I was lucky enough to be bitten by this issue ( https://bugzilla.redhat.com/show_bug.cgi?id=1212907 ) when attempting to do a clean install of F22. I copied all of my data off and then tried manually setting things up as separate partitions (instead of in an LVM) but it kept telling me that /boot couldn't be on a LUKS partition. The config I had was /home was encrypted and / was encrypted but then the biosboot partition was not encrypted, and all 3 were standard partitions. Is this something that's just not supported? Or was I doing something wrong? Thanks, Dave
Linux for many years has supported encrypting most partitions on your system, with the exception of /boot. /boot contains the basic/initial BOOT configuration of your system... that means, by definition, it must be discernible---and thus cannot be encrypted. Without an un-encrypted /boot partition, there isn't sufficient intelligence for the physical computer to get booted up.
From: Dave Johansen davejohansen@gmail.com
To: Community support for Fedora users users@lists.fedoraproject.org
Sent: Friday, July 31, 2015 11:28 AM
Subject: /boot and encrypted partitions?
I was lucky enough to be bitten by this issue ( https://bugzilla.redhat.com/show_bug.cgi?id=1212907 ) when attempting to do a clean install of F22. I copied all of my data off and then tried manually setting things up as separate partitions (instead of in an LVM) but it kept telling me that /boot couldn't be on a LUKS partition. The config I had was /home was encrypted and / was encrypted but then the biosboot partition was not encrypted, and all 3 were standard partitions. Is this something that's just not supported? Or was I doing something wrong? Thanks, Dave
On 07/31/2015 08:28 AM, Dave Johansen wrote:
I was lucky enough to be bitten by this issue ( https://bugzilla.redhat.com/show_bug.cgi?id=1212907 ) when attempting to do a clean install of F22.
That bug looks like it's triggered only when the LVs are encrypted, which is non-standard and not at all optimal. The default and optimal configuration is to encrypt the disk partition, and to use that LUKS container as a PV.
I copied all of my data off and then tried manually setting things up as separate partitions (instead of in an LVM) but it kept telling me that /boot couldn't be on a LUKS partition.
That's correct, it cannot. UEFI and BIOS both need an un-encrypted /boot to read the kernel and initrd. If those are in an encrypted container, the boot loader is incapable of reading the kernel and initrd into memory.
The config I had was /home was encrypted and / was encrypted but then the biosboot partition was not encrypted, and all 3 were standard partitions. Is this something that's just not supported? Or was I doing something wrong?
It sounds like you have a UEFI system, and your /boot/EFI was not encrypted, but /boot was on the / filesystem which *was* encrypted. That would be an unsupported configuration. /boot and /boot/EFI must both be on non-encrypted filesystems.
The default layout for UEFI systems is one partition (with fat16) for /boot/EFI, a second partition (with ext4) for /boot, and a third partition (optionally encrypted) as a PV. / and swap, and any other filesystems, are LVs within that VG. They are encrypted because they are inside the encrypted third partition. They don't need to be encrypted again.
On Fri, Jul 31, 2015 at 11:18 AM, Gordon Messmer gordon.messmer@gmail.com wrote:
On 07/31/2015 08:28 AM, Dave Johansen wrote:
I was lucky enough to be bitten by this issue ( https://bugzilla.redhat.com/show_bug.cgi?id=1212907 ) when attempting to do a clean install of F22.
That bug looks like it's triggered only when the LVs are encrypted, which is non-standard and not at all optimal. The default and optimal configuration is to encrypt the disk partition, and to use that LUKS container as a PV.
I copied all of my data off and then tried manually setting things up as separate partitions (instead of in an LVM) but it kept telling me that /boot couldn't be on a LUKS partition.
That's correct, it cannot. UEFI and BIOS both need an un-encrypted /boot to read the kernel and initrd. If those are in an encrypted container, the boot loader is incapable of reading the kernel and initrd into memory.
/boot can be on an encrypted partition. I've been looking at this lately and decided to try to do it after seeing this thread today. Anaconda won't help you do it though, so you need to install initially with it unencrypted, but you can encrypt it post-install. Now I have an F22 box with a single disk with all partitions encrypted. Fedora seems perfectly happy with this. I still have a concern that there might be a case where an update needs to mount or remount /boot and won't be able to, but one could store the password for /boot in a file and point crypttab to it, I believe, to overcome that if it is necessary.
John
On 07/31/2015 12:02 PM, inode0 wrote:
/boot can be on an encrypted partition. I've been looking at this lately and decided to try to do it after seeing this thread today. Anaconda won't help you do it though, so you need to install initially with it unencrypted but you can encrypt it post-install. Now I have an F22 box with a single disk with all partitions encrypted.
Uh... have you rebooted yet? What does "lsblk" output?
On Fri, Jul 31, 2015 at 3:37 PM, Gordon Messmer gordon.messmer@gmail.com wrote:
On 07/31/2015 12:02 PM, inode0 wrote:
/boot can be on an encrypted partition. I've been looking at this lately and decided to try to do it after seeing this thread today. Anaconda won't help you do it though, so you need to install initially with it unencrypted but you can encrypt it post-install. Now I have an F22 box with a single disk with all partitions encrypted.
Uh... have you rebooted yet? What does "lsblk" output?
A skeptic!
[root@localhost ~]# lsblk
NAME                                          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0   16G  0 disk
├─sda1                                          8:1    0  500M  0 part
│ └─fedora-boot                               253:3    0  498M  0 crypt /boot
└─sda2                                          8:2    0 15.5G  0 part
  └─luks-e7300273-cada-4e28-9829-7302ec188c29 253:0    0 15.5G  0 crypt
    ├─fedora-swap                             253:1    0  1.6G  0 lvm   [SWAP]
    └─fedora-root                             253:2    0 13.9G  0 lvm   /
sr0                                            11:0    1  876M  0 rom
grub2 supports LUKS. You'll need to add GRUB_ENABLE_CRYPTODISK=y to /etc/sysconfig/grub, run grub2-mkconfig and grub2-install, and make any changes you desire to fstab and crypttab after encrypting /boot.
John
On Fri, Jul 31, 2015 at 4:21 PM, Gordon Messmer gordon.messmer@gmail.com wrote:
On 07/31/2015 02:00 PM, inode0 wrote:
grub2 supports LUKS. You'll need to add GRUB_ENABLE_CRYPTODISK=y to /etc/sysconfig/grub
Interesting. Thanks for the tip! :)
For anyone adventurous enough to try, I will mention that if something goes wrong and grub doesn't boot, you can still boot from other media in rescue mode and that will prompt for the encryption keys and mount everything so you can chroot in and go back to work fixing things. Spoken from experience earlier today.
And if you think about it this is obvious, but it will probably annoy some people. Since grub asks for your password to decrypt /boot and then passes control to a kernel extracted from there, you will get asked again for passwords by the kernel for whatever it needs access to - so depending on how you set up the keys you'll get asked for at least one additional password during boot.
John
Am 31.07.2015 um 23:21 schrieb Gordon Messmer:
On 07/31/2015 02:00 PM, inode0 wrote:
grub2 supports LUKS. You'll need to add GRUB_ENABLE_CRYPTODISK=y to /etc/sysconfig/grub
Interesting. Thanks for the tip! :)
The following link might be of interest to you: http://dustymabe.com/2015/07/06/encrypting-more-boot-joins-the-party/
DK
On Fri, Jul 31, 2015 at 9:28 AM, Dave Johansen davejohansen@gmail.com wrote:
I was lucky enough to be bitten by this issue ( https://bugzilla.redhat.com/show_bug.cgi?id=1212907 ) when attempting to do a clean install of F22. I copied all of my data off and then tried manually setting things up as separate partitions (instead of in an LVM) but it kept telling me that /boot couldn't be on a LUKS partition. The config I had was /home was encrypted and / was encrypted but then the biosboot partition was not encrypted, and all 3 were standard partitions. Is this something that's just not supported? Or was I doing something wrong?
Encrypted /boot isn't supported by Fedora's installer. GRUB 2 has supported this for a while, and it's also possible to set up a keyfile so all you have to do is give a password once to GRUB and then you don't get a plymouth passphrase entry UI. Encrypting the PV vs. encrypting the LV are both supported by the installer, but I guess there's some bug with the latter variety (I didn't completely follow the bug). The former is done by choosing encryption at the time you choose the drives to install to, and the latter is done in custom/manual partitioning by clicking on a mount point and then modifying the volume in the right-side UI; an option in there is to encrypt.
You might have better luck deleting the LV you don't want anymore, making a new mount point (and hence a new LV), and encrypting it - rather than reusing existing.
On Fri, Jul 31, 2015 at 8:16 PM, Chris Murphy lists@colorremedies.com wrote:
Encrypted /boot isn't supported by Fedora's installer. GRUB 2 has supported this for a while, and it's also possible to set up a keyfile so all you have to do is give a password once to GRUB and then you don't get a plymouth passphrase entry UI.
Where can you put the keyfile so the kernel can find it and how do you tell the kernel to look there for it? I doubt I'd want to do this but I'm curious what mechanism is available to do it if you can give me a hint.
John
I did this a couple of years ago and forget if I did it on Fedora or Mint or openSUSE.
This guide is for Arch, and contains a link at the top for Mint. So it should be fairly straightforward to adapt for Fedora.
http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
Chris Murphy
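The post-install procedure John gave earlier (encrypt /boot, set GRUB_ENABLE_CRYPTODISK=y, re-run grub2-mkconfig and grub2-install, adjust fstab/crypttab) and the keyfile question above both leave a box whose boot path is easy to get subtly wrong, so here is an added example, written for this thread and not code from any poster or from Fedora, that checks the result. It takes its inputs as strings so it runs offline: on a real machine you would feed it `lsblk -r -o NAME,TYPE,MOUNTPOINT`, /etc/default/grub (which /etc/sysconfig/grub points at on Fedora) and /etc/crypttab. The sample lsblk text is modelled on John's tree; the boot UUID and the keyfile path in the sample crypttab are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Fedora): offline sanity checks for
# an encrypted /boot set up the way John describes, plus a report of whether
# each crypttab mapping will prompt for a passphrase or read a keyfile.

# Constructed `lsblk -r -o NAME,TYPE,MOUNTPOINT` output, modelled on John's tree.
LSBLK_SAMPLE='sda disk
sda1 part
fedora-boot crypt /boot
sda2 part
luks-e7300273-cada-4e28-9829-7302ec188c29 crypt
fedora-swap lvm [SWAP]
fedora-root lvm /
sr0 rom'

# Constructed /etc/default/grub fragment containing the setting John mentions.
GRUB_SAMPLE='GRUB_TIMEOUT=5
GRUB_DISABLE_RECOVERY="true"
GRUB_ENABLE_CRYPTODISK=y'

# Constructed /etc/crypttab: /boot is opened by passphrase prompt (third field
# "none"); the root PV by a keyfile. The boot UUID and keyfile path are placeholders.
CRYPTTAB_SAMPLE='# name  device  keyfile  options
fedora-boot UUID=PLACEHOLDER-BOOT-UUID none
luks-e7300273-cada-4e28-9829-7302ec188c29 UUID=e7300273-cada-4e28-9829-7302ec188c29 /etc/luks-keys/root.key luks'

# mount_device_type MOUNTPOINT LSBLK_TEXT: print the TYPE of the device holding
# MOUNTPOINT; exit 1 when nothing is mounted there.
mount_device_type() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $3 == mp { print $2; found = 1 }
        END { if (!found) exit 1 }'
}

# boot_is_encrypted LSBLK_TEXT: true only when /boot sits directly on a crypt device.
boot_is_encrypted() {
    [ "$(mount_device_type /boot "$1")" = "crypt" ]
}

# grub_cryptodisk_enabled GRUB_DEFAULTS: true when an uncommented
# GRUB_ENABLE_CRYPTODISK=y (optionally quoted) is present.
grub_cryptodisk_enabled() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=["'\'']?y["'\'']?[[:space:]]*$'
}

# crypttab_key_source NAME CRYPTTAB_TEXT: print "prompt" when the mapping has no
# keyfile (third field empty, "none" or "-") and "keyfile" otherwise; exit 1 if
# NAME is absent. Comment lines are skipped.
crypttab_key_source() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^#/ { next }
        $1 == name {
            src = ($3 == "" || $3 == "none" || $3 == "-") ? "prompt" : "keyfile"
            print src
            found = 1
        }
        END { if (!found) exit 1 }'
}

# Stand-alone report over the constructed samples.
if boot_is_encrypted "$LSBLK_SAMPLE"; then
    echo "/boot: on a LUKS mapping"
else
    echo "/boot: NOT encrypted"
fi
if grub_cryptodisk_enabled "$GRUB_SAMPLE"; then
    echo "grub: GRUB_ENABLE_CRYPTODISK=y is set"
else
    echo "grub: cryptodisk support not enabled; grub will not be able to open /boot"
fi
for m in fedora-boot luks-e7300273-cada-4e28-9829-7302ec188c29; do
    echo "crypttab: $m -> $(crypttab_key_source "$m" "$CRYPTTAB_SAMPLE")"
done
```

The crypttab report is the part that answers John's question in practice: every mapping reported as "prompt" is one more passphrase request after the one grub already made for /boot, while a "keyfile" mapping is unlocked without interaction, which is exactly the trade-off Chris's keyfile suggestion makes.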
This might contain some hints about Fedora specific stuff, but I haven't read it. https://fedoraproject.org/wiki/Disk_Encryption_User_Guide