HOWTO
Nested full disk encryption guide (Arch Linux)

Disclaimer: This is intended to be used as a reference side by side with the Arch Linux installation guide on the wiki.

Recognized benefits:
- [ ] Encryption redundancy
- [ ] Multiple keys must be entered to decrypt a single partition
- [ ] Decreased chance of data recovery via cold boot attacks # aka 3 keys are more difficult to recover than 1
- [ ] Decreased chance of shoulder surfing
- Run "fdisk -l" and identify which partition you want to encrypt. For me it was /dev/sda3, because I'm going to have a nested encrypted LVM setup.
- Encrypt the initial partition:
cryptsetup luksFormat -s 512 -h sha512 -c aes-xts-plain64 /dev/sda3
- Open the encrypted partition:
cryptsetup open /dev/sda3 crypta
- Encrypt the unencrypted (mapped) view of the encrypted partition (this is the nesting):
cryptsetup luksFormat -s 512 -h sha512 -c serpent-xts-plain64 /dev/mapper/crypta
- Open the encrypted partition /dev/mapper/crypta:
cryptsetup open /dev/mapper/crypta cryptb
- Encrypt the unencrypted partition (cryptb):
cryptsetup luksFormat -s 512 -h sha512 -c twofish-xts-plain64 /dev/mapper/cryptb
- Open the encrypted partition /dev/mapper/cryptb:
cryptsetup open /dev/mapper/cryptb cryptc
- Now you can do what I did if you want, which is to create an LVM inside the nested encryption, like so:
pvcreate /dev/mapper/cryptc # make it a physical volume
vgcreate VolGroup /dev/mapper/cryptc # create the volume group
- Create all the logical volumes:
lvcreate -L 10G VolGroup -n tmp
lvcreate -L 15G VolGroup -n root
lvcreate -L 50G VolGroup -n usr
lvcreate -L 25G VolGroup -n var
lvcreate -L 16G VolGroup -n swap
lvcreate -L 25G VolGroup -n home
lvcreate -l 100%FREE VolGroup -n data
- Format the logical volumes with filesystems:
mkfs.ext4 /dev/mapper/VolGroup-root
mkfs.ext4 /dev/mapper/VolGroup-home
etc....
- Mount the logical volumes, install the base packages, and chroot into the new system's root directory.
- Create multiple encrypt hooks.
- Edit /etc/mkinitcpio.conf and add "encrypt encrypt2 encrypt3" to the HOOKS=(...) line.
- Generate the new kernel image with "mkinitcpio -p <kernel package>"; for me it's "mkinitcpio -p linux-hardened".
- Edit "/etc/default/grub" and add the following to the "GRUB_CMDLINE_LINUX="" line so it looks like this:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:crypta cryptdevice2=/dev/mapper/crypta:cryptb cryptdevice3=/dev/mapper/cryptb:cryptc"
- Generate the grub configuration file with "grub-mkconfig -o /boot/grub/grub.cfg"
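The "Create multiple encrypt hooks" step is what makes "encrypt2"/"encrypt3" and "cryptdevice2="/"cryptdevice3=" exist at boot. The helper below is an added example, not part of the original HOWTO or of mkinitcpio: it copies the stock hook and install files (/usr/lib/initcpio/hooks/encrypt and /usr/lib/initcpio/install/encrypt) into /etc/initcpio/ under the new names and renames the kernel parameter each copy parses. Renaming cryptkey alongside cryptdevice is my assumption so a per-layer keyfile could be passed as cryptkeyN=; the page itself only uses cryptdeviceN=.

```shell
#!/bin/sh
# Generate encrypt2, encrypt3, ... mkinitcpio hooks from the stock "encrypt" hook.
# Each copy parses its own kernel parameter (cryptdevice2=, cryptdevice3=, ...),
# which is what HOOKS=(... encrypt encrypt2 encrypt3 ...) relies on: the first
# hook opens /dev/sda3 as crypta, the second opens /dev/mapper/crypta, and so on.
# SRC_DIR and DST_DIR are arguments so the function can be tried on a scratch
# copy first; on a real system they are /usr/lib/initcpio and /etc/initcpio.
#
# Usage (as root):  make_encrypt_hooks /usr/lib/initcpio /etc/initcpio 2 3
make_encrypt_hooks() {
    src="$1"; dst="$2"; shift 2
    for n in "$@"; do
        # Refuse to overwrite the stock "encrypt" hook: N must be an integer >= 2.
        case "$n" in ''|*[!0-9]*|0|1) echo "bad hook number: $n" >&2; return 1 ;; esac
        for part in hooks install; do
            [ -f "$src/$part/encrypt" ] || { echo "missing $src/$part/encrypt" >&2; return 1; }
            mkdir -p "$dst/$part"
            # Rename the parameters this copy reads. cryptdevice -> cryptdeviceN is
            # what the HOWTO's GRUB_CMDLINE_LINUX uses; cryptkey -> cryptkeyN is an
            # assumption added here so a keyfile could be supplied per layer.
            sed -e "s/cryptdevice/cryptdevice$n/g" \
                -e "s/cryptkey/cryptkey$n/g" \
                "$src/$part/encrypt" > "$dst/$part/encrypt$n"
        done
    done
}

# List the distinct cryptdevice* parameter names a hook file references,
# space separated. Used to confirm a generated copy no longer reads the
# plain "cryptdevice" that the first hook consumes.
hook_param_names() {
    grep -o 'cryptdevice[0-9]*' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}
```

After generating the copies, regenerate the initramfs with mkinitcpio as described above, since the hooks are only picked up at image build time.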