
Re: Manually set up encryption
> This is also a bad idea, and does not explain why you need a separate /root.
I love to use root.
Separate /root (like separate /home) is needed when you reinstall or (fresh) update the system.
You erase all the system data (/) but leave /root (or /home), so you will keep all your personal data and configurations.
But now that I am using timeshift it seems pointless.

> Huh?
If I select ext4 I can use it as mount point for /, /root, /home or /var etc.
Or I can select something like "uefi bootable partition": it will automatically select the file system type and mount /boot there.
The debian installer made it ext2 on the legacy bios pc, I do not know why it did not make it ext4.
Maybe there was some other legacy bios option (an option like when selecting ext4 or swap), anyway you answered:

> EFI boot requires an "EFI system partition".
> BIOS boot on GPT may require a "BIOS boot" (bios_grub) partition (1 MB). Even when a BIOS boot partition is not required it is better to create one (more reliable).
So legacy bios uses this extra "BIOS boot" (bios_grub) partition (1 MB) in addition to the ext4 /boot partition, right?
Re: Manually set up encryption
Scorpion wrote:
> Separate /root (like separate /home), is needed when you reinstall or (fresh) update the system.
Did you check what happens when the init system fails to mount /root and you try to open a session as root?

Scorpion wrote:
> If I select ext4 I can use it as mount point for /, /root, /home or /var etc.
> Or I can select something like "uefi bootable partition" it will automatically select the file type system and mount the /boot there.
Do not confuse the EFI system partition (FAT) and the /boot partition (any Unix-like filesystem supported by the boot loader).

Scorpion wrote:
> The debian installer made it ext2 in the legacy bios pc, I do not know why it did not make it ext4.
Because the boot loader may not support ext4. GRUB 2 does. Unpatched GRUB legacy does not. Not sure about LILO.

Scorpion wrote:
> So legacy bios use this extra "BIOS boot" (bios_grub) partition (1 MB) in addition to the ext4 /boot partition, right?
No, legacy BIOS uses neither the BIOS boot partition nor the /boot partition. It only uses the boot disk MBR. GRUB 2 for BIOS boot (grub-pc) uses the BIOS boot partition when installed on a disk with a GPT partition table. The boot loader uses the /boot partition.
Re: Manually set up encryption
> Did you check what happens when the init system fails to mount /root and you try to open a session as root?
Until now that never happened.
Re: Manually set up encryption [SOLVED]
I reinstalled the system with manual partitioning without lvm.
I have 3 encrypted partitions: /, /root and swap.
Why does it ask the password twice? Is it normal?
Re: Manually set up encryption [SOLVED]
It asks the password for / and swap, so not for /root.
Is there a way to type the password once?
It is the same for all the 3 partitions.
- cds60601
Re: Manually set up encryption [SOLVED]
Ideally, you would use a password when the system boots. For other partitions after the fact, you could set up key files. Still have the password stored in the initial slot, but add the key for something like, say, slot 1.
Then, you can direct /etc/cryptsetup to look only in a certain slot for the key, thus only prompting you for the password one time. I like using both so I have a way in no matter what. For example, if the key files are missing, I can still access via password.
I'm being vague, but this is what I do for my system.
Supercalifragilisticexpialidocious
Re: Manually set up encryption [SOLVED]
With "a password when the system boots" do you mean grub password? It is not very safe.
I made and added a key to the swap partition. I can see it with luksDump.
I edited /etc/crypttab to use the key file but it is not working.
Code:
cryptsetup --test-passphrase -v --key-file /root/key luksOpen /dev/sda7
Confirms that the key file is fine.
I saw here https://unix.stackexchange.com/question ... ks-at-boot that I can use the keyutils package.
I tried the password caching script decrypt_keyctl and it works.
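As an added example (not code from the thread or from Debian), a small Python checker that parses crypttab lines and predicts which volumes will prompt for a passphrase, modelling the decrypt_keyctl keyscript the thread ends with: with that keyscript the key-file field is only a cache identifier, and entries sharing it reuse the passphrase typed once. The crypttab lines, device UUIDs and the identifier "shared" are constructed.

```python
"""Predict which /etc/crypttab entries prompt for a passphrase at boot.
Added example (not from the thread). Models Debian semantics: key field
"none"/"-" prompts, a key file path does not, and with decrypt_keyctl the
key field is a cache identifier shared by entries that carry the same one."""

# Constructed crypttab like the thread's layout: / and swap each prompt
# (two prompts); /root is opened with a key file kept on /.
CRYPTTAB_BEFORE = """\
# <target>  <source device>        <key file>  <options>
sda5_crypt  UUID=1111-constructed  none        luks
sda7_crypt  UUID=2222-constructed  none        luks,swap
sda6_crypt  UUID=3333-constructed  /root/key   luks
"""
# Same layout using the keyctl keyscript: / and swap share identifier
# "shared", so the passphrase is typed once and reused from the cache.
CRYPTTAB_KEYCTL = """\
sda5_crypt  UUID=1111-constructed  shared     luks,keyscript=decrypt_keyctl
sda7_crypt  UUID=2222-constructed  shared     luks,swap,keyscript=decrypt_keyctl
sda6_crypt  UUID=3333-constructed  /root/key  luks
"""

def parse_crypttab(text):
    """Parse crypttab text into dicts; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        fields += ["none", ""]            # defaults for a missing key/options
        entries.append({"name": fields[0], "device": fields[1], "key": fields[2],
                        "options": set(filter(None, fields[3].split(",")))})
    return entries

def prompting_volumes(entries):
    """Return names of the entries that ask for a passphrase, in boot order."""
    prompted, cached = [], set()
    for e in entries:
        if "keyscript=decrypt_keyctl" in e["options"]:
            if e["key"] not in cached:    # first use of an identifier prompts
                cached.add(e["key"])
                prompted.append(e["name"])
        elif e["key"] in ("none", "-"):   # no key file: interactive prompt
            prompted.append(e["name"])
        # any other key field is a key file path: opened without a prompt
    return prompted
```

If the swap volume is opened from the initramfs (as the resume device), a key file stored on the still-locked root filesystem cannot be read at that stage, which is one reason a key file can pass cryptsetup --test-passphrase yet not unlock the volume at boot.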