Set up reasonably secure full-disk encryption without sacrificing too much computing power. I had previously configured only a single encrypted partition, but the PAM unlocking caused many troubles. The advantage of full-disk encryption is that everything is protected, including the swap partition, which would otherwise hold pages of memory in plaintext.
This process expects the installation to be run from a live CD or USB stick. The first step is to set up the partitions. The boot partition must not be encrypted, because the bootloader has to read the kernel and initramfs before the LUKS volume can be unlocked; it is therefore the one part of the disk that is not protected against tampering.
Prepare partitions
TODO: partitions alignment, EFI
/dev/sda1 500MB ext4 boot
/dev/sda2 rest of the disk, left empty (becomes the LUKS container)
Format partitions
To pick the fastest cipher for your CPU, run “cryptsetup benchmark” first. Note that XTS mode splits the key in two, so -s 256 gives AES-128 and -s 512 gives AES-256.
mkfs.ext4 /dev/sda1
cryptsetup luksFormat -c aes-xts-plain64 -s 256 -h sha256 /dev/sda2   # -s 256 is AES-128 under XTS; use -s 512 for AES-256
cryptsetup luksOpen /dev/sda2 cdisk0
pvcreate /dev/mapper/cdisk0
vgcreate MyStorage /dev/mapper/cdisk0
lvcreate -L 32G MyStorage -n swapvol   # 2x RAM size
lvcreate -l 100%FREE MyStorage -n rootvol
mkswap /dev/mapper/MyStorage-swapvol
mkfs.ext4 /dev/mapper/MyStorage-rootvol
Install, *do not reboot*
In the installer, assign the partitions manually: /dev/sda1 as /boot, MyStorage-rootvol as / and MyStorage-swapvol as swap.
Run the installation, but do not reboot when it finishes. Then, still from the live system:
mount /dev/mapper/MyStorage-rootvol /mnt
cp /etc/resolv.conf /mnt/etc            # so apt-get can resolve names inside the chroot
mount /dev /mnt/dev -o bind
chroot /mnt
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount /dev/sda1 /boot                   # the initramfs is written here
apt-get install cryptsetup lvm2 vim mc
Edit /etc/crypttab and add the following line (the mapping name must match the one used with luksOpen):
cdisk0 /dev/sda2 none luks
Run:
update-initramfs -u -k all
Exit the chroot and reboot. The initramfs now prompts for the LUKS passphrase and activates the LVM volumes before mounting the root filesystem.
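The same sequence, wrapped as a script with a dry-run mode and a refusal to touch a mounted or non-block device. This is an added example, not the original post's code; the DRY_RUN and KEY_BITS variables, the function names, the script name provision.sh and the default of 512 key bits (AES-256 under XTS, whereas the -s 256 above is AES-128) are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: the LUKS + LVM provisioning above as
# a parameterised script with guard rails. Assumptions (mine, not the post's):
# DRY_RUN=1 prints the commands instead of running them, KEY_BITS defaults to 512
# because aes-xts-plain64 splits the key in two (the post's -s 256 is AES-128),
# and a target is refused if it is not a block device or appears in the mount table.
set -u

DRY_RUN="${DRY_RUN:-0}"
KEY_BITS="${KEY_BITS:-512}"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Is device $1 listed as a mounted source in the mount table $2 (default /proc/mounts)?
device_is_mounted() {
    dev="$1"; mounts="${2:-/proc/mounts}"
    awk -v d="$dev" '$1 == d { found = 1 } END { exit found ? 0 : 1 }' "$mounts"
}

# Refuse to format anything that is not a block device or is currently mounted.
target_is_safe() {
    dev="$1"
    if [ ! -b "$dev" ]; then
        echo "$dev is not a block device" >&2
        return 1
    fi
    if device_is_mounted "$dev"; then
        echo "$dev is mounted; refusing to format it" >&2
        return 1
    fi
    return 0
}

# Format $1 as LUKS, open it under mapping name $2, create volume group $3 with a
# swap LV of size $4 and a root LV filling the rest (same sequence as the post).
provision() {
    dev="$1"; mapname="$2"; vg="$3"; swapsize="$4"
    run cryptsetup luksFormat -c aes-xts-plain64 -s "$KEY_BITS" -h sha256 "$dev"
    run cryptsetup luksOpen "$dev" "$mapname"
    run pvcreate "/dev/mapper/$mapname"
    run vgcreate "$vg" "/dev/mapper/$mapname"
    run lvcreate -L "$swapsize" "$vg" -n swapvol
    run lvcreate -l 100%FREE "$vg" -n rootvol
    run mkswap "/dev/mapper/$vg-swapvol"
    run mkfs.ext4 "/dev/mapper/$vg-rootvol"
}

# Usage: DRY_RUN=1 ./provision.sh /dev/sda2 cdisk0 MyStorage 32G   (preview)
#        ./provision.sh /dev/sda2 cdisk0 MyStorage 32G              (for real)
if [ $# -eq 4 ]; then
    if [ "$DRY_RUN" = 1 ] || target_is_safe "$1"; then
        provision "$@"
    else
        exit 1
    fi
fi
```

Preview the exact commands with DRY_RUN=1 first; without DRY_RUN the script runs them from the live system, before the installer is started, and luksFormat still asks for its usual uppercase YES confirmation.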
SSD, TRIM
/etc/lvm/lvm.conf (inside the devices section):
issue_discards = 1
/etc/crypttab:
cdisk0 /dev/sda2 none luks,discard
Do not add the discard option to /etc/fstab: online discard slows down writes. The better practice is a weekly fstrim run from cron. Be aware that passing discards through the encrypted volume reveals which blocks are unused, so the ciphertext no longer looks uniformly random; that is the trade-off made here for SSD performance and lifetime.
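An added example (not from the original post) that audits the three settings above and runs the weekly trim. Every check takes the file to inspect as an argument, defaulting to the real system file, so it can be pointed at a chroot or at constructed test files; the mapping name cdisk0 follows the post, while the script name trim-check.sh and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the TRIM configuration
# described above (crypttab discard, lvm.conf issue_discards, no discard in fstab)
# and run the weekly fstrim. File paths default to the real system files but can
# be overridden; the mapping name "cdisk0" follows the post.
# Run as "trim-check.sh check" or "trim-check.sh trim".
set -u

# Does the crypttab entry for mapping $1 carry "discard" in its option list?
crypttab_has_discard() {
    name="$1"; file="${2:-/etc/crypttab}"
    awk -v n="$name" '
        /^[[:space:]]*#/ || NF < 4 { next }       # skip comments and short lines
        $1 == n {
            split($4, opts, ",")
            for (i in opts) if (opts[i] == "discard") found = 1
        }
        END { exit found ? 0 : 1 }' "$file"
}

# Is issue_discards = 1 set (uncommented) in lvm.conf?
lvm_issue_discards_enabled() {
    file="${1:-/etc/lvm/lvm.conf}"
    grep -Eq '^[[:space:]]*issue_discards[[:space:]]*=[[:space:]]*1' "$file"
}

# Does fstab avoid the online "discard" mount option on every active entry?
fstab_free_of_discard() {
    file="${1:-/etc/fstab}"
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        { split($4, opts, ","); for (i in opts) if (opts[i] == "discard") exit 1 }' "$file"
}

# Run all three checks for mapping $1, report each, and return the number of
# failures (0 means the configuration matches the post).
check_trim_config() {
    name="$1"; crypttab="${2:-/etc/crypttab}"
    lvmconf="${3:-/etc/lvm/lvm.conf}"; fstab="${4:-/etc/fstab}"
    failures=0
    if crypttab_has_discard "$name" "$crypttab"; then
        echo "ok   crypttab: $name has discard"
    else
        echo "FAIL crypttab: $name lacks discard (TRIM never reaches the SSD)"
        failures=$((failures + 1))
    fi
    if lvm_issue_discards_enabled "$lvmconf"; then
        echo "ok   lvm.conf: issue_discards = 1"
    else
        echo "FAIL lvm.conf: issue_discards is not 1 (lvremove/lvreduce will not trim)"
        failures=$((failures + 1))
    fi
    if fstab_free_of_discard "$fstab"; then
        echo "ok   fstab: no online discard"
    else
        echo "FAIL fstab: an entry uses discard (slows writes; use weekly fstrim)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

case "${1:-}" in
    check) check_trim_config "${2:-cdisk0}" ;;
    trim)  fstrim -av ;;   # what the weekly cron job should run
esac
```

Run trim-check.sh check after the reboot; the weekly cron job then calls trim-check.sh trim (or fstrim -av directly). Recent util-linux packages also ship an fstrim.timer systemd unit that does the same job, so check that you are not trimming twice.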