classy-giraffe / easy-arch

Script for bootstrapping Arch Linux with BTRFS, snapshots and LUKS encryption (UEFI only).
https://classy-giraffe.github.io/easy-arch
Apache License 2.0

Consider switching to LUKS2 or encrypted /boot #4

Closed TommyTran732 closed 3 years ago

TommyTran732 commented 3 years ago

As it stands right now, we seem to be using LUKS1 for no apparent reason. I think we should consider one of the following:

  1. If we don't plan to encrypt /boot, it might be a better idea to use LUKS2 than LUKS1.
  2. If we are using LUKS1, then why not make the boot partition a BTRFS subvolume and encrypt it as well? (/boot/efi will be kept separate.) After all, this does have security benefits and helps prevent some evil maid attacks.

classy-giraffe commented 3 years ago

The reason I am using LUKS1 is that the following version (LUKS2) seems not to be compatible with GRUB (I recall having read something like that on the Arch Wiki).

TommyTran732 commented 3 years ago

> The reason I am using LUKS1 is that the following version (LUKS2) seems not to be compatible with GRUB (I recall having read something like that on the Arch Wiki).

GRUB is only not compatible with LUKS2 when /boot is also encrypted. If the kernel and initramfs are unencrypted (like how your system is set up right now), then it's the kernel doing the decryption, not GRUB.

In fact, GRUB_ENABLE_CRYPTODISK=y is only needed when /boot is encrypted.

For my own setup, I keep LUKS1, but I move /boot to a @boot subvolume. The ESP partition is mounted as /boot/efi, and the only thing it contains is /boot/efi/EFI/GRUB/grubx64.efi.

I opted in for this setup because

  1. It helps more against evil maid attacks. Since nothing but grubx64.efi is unencrypted, there are fewer things the attacker could tamper with to mess with the system. It also helps if the user is only signing the kernel for Secure Boot and does not take care of the initramfs itself.
  2. When GRUB supports LUKS2, we may be able to convert the system using luksConvert.

That being said, the downside of using encrypted /boot is that if you fail to type the password once, you must reboot.

TommyTran732 commented 3 years ago

If you want to keep the current partition layout, it is cool as well, but it would make more sense to use LUKS2 and remove the GRUB_ENABLE_CRYPTODISK=y setting.
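The two layouts discussed in the comments above (unencrypted /boot with the kernel unlocking the volume, versus /boot as an encrypted @boot subvolume with GRUB unlocking it) come with a small set of consistency rules: GRUB_ENABLE_CRYPTODISK=y is only needed when /boot is encrypted, LUKS2 is fine when /boot is unencrypted, and LUKS1 is the version the thread keeps for GRUB-unlocked /boot. The following POSIX sh script is an added example, not code from the easy-arch project or from either commenter: it applies those rules to a `cryptsetup luksDump` header, an /etc/fstab and an /etc/default/grub fragment. The luksDump excerpts, fstab entries, GRUB fragments and the status tokens it prints are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of easy-arch: check that the LUKS header version,
# the /boot mount and GRUB_ENABLE_CRYPTODISK agree with each other.
# Every input below is a constructed sample, not captured from a real machine.

# Constructed sample of `cryptsetup luksDump` output for a LUKS1 header.
DUMP_LUKS1='LUKS header information for /dev/sdX2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64'

# Constructed sample for a LUKS2 header.
DUMP_LUKS2='LUKS header information
Version:        2
Epoch:          3'

# Constructed /etc/fstab for the layout the thread starts from:
# the ESP is mounted on /boot, so kernel and initramfs sit unencrypted.
FSTAB_PLAIN_BOOT='/dev/mapper/cryptroot  /      btrfs  subvol=@      0 0
/dev/sdX1              /boot  vfat   defaults      0 2'

# Constructed /etc/fstab for the encrypted-/boot layout:
# /boot is the @boot subvolume inside LUKS, the ESP moves to /boot/efi.
FSTAB_ENC_BOOT='/dev/mapper/cryptroot  /          btrfs  subvol=@      0 0
/dev/mapper/cryptroot  /boot      btrfs  subvol=@boot  0 0
/dev/sdX1              /boot/efi  vfat   defaults      0 2'

# Constructed /etc/default/grub fragments.
GRUB_CRYPTODISK_ON='GRUB_TIMEOUT=5
GRUB_ENABLE_CRYPTODISK=y'
GRUB_CRYPTODISK_OFF='GRUB_TIMEOUT=5
#GRUB_ENABLE_CRYPTODISK=y'

# luks_version DUMP: print the header version (1 or 2) from luksDump output.
luks_version() {
    printf '%s\n' "$1" | sed -n 's/^Version:[[:space:]]*\([0-9]\).*/\1/p' | head -n 1
}

# cryptodisk_enabled GRUB_DEFAULTS: yes if an uncommented GRUB_ENABLE_CRYPTODISK=y is present.
cryptodisk_enabled() {
    if printf '%s\n' "$1" | grep -q '^GRUB_ENABLE_CRYPTODISK=y'; then
        echo yes
    else
        echo no
    fi
}

# boot_encrypted FSTAB: yes if /boot (or, with no separate /boot entry, the
# root filesystem) is mounted from a device-mapper node, i.e. from inside LUKS.
boot_encrypted() {
    dev=$(printf '%s\n' "$1" | awk '$2 == "/boot" { print $1 }')
    if [ -z "$dev" ]; then
        dev=$(printf '%s\n' "$1" | awk '$2 == "/" { print $1 }')
    fi
    case "$dev" in
        /dev/mapper/*) echo yes ;;
        *)             echo no ;;
    esac
}

# verdict DUMP GRUB_DEFAULTS FSTAB: print one status token, a colon, and the reason.
verdict() {
    ver=$(luks_version "$1")
    cdisk=$(cryptodisk_enabled "$2")
    enc=$(boot_encrypted "$3")
    if [ "$enc" = yes ]; then
        if [ "$cdisk" = no ]; then
            echo "MISSING_CRYPTODISK: /boot is encrypted, GRUB needs GRUB_ENABLE_CRYPTODISK=y to unlock it"
        elif [ "$ver" = 2 ]; then
            echo "LUKS2_ENCRYPTED_BOOT: GRUB itself must unlock a LUKS2 /boot; the thread keeps LUKS1 for this layout"
        else
            echo "OK: encrypted /boot on LUKS1, GRUB unlocks the volume"
        fi
    else
        if [ "$cdisk" = yes ]; then
            echo "UNNEEDED_CRYPTODISK: /boot is unencrypted, the kernel unlocks the volume, drop GRUB_ENABLE_CRYPTODISK=y"
        elif [ "$ver" = 1 ]; then
            echo "LUKS1_WITHOUT_REASON: unencrypted /boot does not need LUKS1, LUKS2 works here"
        else
            echo "OK: unencrypted /boot on LUKS2, the kernel unlocks the volume"
        fi
    fi
}

# Stand-alone run: the original easy-arch layout, then the encrypted-/boot layout.
verdict "$DUMP_LUKS1" "$GRUB_CRYPTODISK_ON" "$FSTAB_PLAIN_BOOT"
verdict "$DUMP_LUKS1" "$GRUB_CRYPTODISK_ON" "$FSTAB_ENC_BOOT"
```

On a real machine the three inputs would come from `cryptsetup luksDump <device>`, `/etc/fstab` and `/etc/default/grub`; the script only reads text, so it is safe to run against saved copies. The first stand-alone run reports the combination the thread started with (LUKS1, GRUB_ENABLE_CRYPTODISK=y, unencrypted /boot), which is exactly the setting the comment above says can be removed; the second reports the encrypted-/boot layout as consistent.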

classy-giraffe commented 3 years ago

Moved to encrypted /boot.