welcome to the world of…

Looks like a small bulb used to indicate something unusual, like a malfunction.

Linux full disk encryption

Filed under: Uncategorized — Tags: , , , , , — admin @ 2014-11-22 08:44

Set up reasonably secure encryption without sacrificing too much computing power. I had previously configured only a single encrypted partition but the PAM unlocking caused many troubles. Advantage of the full disk encryption is that you have secured everything including swap partition. 

This process expects the instalation being executed from a live CD or USB dongle. First step is to set up partitions. Boot partition must not be encrypted.

Prepare partitions

TODO: partitions alignment, EFI

/dev/sda1 500MB ext4 boot
/dev/sda2 cleared

Format partitions

For best speeds choose cipher by running “cryptsetup benchmark”.

mkfs.ext4 /dev/sda1
cryptsetup luksFormat -c aes-xts-plain64 -s 256 -h sha256 /dev/sda2
cryptsetup luksOpen /dev/sda2 cdisk0
pvcreate /dev/mapper/cdisk0
vgcreate MyStorage /dev/mapper/cdisk0
lvcreate -L 32G MyStorage -n swapvol     # 2x RAM size
lvcreate -l 100%FREE MyStorage -n rootvol
mkswap /dev/mapper/MyStorage-swapvol
mkfs.ext4 /dev/mapper/MyStorage-rootvol

Install, *do not reboot*

Manually assign partitions in the installation program.

Install, do not reboot. Then:

mount /dev/mapper/MyStorage-rootvol /mnt
cp /etc/resolv.conf /mnt/etc
mount /dev /mnt/dev -o bind
chroot /mnt
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount /dev/sda1 /boot

apt-get install cryptsetup lvm2 vim mc

Edit /etc/crypttab. Add following line:

cdisk0 /dev/sda2 none luks


update-initramfs -u -k all




issue_discards = 1


cdisk0 /dev/sda2 none luks,discard

Do not add discard option to /etc/fstab. It will slow down writes. Better practice is to run weekly fstrim via cron.

No Comments

No comments yet.

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.