[SOLVED] FULL disk encryption on Slackware - avoid having to type password twice
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
That sounds indeed like an interesting project. But I only have rudimentary programming experience. How to tackle this is beyond me.
The mkinitcpio is basically a set of bash scripts.
And with all respect, I believe that someone using Slackware without speaking Bash is like moving in Germany without knowing the German language. What could go wrong?
I also don't know if something similar could be done with UEFI? Couldn't you install malicious software in the ESP partition as well?
An UEFI capable BIOS is rather powerful and understand things like a file system. It is capable of hosting both malware and bloatware in the BIOS itself, so I would not only worry about the disk contents.
This is not working out for me, for some reason. I created a config file according to the instructions in the link:
Quote:
If you have any luks encrypted filesystems you must create a dracut drop-in config for that. Create the file /etc/dracut.conf.d/encryption.conf with the following content:
Indeed crypto_keyfile.bin shows up in the image and manually decrypting the partition using that file also works, but it doesn't want to auto encrypt and always ends up in that rescue mode, trying to boot the system.
Am I missing something here?
The mkinitcpio is basically a set of bash scripts.
And with all respect, I believe that someone using Slackware without speaking Bash is like moving in Germany without knowing the German language. What could go wrong?
Yes. You're right. I have done a bit of scripting before, but for now I just want a working laptop as I replaced the drive and am directly installing it on hardware now.
I'll try getting mkinitcpio running in a virtual machine later. Mark my words. Indeed it could be a great learning experience.
Last edited by dosensuppe; 04-15-2023 at 12:15 PM.
With mkinitcpio you somehow don't have to use crypttab. I forgot why or I never knew in the first place??
So to make it a bit more coherent.
First edit crypttab to include the root to encrypt, then add kernel options like mentioned before, listing the root drives to be encrypted, create a seperate config file containing this line:
and finally generate the image.
Well, that should be it.
Which one is the superior initramfs gen tool is up to personal preference I guess. I guess Dracut might be a bit more true to the Unix philosophy, being very modular.
If someone knows how mkinicpio manages to do without crypttab, please let me know.
Last edited by dosensuppe; 04-15-2023 at 01:06 PM.
It's all in the scripts. Open up the init file within those images - it's "just some shell script using some variables to run some commands based on your input". In case of an initrd or initramfs it's a shell script that reads files in the root of the image (/) like 'luksdev' and others.
Aha - well, a few questions - apologies if you've checked all of these before:
- Is your swap active? (the 'free' command should yield a line that starts with 'Swap:' - or use 'swapon -s')
- The partition you point to with resume=xxx should be the one that holds your swap - is it the right one?. (i.e. is your swap in lvm? then it needs to point to /dev/myvg/myswap where myvg and myswap being volume group name and swap partition name; if no lvm, it should be something like /dev/sda2 or /dev/nvme0p2 or whatever)
- You can extract the initrd file (zcat initrd | cpio -idmv) (best done in some tempdir) and look at whether or not it knows where to mount which swap partition or drive. (i.e. aside from mkinitrd and whatever else generates an initrd or initramfs image; look at what is actually generated as opposed to 'what the config files say will be generated')
Aha - well, a few questions - apologies if you've checked all of these before:
- Is your swap active? (the 'free' command should yield a line that starts with 'Swap:' - or use 'swapon -s')
- The partition you point to with resume=xxx should be the one that holds your swap - is it the right one?. (i.e. is your swap in lvm? then it needs to point to /dev/myvg/myswap where myvg and myswap being volume group name and swap partition name; if no lvm, it should be something like /dev/sda2 or /dev/nvme0p2 or whatever)
- You can extract the initrd file (zcat initrd | cpio -idmv) (best done in some tempdir) and look at whether or not it knows where to mount which swap partition or drive. (i.e. aside from mkinitrd and whatever else generates an initrd or initramfs image; look at what is actually generated as opposed to 'what the config files say will be generated')
Well, I'm using btrfs, so lvm would be a bit too many layers of abstraction. So I have an encrypted SWAP.
But you mentioning lvm volumes led me on the right track. The resume= paramater has to point to the decrypted partition, not the block device. I made this issue before during my Artix install. Good thing I always take thorough notes.
As the documentation for Dracut is a bit lacking, I'll upload the configs tomorrow. Maybe someone can profit from it and not waste as much time fooling around as me.
cmdline.conf (kernel options - propably some reduntant options that don't need to be specified, but for some reason the luks.uuid definetely NEEDS to be set for the INITRAMFS to find the drive. Why, with grub already having those set, it still needs to be specified, is beyond me.)
kernel_cmdline="
rd.luks.uuid=xxxxx(Blockdevice von ROOT)
rd.luks.uuid=xxxxx(Blockdevice von SWAP)
resume=UUID=xxxxx(Mapper device von entschlüssltem SWAP)
root=UUID=xxxxxx(Mapper device von entschlüssltem ROOT)
rd.luks.allow-discards
rootfstype=btrfs "
Sure, some things are propably redundant. But I'll leave it at that.
Don't know why I had to define the kernel options twice.
Without specifying the block UUIDs of both to be encrypted disks in cmdline.conf it just wouldn't boot.
Usually the grub kernel options should suffice.
Just one question: I have read that dracut automatically includes the microcode inside the initramfs. Will it suffice if I just install the intel microcode slackbuild and dracut will do the rest?
Last edited by dosensuppe; 04-16-2023 at 02:14 AM.
if you're using an encrypted /boot, stop (proceeding with the header conversion) now - very recent versions of grub2 support LUKS2, but they don't support argon2id, and this will render your system unbootable.
Unfortunately having an unencrypted boot also poses a risk to tampering with our system. One has to wager what is more important to ones security.
Let's hope grub2 will support argon2 anytime soon. Fortunately LUKS headers can be easily converted as is the topic of the article. Thanks to Didier Spaier for mentioning that.
Last edited by dosensuppe; 04-20-2023 at 03:33 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
