[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook
From: |
Giovanni Biscuolo |
Subject: |
[bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook |
Date: |
Wed, 21 Jul 2021 14:16:13 +0200 |
Hi Joshua
Joshua Branson <jbranso@dismail.de> writes:
[...]
>> Why using two BTRFS volumes on top of LVM and not directly using BTRFS
>> (with subvolumes if you want) on top of /dev/mapper/partname?
>
> This is probably a good idea...however does the grub payload support
> this?
Do you mean: does grub support booting from encrypted BTRFS? The answer
is yes.
WARNING: I've (still) not tried myself to boot Guix System using an
encrypted BTRFS (sub)volume but I'm pretty confident that Guix is
configuring grub with the needed modules (luks and btrfs)
[...]
>> I'm still using LVM on some "legacy" systems but for new installations
>> I'd strogly suggest starting using BTRFS on top of "physical"
>> partitions.
>
> does btrfs volume manage allow use to use ext4, jfs, or xfs
> filesystems?
No: BTRFS is a volume manager and a filesystem "all in one", you cannot
create a BRTFS subvolume and format it with another filesystem
> Or does on LVM do that?
LVM is "just" a volume manager with no idea about the overlaying
filesystem
[...]
>> I know that since Linux 2.6 swapfile performance is not a big issue if
>> the file is unfragmented (and it'll be for sure on newly partitioned
>> filesystems) but AFAIU swap files are still a little bit problematic on
>> BTRFS
>> https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F:
>
> Ok...maybe we could use ext4 for the swap file? Is there a better
> filesystem? Again does btrfs volume management allow the swap file to
> be ext4?
No, al explained above
> Or do we have to use LVM?
If we use a dedicated partition for swap there is no need to set up an
LVM volume (phisical, VG and then logical): we can just create a
dedicate partition during partitioning, encrypt it with LUKS and
"mkswap" it (e.g. mkswap /dev/mapper/<encrypted_swap>)
[...]
>> Final note: AFAIU BTRFS supports swap files ONLY in single device
>> settings (that is: NO swap file support on multi device settings), so
>> IMHO it's better to use a dedicated partition for the swap space so
>> users are free to switch to a multi-device setting if they wish (and
>> can).
>
> Ok, I will create a dedicated partition and format it with ext4
> and the swap program
There's no need to format (mkfs.ext4) the partition with ext4, just
"mkswap" it :-)
> ...but I will probably need help figuring out how to encrypt
> the swap partition...There are guides online that I can look at...
You have to encrypt it like any other partition, e.g.:
--8<---------------cut here---------------start------------->8---
Encrypt swap the partition. Follow the prompts.
@example
cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \
--verify-passphrase --use-random --key-size 512 --iter-time 500 \
luksFormat /dev/<swap_partition>
@end example
Obtain and note down the UUID of the LUKS partition.
@example
cryptsetup --verbose luksUUID /dev/<swap_partition>
@end example
Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,
and @code{crypt_swap01} is any desired name for the decrypted swap
partition.
@example
cryptsetup --verbose luksOpen UUID=luks-uuid crypt_swap01
@end example
Format the encrypted swap
@example
mkswap /dev/mapper/crypt_swap01
@end example
--8<---------------cut here---------------end--------------->8---
Then, in our (operating-system) declaration, we have to use something
like this:
--8<---------------cut here---------------start------------->8---
(mapped-devices
(list
(mapped-device
(source (uuid "LUKS-UUID"))
(target "partname")
(type luks-device-mapping))
;; This is our new encrypted swap partition
(mapped-device
(source
(uuid "SWAP-LUKS-UUID"))
(target "crypt_swap01")
(type luks-device-mapping))
(mapped-device
(source "vgname")
(targets
(list
"vgname-lvnameroot"
"vgname-lvnamehome"))
(type lvm-device-mapping))))
(swap-devices
(list
"/dev/mapper/crypt_swap01"))
--8<---------------cut here---------------end--------------->8---
WARNING: please consider I've not tested this code.
>> The problem with a fully encrypted dedicated swap partition is that
>> it'll require a third passphrase prompt on boot (the one to unlock the
>> swap partition), but that's a minor annoyance IMHO.
>
> Oh no! I hadn't thought about that! grrr!
Actually what I said it's NOT true... or better: we could avoid the
(third) password prompt for the swap partition if we _add_ a keyfile to
the LUKS encrypted swap partition _and_ we have a mechanism to
"luksOpen" that mapped volume using that keyfile.
I'm not aware of such a mechanism on Guix Systems, in Debian (et al)
this is done with /etc/crypttab, AFAIU the luks-device-mapping lacks the
option to specify a keyfile.
So, as far as this cookbook section is concerned, unfortunately when
using a dedicated encrypted swap partition an additional passphrase
prompt will be presented to the user at each boot.
> I wonder if bcachefs is better than btrfs...well I guess it's not
> merged yet.
No, still not. AFAIU also still not available in Guix.
> What about instead of using a swap file we use zram?
Never used zram and I don't know if it's supported (I mean configured by
(operating-system)) on Guix System
[...]
Sorry I've more issues than answers on this topics, nevertheless I hope
it somway helps.
Thanks! Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
signature.asc
Description: PGP signature