Topic: Full disk encryption (including /boot) Luks2+argon2 ( Efi )

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #30
Oh, you've already decided everything :) Congratulations.

Tell me please, is it possible to build and install Grub with argon2id support for BIOS?

Theoretically, yes. I don’t know how in practice.

I think it's worth looking for the answer in the comments in AUR. Maybe it has already been answered, after which you can ask this question directly to the package maintainer.

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #31
For information, I wanted to leave a screenshot here, when the user boots the system from EFI, the installer reports this (very convenient)

I also managed to download the new Grub (attached a screenshot)

But I couldn’t go any further because I can’t figure out how to write the UUID correctly:

Code:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=0123456789/dev/vda2:lvm root=UUID=0123456789/dev/mapper/main-root"

or?
Code:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=0123456789   /dev/vda2:lvm root=UUID=0123456789   /dev/mapper/main-root"


I've seen other options


Code:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=0123456789>:cryptroot root=/dev/mapper/main-root

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #32
Here's what it roughly looks like:

Code:
user@host> blkid
/dev/mapper/crypt-root: UUID="3eabad26-a765-414c-bd79-fc3bf66f58ac" BLOCK_SIZE="4096" TYPE="ext4"
/dev/sdb: UUID="115e9912-9109-4849-918f-4d6fd78559d4" TYPE="crypto_LUKS"
/dev/mapper/crypt-home: UUID="e27d6f5a-2bc9-43cf-81a2-bd901624479a" BLOCK_SIZE="4096" TYPE="ext4"
/dev/mapper/luks: UUID="HPamLZ-12fZ-olvN-MGyI-9VDA-LUwz-HFB8ii" TYPE="LVM2_member"
/dev/sda2: UUID="d3412596-7138-4392-b6d9-2d0d3c433900" TYPE="crypto_LUKS" PARTUUID="b4e5ca50-68ab-5c41-a726-c8282f22504c"
/dev/sda1: UUID="7FF8-F409" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="0ee62557-8f14-6d41-8d41-bf0376a84db0"

Code:
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=d3412596-7138-4392-b6d9-2d0d3c433900:luks:allow-discards root=UUID=3eabad26-a765-414c-bd79-fc3bf66f58ac cryptkey=rootfs:/root/secrets/ssd.bin loglevel=3 quiet net.ifnames=0 ipv6.disable=1"


Where d3412596-7138-4392-b6d9-2d0d3c433900 is /dev/sda2, and 3eabad26-a765-414c-bd79-fc3bf66f58ac is /dev/mapper/crypt-root.
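
The UUID mapping from the reply above, as an added example that is not part of the original post: a shell helper that reads blkid output and builds the cryptdevice=/root= arguments, refusing a UUID of the wrong kind. The function names are hypothetical; the sample lines are copied from the blkid output quoted above.

```shell
# Added example: derive cryptdevice=/root= from blkid output and check types.
# Sample input: three lines copied from the blkid output in the reply above.
SAMPLE_BLKID='/dev/mapper/crypt-root: UUID="3eabad26-a765-414c-bd79-fc3bf66f58ac" BLOCK_SIZE="4096" TYPE="ext4"
/dev/mapper/luks: UUID="HPamLZ-12fZ-olvN-MGyI-9VDA-LUwz-HFB8ii" TYPE="LVM2_member"
/dev/sda2: UUID="d3412596-7138-4392-b6d9-2d0d3c433900" TYPE="crypto_LUKS" PARTUUID="b4e5ca50-68ab-5c41-a726-c8282f22504c"'

# blkid_field <blkid-text> <device> <KEY>: print KEY's value for <device>.
# Matching on the start of the field keeps PARTUUID from matching UUID.
blkid_field() {
    printf '%s\n' "$1" | awk -v dev="$2:" -v key="$3" '
        $1 == dev {
            for (i = 2; i <= NF; i++)
                if (index($i, key "=\"") == 1) {
                    v = substr($i, length(key) + 3)
                    sub(/"$/, "", v)
                    print v
                    exit
                }
        }'
}

# build_cmdline <blkid-text> <luks-partition> <mapper-name> <root-device>
build_cmdline() {
    bc_luks_type=$(blkid_field "$1" "$2" TYPE)
    bc_root_type=$(blkid_field "$1" "$4" TYPE)
    # cryptdevice= must name the encrypted container itself.
    if [ "$bc_luks_type" != "crypto_LUKS" ]; then
        echo "error: $2 is '$bc_luks_type', not crypto_LUKS" >&2
        return 1
    fi
    # root= must name the filesystem that appears after unlocking.
    case "$bc_root_type" in
        ""|crypto_LUKS|LVM2_member)
            echo "error: $4 is not a mountable filesystem" >&2
            return 1 ;;
    esac
    printf 'cryptdevice=UUID=%s:%s root=UUID=%s\n' \
        "$(blkid_field "$1" "$2" UUID)" "$3" "$(blkid_field "$1" "$4" UUID)"
}

# On a live system: build_cmdline "$(blkid)" /dev/sda2 luks /dev/mapper/crypt-root
build_cmdline "$SAMPLE_BLKID" /dev/sda2 luks /dev/mapper/crypt-root
```

The printed string goes inside the quotes of the GRUB_CMDLINE_LINUX_DEFAULT line in /etc/default/grub, followed by any further options such as cryptkey=.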

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #33
Thank you very much for the information, I also looked at the wiki https://wiki.artixlinux.org/Main/InstallationWithFullDiskEncryption and saw that I wrote too much.
At the first stage of installation without a cryptkey, it should look like this:

Code:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=0123456789/dev/vda2:lvm root=UUID=0123456789"

I was confused by this inscription from the link https://forum.artixlinux.org/index.php/topic,4970.msg31961.html# :

Code:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=uuid_for_/dev/vda2:lvm root=UUID=uuid_for_/dev/mapper/main-root"

Later, when the system boots successfully, I will add cryptkey and disable ipv6.




Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #34
Okay, let's wait for success.

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #35
I tested the installation, many times I could not boot the system, I think the error is here:

Right

Code:
GRUB_CMDLINE_LINUX_DEFAULT

Wrong

Code:
GRUB_CMDLINE_LINUX
# Edit /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=uuid_for_/dev/vda2:lvm root=UUID=uuid_for_/dev/mapper/main-root"

You also need to simplify the setup with UUID)) there is a simpler option that also worked for me:

Code:
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:lvm root=/dev/mapper/main-root"


Also, during installation you need to add DHCPCD-OPENRC in order to connect to the Internet after installation.

Re: Full disk encryption (including /boot) Luks2+argon2 ( No Libreboot )

Reply #36

Re: Full disk encryption (including /boot) Luks2+argon2 ( Efi )

Reply #37
Hello Doheka. Thank you for your help!



Re: Full disk encryption (including /boot) Luks2+argon2 ( Efi )

Reply #38
Important amendment to the instructions (for installation on a virtual machine) https://forum.artixlinux.org/index.php/topic,4970.msg31961.html#msg31961

After building Grub that supports argon2id, you need to run these commands so that you can boot into the system correctly.

/dev/vda gets ignored if --efi-directory is used.

Code:
# mount /dev/sda1 /boot/efi
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --removable

Re: Full disk encryption (including /boot) Luks2+argon2 ( Efi )

Reply #39
I didn’t run it and everything installed fine, although gnome-boxes uses the same QEMU. By the way, how are things going with Argon2id and PBKDF? Are they working normally?

Re: Full disk encryption (including /boot) Luks2+argon2 ( Efi )

Reply #40
Hello Doheka. As I wrote above and attached a screenshot of the system, everything works well, the system boots.
There is one point when building Grub with argon2id, you need to use SUDO, I couldn’t build Grub with Opendoas.
But after installation, you can remove SUDO and install Opendoas https://packages.artixlinux.org/details/opendoas
But I would also like to install Grub with argon2id support on the BIOS, I probably need to write to the developer and ask...

Re: Full disk encryption (including /boot) Luks2+argon2 ( Efi )

Reply #41
I asked specifically about how Argon2id and PBKDF work...
I couldn’t build Grub with Opendoas.
You can build the package using doas by specifying this line in /etc/paru.conf in the [bin] section (if you are using paru)
Code:
Sudo = doas
Here are the details

Re: Full disk encryption (including /boot) Luks2+argon2 ( Efi )

Reply #42
I tried it and it didn't work because it was missing bdf-unifont

Code:
$ su - user
$ git clone https://aur.archlinux.org/grub-improved-luks2-git.git
$ cd grub-improved-luks2-git
$ makepkg -si
Install the required dependencies

Code:
-> autogen
-> bdf-unifont
-> help2man
-> python
-> rsync
-> ttf-dejavu

As for alias, the way you wrote it is bad practice))

Thanks for your /etc/paru.conf configuration recommendations, I'll try that, but I also successfully installed opendoas and then removed all dependencies with sudo and everything worked fine for me.


Re: Full disk encryption (including /boot) Luks2+argon2 ( Efi )

Reply #43
I just tried a fresh install, installed bdf-unifont locally and then built Grub, everything worked!

Code:
$ git clone https://aur.archlinux.org/bdf-unifont.git

$ cd bdf-unifont

$ makepkg -si


I needed to install the bdf-unifont public key because there was a build error, but after that the build was successful

Code:
gpg --search-keys 95D2E9AB8740D8046387FD151A09227B1F435A33

write "1"

I'm working on TWO ways to build Grub with argon2id support!