brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fe0adabb88aad15070ee538727dfd83708ce189c
oam/knowledge base/encrypted root filesystem.md
Michele Cereda fe0adabb88 chore: aligned docs to the template file for articles
2023-07-09 18:00:36 +02:00

75 lines
2.3 KiB
Markdown
Raw Blame History

# Encrypted root filesystem
## Table of contents <!-- omit in toc -->
1. [Avoiding to type the passphrase twice](#avoiding-to-type-the-passphrase-twice)
1. [Further readings](#further-readings)
## Avoiding to type the passphrase twice
Add a key file to your initrd so that you only type the decryption passphrase in the bootloader.
This should only be done in an encrypted root partition that includes `/boot`, since having the initrd on an unencrypted `/boot` partition would defeat encrypting your root partition.
1. generate a new key
```sh
sudo dd if=/dev/urandom of=/.root.key bs=1024 count=1
```
1. make the key file only readable by `root`:
```sh
sudo chmod 600 /.root.key
sudo chown root:root /.root.key
```
1. register the key file as a valid way to decrypt your root partition:
```sh
sudo cryptsetup luksAddKey /dev/sda1 /.root.key
```
1. edit `/etc/crypttab` adding the key file to the third column of the row that pertains to the root partition by UUID:
```text
cr_sda1 UUID=... /.root.key
```
1. add the key file to the initrd
```sh
# suse
echo -e 'install_items+=" /.root.key "' | sudo tee --append /etc/dracut.conf.d/99-root-key.conf > /dev/null
```
1. make `/boot` accessible to `root` only to prevent non-`root` users to read the initrd and extract the key file:
```sh
sudo chmod 700 /boot
```
to ensure that new permissions are not overwritten at a later timepoint, add the following line to `/etc/permissions.local`:
```text
/boot/ root:root 700
```
If you have other encrypted partitions (e.g. `/home`, `swap`, etc), you can create additional keys to mount them without entering a passphrase.
This works exactly as described above in steps 1-4, except that you don't need to add the key for those partitions to the initrd.
## Further readings
- [Avoiding to type the passphrase twice] on the [openSUSE wiki]
- [Encrypting an entire system] on the [Archlinux wiki]
<!--
References
-->
<!-- Others -->
[archlinux wiki]: https://wiki.archlinux.org
[avoiding to type the passphrase twice]: https://en.opensuse.org/SDB:Encrypted_root_file_system#Avoiding_to_type_the_passphrase_twice
[encrypting an entire system]: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
[opensuse wiki]: https://en.opensuse.org/
Reference in New Issue View Git Blame Copy Permalink