Skip to main content
Topic: Help with FDE and questions for a better understanding. (Read 57 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Help with FDE and questions for a better understanding.

So, i realized that every guide online fully encrypts their drive a bit differently.
https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch
https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system
https://wiki.artixlinux.org/Main/InstallationWithFullDiskEncryption
https://archive.li/fuvky

Gentoo's guide has following partition layout:
Code: [Select]
/dev/sda
 ├── /dev/sda1      [EFI]   /efi      1 GB         fat32       Bootloader
 └── /dev/sda2      [BOOTX] /boot     1 GB         ext4        Bootloader support files, kernel and initramfs
/dev/nvme0n1
 └── /dev/nvme0n1p1 [ROOT]  (root)    ->END        luks        Encrypted root device, mapped to the name 'root'
      └──  /dev/mapper/root /         ->END        btrfs       root filesystem
                            /home     subvolume                Subvolume created for the home directory
                            /var      subvolume                Subvolume created for the var directory
                            /etc      subvolume                Subvolume created for the etc directory

Efi and boot directory on a seperate drive, unencrypted. No LVM.

Arch lists a bunch off ways, LVM on LUKS for example seems to be leaving /boot unencrypted with the kernel and initramfs.

Code: [Select]
+-----------------------------------------------------------------------+ +----------------+
| Logical volume 1      | Logical volume 2      | Logical volume 3      | | Boot partition |
|                       |                       |                       | |                |
| [SWAP]                | /                     | /home                 | | /boot          |
|                       |                       |                       | |                |
| /dev/MyVolGroup/swap  | /dev/MyVolGroup/root  | /dev/MyVolGroup/home  | |                |
|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _| | (may be on     |
|                                                                       | | other device)  |
|                         LUKS encrypted partition                      | |                |
|                           /dev/sda1                                   | | /dev/sdb1      |
+-----------------------------------------------------------------------+ +----------------+

or The encrypted boot partition example by the archwiki
Code: [Select]
+---------------------+----------------------+----------------------+----------------------+----------------------+
| BIOS boot partition | EFI system partition | Logical volume 1     | Logical volume 2     | Logical volume 3     |
|                     |                      |                      |                      |                      |
|                     | /efi                 | /                    | [SWAP]               | /home                |
|                     |                      |                      |                      |                      |
|                     |                      | /dev/MyVolGroup/root | /dev/MyVolGroup/swap | /dev/MyVolGroup/home |
| /dev/sda1           | /dev/sda2            |----------------------+----------------------+----------------------+
| unencrypted         | unencrypted          | /dev/sda3 encrypted using LVM on LUKS                              |
+---------------------+----------------------+--------------------------------------------------------------------+
which seems to be the same as the one by https://archive.li/fuvky (cant insert the picture, in this example the efi partion is mounted at /boot/efi thus /boot is encrypted with the kernel and initramfs but the bootloader grub is unencrypted as i understand at least, because the partition is mounted at /boot/efi)

Now, the Artix guide confused me.
Code: [Select]
/dev/sdX - physical disk with MBR partition table
 /dev/sdX1 - encrypted with LUKS (Linux Unified Key Setup) and partitioned into a LVM (Logical Volume Manager) container
 |---> Logical volume 1 - /dev/mapper/lvm-volBoot - /boot encrypted partition of 1 GB size
 |---> Logical volume 2 - /dev/mapper/lvm-volSwap - swap partition, the size of which is >= size of your RAM (i.e. 16 GB)
 |---> Logical volume 3 - /dev/mapper/lvm-volRoot - / root partition, which gets 100% of remaining free space

MBR, the reason there is no /efi directory, but how the hell is it booting if /boot is encrypted with the grub included?

from my current point the best FDE for UEFI would be https://archive.li/fuvky gpg encrypting the keys as described here and password protecting grub?

Then again, luks2 wont be possible because of the problems when using Grub2 with it right?
also found this https://wiki.archlinux.org/title/GRUB#LUKS2 not sure if its a good idea to use it