#1 2020-10-07 12:30:05

Arciere
Member
From: Torino, Italy
Registered: 2020-10-07
Posts: 59

Which disk encryption method to choose

Hello everybody,

I have read this guide several times, but I still have doubts. So I am asking you directly, in the hope that someone can advise me on which encryption method, among those listed on the aforementioned Wiki page, best suits my particular case.
What I would like to do is divide my 1 TB SSD into two distinct parts, then install Arch in the first portion of the disk which must be absolutely and completely encrypted. Subsequently, my intention would be to create as few partitions inside as possible: no SWAP, no /home separated from root, just one effectively encrypted partition.
Finally, in the future, I would like to install Windows on the remaining part of the disk, which must not be encrypted.
I am unable to say which of the various methods suggested by the guide is the best for me, as this is my first time installing Arch.
I just know that I would like to create as few partitions as possible and, if possible (forgive me if this is stupid or unreasonable), also encrypt the boot partition, to avoid having to make it able to open a LUKS partition.

I thank in advance anyone who wants to help me.


The GRUB problems I am referring to are that, installing other Linux distros (for example Void), I had to modify the fstab file with UUID codes to allow GRUB to access an encrypted partition, and this procedure cost me a lot of time (I like to reinstall my PC OS many times). So if I could avoid having to do this it would be better.

Last edited by Arciere (2020-10-07 16:49:13)


Arciere

Offline

#2 2020-10-07 13:00:02

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,910

Re: Which disk encryption method to choose

Finally, in the future, I would like to install Windows on the remaining part of the disk,

Make sure you do have an unencrypted EFI System Partition or give Windows its own SSD/HDD.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#3 2020-10-07 13:26:51

Arciere
Member
From: Torino, Italy
Registered: 2020-10-07
Posts: 59

Re: Which disk encryption method to choose

Lone_Wolf wrote:

Finally, in the future, I would like to install Windows on the remaining part of the disk,

Make sure you do have an unencrypted EFI System Partition or give Windows its own SSD/HDD.

Thank you for your suggestion!

So I exclude the possibility of encrypting the EFI partition as well.
Among the methods listed in the guide, the ones that I would consider excluded are:

  • LUKS on LVM because it involves too many volumes,

  • LUKS on software RAID because I don't have a RAID system,

  • Plain dm-crypt because I understand that I should keep boot and key file storage in a USB stick,

  • Encrypted boot partition (GRUB) because it would give me the bother of having to configure the fstab file with the UUIDs and having to avoid entering the password twice,

  • Btrfs subvolumes with swap since I don't have any kind of experience with configuring subvolumes.

Therefore, there would remain:

  • LUKS on a partition,

  • LVM on LUKS.

Am I wrong to exclude any of those above? If not, which of the two remaining would be more suitable for what I would like to do?


Arciere

Offline

#4 2020-10-07 13:59:20

progandy
Member
Registered: 2012-05-17
Posts: 5,190

Re: Which disk encryption method to choose

Do you have experience with LVM? If not, then learning Btrfs isn't any harder I think.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#5 2020-10-07 16:44:29

Arciere
Member
From: Torino, Italy
Registered: 2020-10-07
Posts: 59

Re: Which disk encryption method to choose

progandy wrote:

Do you have experience with LVM? If not, then learning Btrfs isn't any harder I think.

My experience with LVM is limited to GUI installations of various distros plus the CLI installation of only one other distro, therefore it is really poor. But I see that almost all Linux distros adopt LVM, so I'm determined to learn how to use it.

Last edited by Arciere (2020-10-07 16:47:06)


Arciere

Offline

#6 2020-10-07 19:07:08

icar
Member
From: Catalunya
Registered: 2020-07-31
Posts: 449

Re: Which disk encryption method to choose

If I were you I'd make it simple. 3 partitions: ESP, root (LUKS), windows. So, create a luks encryption on the root partition.

Offline

#7 2020-10-07 19:57:25

Arciere
Member
From: Torino, Italy
Registered: 2020-10-07
Posts: 59

Re: Which disk encryption method to choose

icar wrote:

If I were you I'd make it simple. 3 partitions: ESP, root (LUKS), windows. So, create a luks encryption on the root partition.

Thank you, that is what I've done. I'll keep you updated!


Arciere

Offline

#8 2020-10-08 08:46:26

Arciere
Member
From: Torino, Italy
Registered: 2020-10-07
Posts: 59

Re: Which disk encryption method to choose

Then, the system does not boot...
I believe, because I've followed the Wiki to the letter, that the problem is how I set up the /etc/default/grub file.
These are the only changes I've made to it:

GRUB_CMDLINE_LINUX_DEFAULT=“loglevel=3 quiet splash rd.luks.name=mysda2UUID=cryptroot root=/dev/mapper/cryptroot”
GRUB_ENABLE_CRYPTODISK=y #Uncommented

Instead this is the only change I've made to the /etc/mkinitcpio.conf file:

HOOKS=(base systemd autodetect keyboard modconf block sd-encrypt filesystems fsck)

The encryption I performed is this.
The installation I followed is the step-by-step one from the Wiki.
What could be the problem? After the reboot, GRUB does not appear either.

Last edited by Arciere (2020-10-08 08:48:41)


Arciere

Offline

#9 2020-10-08 08:58:49

progandy
Member
Registered: 2012-05-17
Posts: 5,190

Re: Which disk encryption method to choose

If grub does not appear, do you have it installed correctly, e.g. the "grub-install" step?

https://wiki.archlinux.org/index.php/GRUB#UEFI_systems


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#10 2020-10-08 09:00:15

kermit63
Member
Registered: 2018-07-04
Posts: 173

Re: Which disk encryption method to choose

Which luksFormat type did you use? luks1 or luks2?

If you did not specify, cryptsetup defaults to luks2, which is still not fully supported by GRUB. That's a major reason why people usually go for a separate /boot partition. The /boot partition is either unencrypted or uses luks1 encryption, while the rest of the system is on luks2.

Offline

#11 2020-10-08 09:01:08

progandy
Member
Registered: 2012-05-17
Posts: 5,190

Re: Which disk encryption method to choose

kermit63 wrote:

Which luksFormat type did you use? luks1 or luks2?

If you did not specify, cryptsetup defaults to luks2, which is still not fully supported by GRUB. That's a major reason why people usually go for a separate /boot partition. The /boot partition is either unencrypted or uses luks1 encryption, while the rest of the system is on luks2.

Or in case of UEFI, just use the EFI partition as the boot partition.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#12 2020-10-08 09:21:02

Arciere
Member
From: Torino, Italy
Registered: 2020-10-07
Posts: 59

Re: Which disk encryption method to choose

progandy wrote:

If grub does not appear, do you have it installed correctly, e.g. the "grub-install" step?

https://wiki.archlinux.org/index.php/GRUB#UEFI_systems

kermit63 wrote:

Which luksFormat type did you use? luks1 or luks2?

If you did not specify, cryptsetup defaults to luks2, which is still not fully supported by GRUB. That's a major reason why people usually go for a separate /boot partition. The /boot partition is either unencrypted or uses luks1 encryption, while the rest of the system is on luks2.

progandy wrote:

Or in case of UEFI, just use the EFI partition as the boot partition.

Thanks for your advice!
I copy and paste all the steps I have done:

setfont latarcyrheb-sun32

fdisk -l
dd if=/dev/urandom of=/dev/nvme0n1 bs=4096 status=progress

rfkill
systemctl start iwd.service
systemctl enable iwd.service
iwctl
device list
iwctl --passphrase “passphrase” station wlan0 connect “My SSID”
ping archlinux.org

timedatectl set-ntp true

fdisk /dev/nvme0n1
g
n
Enter #”Partition number (1-128, default 1)”
Enter #”First sector (2048-x, default 2048)”
+1G
t
1
n
Enter #”Partition number (2-128, default 2)”
Enter #”First sector (2099200-x, default 2099200)"
+300G
w

cryptsetup -y -v luksFormat --type luks1 /dev/nvme0n1p2
YES
passphrase
passphrase
cryptsetup open /dev/nvme0n1p2 cryptroot
passphrase

mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt
mkfs.fat -F32 /dev/nvme0n1p1
mkdir /mnt/efi
mount /dev/nvme0n1p1 /mnt/efi

pacstrap /mnt base linux linux-firmware linux-lts netctl nano man-db man-pages texinfo
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
ln -sf /usr/share/zoneinfo/Europe/Rome /etc/localtime
hwclock --systohc
nano /etc/locale.gen
     en_GB.UTF-8 UTF-8
     it_IT.UTF-8 UTF-8
locale-gen
nano /etc/locale.conf
     LANG=en_GB.UTF-8
nano /etc/hostname
     MyHostname
nano /etc/hosts
     127.0.0.1	localhost
     ::1	localhost
     127.0.1.1	MyHostname.localdomain	MyHostname
nano /etc/mkinitcpio.conf
     HOOKS=(base systemd autodetect keyboard modconf block sd-encrypt filesystems fsck)
mkinitcpio -P

passwd
passphrase
passphrase

pacman -S grub efibootmgr
blkid /dev/nvme0n1p2
nano /etc/default/grub
     GRUB_CMDLINE_LINUX_DEFAULT=“loglevel=3 quiet splash rd.luks.name=nvme0n1p2UUID=cryptroot root=/dev/mapper/cryptroot”
     GRUB_ENABLE_CRYPTODISK=y
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
pacman -S amd-ucode
grub-mkconfig -o /boot/grub/grub.cfg

exit
umount -R /mnt
reboot

These are all the steps I took, not one more, not one less.

Last edited by Arciere (2020-10-08 09:46:14)


Arciere

Offline
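
A lint for the two settings edited in the post above, as an added example that is not part of the thread: it checks that the GRUB_CMDLINE_LINUX_DEFAULT line and the HOOKS line fit the rd.luks.name=<UUID>=<name> form that the sd-encrypt hook reads. The function name lint_luks_boot and the finding labels are assumptions made for this example; nvme0n1p2UUID is the post's stand-in for the real UUID, so the lint reports it as not being a UUID.

```shell
#!/bin/sh
# Added example, not from the thread. lint_luks_boot prints one finding per
# line; no output means both lines fit what the sd-encrypt hook expects.
lint_luks_boot() {
    grub_line=$1 hooks_line=$2
    # grub-mkconfig sources /etc/default/grub as shell: only ASCII quotes
    # delimit a value, typographic ones leave it split at the first space.
    case $grub_line in
        *“*|*”*) echo "smart-quotes" ;;
    esac
    # Drop the variable name and every kind of quote, keep the parameters.
    cmdline=$(printf '%s\n' "$grub_line" |
        sed -e 's/^[A-Z_]*=//' -e 's/“//g' -e 's/”//g' -e 's/"//g')
    hooks=$(printf '%s\n' "$hooks_line" | sed -e 's/^HOOKS=(//' -e 's/)$//')
    luks_arg='' root_arg='' legacy=''
    for tok in $cmdline; do
        case $tok in
            rd.luks.name=*) luks_arg=${tok#rd.luks.name=} ;;
            root=*)         root_arg=${tok#root=} ;;
            cryptdevice=*)  legacy=1 ;;   # syntax of the non-systemd encrypt hook
        esac
    done

    case " $hooks " in
        *" sd-encrypt "*)
            case " $hooks " in
                *" systemd "*) ;;
                *) echo "sd-encrypt-needs-systemd-hook" ;;
            esac
            [ -n "$luks_arg" ] || echo "missing-rd.luks.name"
            [ -z "$legacy" ] || echo "cryptdevice-is-for-encrypt-hook"
            ;;
    esac

    if [ -n "$luks_arg" ]; then
        uuid=${luks_arg%%=*}   # expected: the LUKS UUID reported by blkid
        name=${luks_arg#*=}    # expected: the mapper name
        printf '%s\n' "$uuid" | grep -Eq \
            '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || echo "bad-uuid"
        case $root_arg in
            /dev/mapper/"$name"|'') ;;
            /dev/mapper/*) echo "root-does-not-match-mapper-name" ;;
        esac
    fi
    return 0
}
# Constructed input: the line as posted in the thread (placeholder UUID).
lint_luks_boot 'GRUB_CMDLINE_LINUX_DEFAULT=“loglevel=3 quiet splash rd.luks.name=nvme0n1p2UUID=cryptroot root=/dev/mapper/cryptroot”' \
    'HOOKS=(base systemd autodetect keyboard modconf block sd-encrypt filesystems fsck)'
```

On a real system, pass the two lines from /etc/default/grub and /etc/mkinitcpio.conf with the UUID that blkid prints for the LUKS partition.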