[SOLVED] FULL disk encryption on Slackware - avoid having to type password twice
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Unfortunately having an unencrypted boot also poses a risk to tampering with our system. One has to wager what is more important to ones security.
Let's hope grub2 will support argon2 anytime soon. Fortunately LUKS headers can be easily converted as is the topic of the article. Thanks to Didier Spaier for mentioning that.
Actually the issue arise only if you switch from argon2i to argon2id (this is what means the header conversion). In any case for such a transition I would first decrypt the drive
then re-encrypt it with another algorithm (and in Slint there is no separate /boot partition anyway).
So this is only an issue upon conversion, but not from creating an encrypted volume from scratch?
My understanding is that that whatever you do GRUB is not yet able to support argon2id according to Matthew.
Quote:
Right now I'm using LUKS1
This is also what is used by the Slint installer if encryption is requested. I have considered switching to Argon2 for the incoming new version of the installer, but the drawback is that could require a lot of RAM depending on the settings, beyond the current requirement to install Slint which is at least 2G, if I understand the part 4 Parameter Choice of the RFC 9106.
My understanding is that that whatever you do GRUB is not yet able to support argon2id according to Matthew.This is also what is used by the Slint installer if encryption is requested. I have considered switching to Argon2 for the incoming new version of the installer, but the drawback is that could require a lot of RAM depending on the settings, beyond the current requirement to install Slint which is at least 2G, if I understand the part 4 Parameter Choice of the RFC 9106.
Is there somewhere I could get closer information on this?
I'd really prefer FDE and have already set up my machines this way but would still like to have the newer much more secure standards.
Is there somewhere I could get closer information on this?
I'd really prefer FDE and have already set up my machines this way but would still like to have the newer much more secure standards.
Sorry to resurrect a year old thread, but I went down this same road last week and this post was extremely helpful. I have full disk encryption on my laptop as was getting tired of having to type my password three times (power on, unlock root, unlock swap). After playing around in a VM I first realized I could set my swap up in a different way so that I would not need a password. I then weighed my options for a one password option for power on and root, first I thought about using the TPM, but abandoned that almost immediately. I then decided to use a key embedded in the initramfs. This could be accomplished using dracut, but I found a guide that allowed me to do it in stock slackware without any third party packages. All that is really needed is a small tweak to the initrd init.
This guide assumes you are going to setup your drive in a LVM configuration. If you want to do that you can follow the guide almost exactly, but you don't have to. I tested it in a VM and you can setup your drive in a normal configuration and it will still work, you'll just have to make a few modifications.
I tried dracut and found it pretty interesting, but I admittedly didn't get very far with it. I am thinking about RTFM and playing around with it in a VM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
