Full disk encryption with one password

asked 2017-03-03 20:54:42 -0600

Michael_G gravatar image

updated 2017-03-04 12:12:34 -0600

I am attempting to set up proper full disk encryption (including /boot partition). While I was successful, it is really annoying to have to type my passphrase twice (once for /boot, and again when grub tries to load my OS from /).

Following this article on Arch based distros, one can simply create a keyfile for the encrypted root partition, copy it to /cryptokeyfile.bin and add the relevant entry to the FILES part in mkinitcpio.conf (which adds the cryptokeyfile.bin file to the initial ramdisk, resulting in grub auto-unlocking the root file system).

My issue lies here: Fedora does not use mkinitcpio. Can anyone tell me how to accomplish the same on fedora?

edit retag flag offensive close merge delete

Comments

How are you doing it? I have my partitions encripted with luks, it only ask for password once when booting

aeperezt gravatar imageaeperezt ( 2017-03-03 21:03:11 -0600 )edit

@aeperezt, you are probably using the "standard LVM2 on LUKS setup" with /, /home, and maybe /swap encrypted but not /boot.

florian gravatar imageflorian ( 2017-03-04 00:29:29 -0600 )edit

@Michael_G : If Fedora is not using mkinitcpio, how are you accomplishing this step?

I don't see any advantage (cost-benefit) in encrypting /boot. Are hashed passwords even save?

florian gravatar imageflorian ( 2017-03-04 00:45:06 -0600 )edit

I installed Fedora the same way most people do (DVD) and selected the encrypt disk option and yes, by default that does NOT encrypt /boot. After I installed I manually formatted /boot, encrypted it, added GRUB_ENABLE_CRYPTODISK=y to my grub config and reinstalled grub. This results in grub asking me to decrypt /boot at startup, me being able to choose which kernel I wanna start with and then grub asking me again for a password for the root partition. Sorry if this is unclear, if anyone wants I can write a step-by-step guide on how to achieve this and put it on a pastebin?

Michael_G gravatar imageMichael_G ( 2017-03-04 12:06:04 -0600 )edit

@florian I am not an expert on encryption, but the reason I want to set this up is to have protection against someone modifying my initial ramdisk to load a custom kernel or otherwise malicious code (more info here ). And honestly, there is not really any downside to doing this (once properly set up) as far as I am aware. The only issue seems to be that on fedora, I cannot figure out how to store the keyfile for my root file system in the initial ramdisk file, resulting in me having to type two passwords on startup.

Michael_G gravatar imageMichael_G ( 2017-03-04 12:08:48 -0600 )edit