Open nyancat18 opened 7 years ago
Each time I did installation:
I was able to do that on any Ubuntu'ish OSes.
@triceratops1 Yes and no. If you do it in advanced mode, you can tell cnchi which partitions you want to encrypt. If you do it in automatic mode, it will encrypt / and /home
@rancherr I'm sure we never tried that... Will check it out asap and get back to you.
This would be really amazing. I would like to use the Antergos installer more often, but this limitation of the installer makes me install Arch manually from the cli with it. Does Cnchi allow me to mount my own partition setup? That would be even better. lol Only /etc/default/grub and /etc/mkinitcpio.conf need to be modified to encrypt /boot, and a crypto_keyfile.bin should be made for the encrypt hook so it doesn't ask for the password again.
Does Cnchi allow me to mount my own partition setup?
Yes, go to advanced partition mode and there you can select which partitions you want to use (as /boot, /, ....)
Only /etc/default/grub and /etc/mkinitcpio.conf need to be modified to encrypt /boot, and a crypto_keyfile.bin should be made for the encrypt hook so it doesn't ask for the password again.
Have you tried to encrypt your /boot in advanced partition mode?
no :(
No, it doesn't work with the encrypted lvm setup I do. I always keep /boot on the root partition in a btrfs subvolume so I can do snapshots, but the installer requires a /boot partition and a separate one doesn't work either. If there were a way to just skip the partition creation in the installer by mounting them somewhere manually, that would be ideal for me. I could finish the setup manually as I already do. But having an encrypted /boot by itself doesn't seem too demanding, development wise.
Add the crypt hook and the optional /crypto_keyfile.bin to the FILES array in mkinitcpio.conf. Add "cryptdevice=UUID=$luks_volume_uuid" and "cryptkey=/crypto_keyfile.bin" to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub
Then make the crypto_keyfile.bin, and add it to the luks volume with
dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
'cryptodisk luks' should be added to preload modules in default/grub, but for myself it has worked without it.
I've never looked intensely at the Cnchi code, and I'm not much of a developer at all, but maybe I'll have a look. lol
@karasu have you tried yet? My company requires me to use full encryption and boot device on external USB, so it would be really nice to have this option. I am willing to test if needed.
@rancherr I'm afraid other matters got my attention... and this was forgotten. Do you need your usb /boot also to be encrypted?
I am planning on trying Antergos (and recommending it to friends who want to use Arch), and full encryption is a must. My setup is almost the same as @eturner. Namely, an EFI partition with GRUB and an encrypted partition formatted btrfs with /boot as a folder in the / subvolume. I don't bother with swap disk, but would use an encrypted swap if provided. I don't use LVM, but could. Support for putting the EFI partition on USB is a plus. I think users who want to boot from USB only need grub on the USB.
I'm fine with a manual setup, if the installer can deal with /boot not being a partition.
I may be mistaken, but I think what eturner left out is that the GRUB package gets confused too and needs:
echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
grub-install --target=x86_64-efi --efi-directory /boot/efi --bootloader-id=arch --boot-directory=/boot/efi/EFI/arch
grub-mkconfig -o /boot/efi/EFI/arch/grub/grub.cfg
Otherwise, grub itself knows how to add the cryptodisk module and set the paths.
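A check of the settings named in the comments above, as an added example that is not part of the thread or of Cnchi's code. `audit_encrypted_boot`, `conf_val` and `finding` are hypothetical names, it assumes the keyfile variant of the setup, and the keyfile permission check is an addition the thread does not discuss.

```shell
# Added example (not Cnchi code): audit a root tree for the encrypted-/boot
# settings named in this thread. ROOT defaults to /, e.g. /mnt during install.
# Prints one line per finding and returns the number of findings (0 = clean).
conf_val() {  # conf_val KEY FILE: last uncommented KEY=... value, empty if none
    [ -f "$2" ] || return 0
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}
finding() { echo "$1"; findings=$((findings + 1)); }

audit_encrypted_boot() {
    root=${1:-/}; root=${root%/}
    grub="$root/etc/default/grub"
    mkinit="$root/etc/mkinitcpio.conf"
    key="$root/crypto_keyfile.bin"
    findings=0

    # GRUB can only read an encrypted /boot with cryptodisk support enabled.
    case "$(conf_val GRUB_ENABLE_CRYPTODISK "$grub")" in
        y|\"y\"|\'y\') ;;
        *) finding "MISSING: GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub" ;;
    esac

    # Kernel command line parameters read by the encrypt hook.
    cmdline=$(conf_val GRUB_CMDLINE_LINUX_DEFAULT "$grub")
    for param in cryptdevice cryptkey; do
        case "$cmdline" in
            *"$param="*) ;;
            *) finding "MISSING: $param= in GRUB_CMDLINE_LINUX_DEFAULT" ;;
        esac
    done

    # The initramfs must carry the hook and the keyfile.
    case "$(conf_val HOOKS "$mkinit")" in
        *encrypt*) ;;
        *) finding "MISSING: encrypt hook in HOOKS (mkinitcpio.conf)" ;;
    esac
    case "$(conf_val FILES "$mkinit")" in
        *crypto_keyfile.bin*) ;;
        *) finding "MISSING: /crypto_keyfile.bin in FILES (mkinitcpio.conf)" ;;
    esac

    # Added check, not from the thread: the keyfile unlocks the volume, so
    # group/other must have no access (ls mode columns 5-10 all '-').
    if [ ! -f "$key" ]; then
        finding "MISSING: /crypto_keyfile.bin"
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        finding "WEAK: /crypto_keyfile.bin is accessible to group/other"
    fi
    return "$findings"
}
```

Run it as `audit_encrypted_boot /mnt` against the mounted target before rebooting; commented-out assignments are deliberately ignored.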
I think that should be supported. I did a test install of Manjaro Linux some time ago; they use https://calamares.io/ as an installer. It's a universal Linux installer, not specific to any distro.
Given the fact that they say:
Calamares does not aim to be the ultimate “standard” installer of the Linux desktop. Many distributions already have more mature system installer solutions, but some don’t, and that’s where Calamares can be of use.
I was surprised to see that it supports a very modern way of full disk encryption where boot is also encrypted, I think. I am used to an unencrypted boot. Ubuntu installer does it this way, for example.
You may just want to use Manjaro for now which is basically Arch without the rolling release model for the core stack if I got that right. There may also be some code in Calamares for Cnchi to copy.
Does Cnchi support full disk encryption?
FDE: Encrypt system (/), user (/home/*) (swap) and /boot + encrypted grub