Skip to main content
Topic: Full disk encryption (including /boot) Luks2+argon2 ( Efi ) (Read 1826 times) previous topic - next topic
0 Members and 2 Guests are viewing this topic.

Full disk encryption (including /boot) Luks2+argon2 ( Efi )

Hi all . Please tell me how to install a system with full disk encryption (including /boot) Luks2+argon2id?

If we are talking about Libreboot, then this is understandable since in the flash chip itself, after installing Libreboot, there is a modified Grub that can unlock Luks2. This is reported here https://libreboot.org/news/argon2.html

I would like to understand how I can install this Grub https://aur.archlinux.org/cgit/aur.git/tree/?h=grub-improved-luks2-git&id=1c7932d90f1f62d0fd5485c5eb8ad79fa4c2f50d  during the system installation, or maybe I need to install an encrypted system using Luks1 and then convert?

I would be grateful for your help.


Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #2
Hello . Thanks for the link .

This link is not exactly what I'm looking for. I'll try to explain again.

After I booted the system from USB and partitioned the disk, I encrypt the volume with the following command:

Code: [Select]
# cryptsetup -v  --cipher aes-xts-plain64 --hash sha512 --iter-time 10000 --key-size 512
                                --use-urandom --verify-passphrase luksFormat --type luks1 /dev/sda1


I chose the example with Luks1 because the option with Luks2 does not work for the BOOT partition, and this option also does not work.

Code: [Select]
# cryptsetup  -v  --cipher aes-xts-plain64  --hash sha512 --iter-time 10000  --key-size 512  --pbkdf argon2id  --use-urandom --verify-passphrase luksFormat  --type luks2 /dev/sda1


I looked at the repository there Grub 2:2.12-2 https://packages.artixlinux.org/details/grub this means this grub does not support Argon2id and PBKDF

I need to encrypt a Grub volume with this one which supports Argon2id and PBKDF => https://aur.archlinux.org/cgit/aur.git/tree/?h=grub-improved-luks2-git&id=1c7932d90f1f62d0fd5485c5eb8ad79fa4c2f50d

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #3
This will only work correctly on a system with UEFI. That is, you need TWO partitions, where the first is the ESP partition, where the bootloader file (grubx64.efi) will be located. There is no need to make boot a separate partition...


If you are sure that grub-improved-luks2-git from this link supports Argon2id and PBKDF, just build and install it from there!

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #4
Thank you for your answer. I'm currently testing on a virtual machine before installing on a physical one.

Are you writing that you just assemble it and install it from there? You can clarify what you mean, please write the commands during installation and at what specific moment to do this. I think you recommend it, but I haven’t tried it myself))

As for two or one section, I don’t think it matters, it’s the user’s choice at his discretion

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #5
I installed via paru. I did not check the operation of Argon2id and PBKDF due to lack of time...

If you provided a link to a specific commit, you may need to build the bootloader with that specific commit. I can’t give you any advice on commands right now.

You can build, install and configure the bootloader at almost any stage of the installation.

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #6
Yes, you are right, I also wanted to do this, that is, build Grub that supports argon2id, but I can’t understand at what stage this can be done, it will work and how to do it.

For example, I installed the system, then I created a user but did not install Grub from the repository, at this stage I need to do these steps?

Code: [Select]
$ su - user
$ git clone https://aur.archlinux.org/grub-improved-luks2-git.git
$ cd grub-improved-luks2-git
$ makepkg -si
Install the required dependencies

$ sudo nano /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda1:lvm"

GRUB_ENABLE_CRYPTODISK=y

$ sudo  grub-mkconfig -o /boot/grub/grub.cfg

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #7
For example, I installed the system, then I created a user but did not install Grub from the repository, at this stage I need to do these steps?
Yes, do it at this stage.

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #8
Thank you very much for helping me!
Please tell me, after creating a user
Code: [Select]
useradd -m -G wheel user
passwd user
and the
Code: [Select]
artix-chroot /mnt
  command, your Internet works, can you, for example, update the system?
I didn't succeed yesterday...

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #9
If you install the system in one stage FROM and TO, then yes, no problem. However, if you shut down the virtual machine or computer on which you installed the system, and then chroot into that system from the live system, then you simply need to configure the network again and continue.

That is, you need to boot from iso artix, set up a network and do chroot.

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #10
I checked again, it was my mistake, after the command
Code: [Select]
artix-chroot /mnt
everything works and I can download and build Grub.
I didn't need to set up an internet connection again everything worked by default

But I faced another problem, I can't install after building Grub since I created one partition, what command do I need to install Grub?

I tried these commands

Code: [Select]
grub-install  /dev/sda 

grub-install --target=i386-pc --boot-directory=/boot --bootloader-id=GRUB --recheck /dev/sda


But I got an error:

Code: [Select]
install: error: /usr/lib/grub/i386-pc/modinfo.sh doesn't exist. Please specify --target or --directory


I'm currently testing the installation on a virtual machine



Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #11
All the necessary commands for obtaining a system with FDE are indicated in the note, the link to which I gave at the very beginning. Please read carefully.

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #12
Hello Doheka  . Please tell me if I understand correctly that the ESP (EFI System Partition)  partition is formatted in Fat 32 ?
Code: [Select]
/dev/vda1	ESP     100M   #Don't make it smaller

 This information is missing from the instructions in the link you provided.

Code: [Select]
# mkfs.ext4 /dev/mapper/main-root
# mkfs.ext4 /dev/mapper/main-home

and 

Code: [Select]
# mkfs.fat  -F32  /dev/vda1 

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #13
Yes, this partition needs to be formatted as FAT32.
Code: [Select]
mkfs.vfat -F32 /dev/vda1

This note uses openrc, so if you use a different initialization your drive name will be different. See information about installed disks:
Code: [Select]
fdisk -l

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #14
Hello Doheka . Please tell me, did you install the system yourself using this link? I tried installing it on a virtual machine several times and it doesn't work.