Add persistent disk encryption #2219
432251c to f830c4e
Are you considering supporting binding the LUKS volume to the TPM (or FIDO2 device) via systemd-cryptenroll with this? I would recommend either of these options in addition to password and key files.
Yep, this will be low-hanging fruit for a follow-up PR! ;)
f830c4e to 1c042de
I have been testing this by booting an installer with
It should also work to add an install yaml like the following:
This config expands to:
which should also work, but is a bit cumbersome.
674c1c5 to dd5dbf0
Looks good to me. This is cool!
I miss unit tests and including the encryption configuration in the state file, so we can reset and get the persistent encrypted again as it was configured at the time, or eventually re-encrypt with different parameters.
@@ -123,6 +123,7 @@ func NewInstallCmd(root *cobra.Command, addCheckRoot bool) *cobra.Command { | |||
addSharedInstallUpgradeFlags(c) | |||
addLocalImageFlag(c) | |||
addPlatformFlags(c) | |||
addEncryptionFlags(c) |
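Review bot: `addEncryptionFlags(c)` on the install command exposes, per the commit message, an `enroll-passphrase` string flag, so the LUKS secret is passed as a command-line argument. Arguments are visible in the process list and tend to end up in shell history and install logs; the flag help should say so and point users to `enroll-key-file`, and reading the passphrase from stdin or a prompt would be a safer alternative to offer.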
I think those would also make sense on the reset command.
pkg/features/embedded/grub-default-bootargs/etc/elemental/bootargs.cfg (outdated, resolved)
@@ -261,6 +264,36 @@ func (i *InstallSpec) Sanitize() error { | |||
} | |||
} | |||
|
|||
// Setup disk encryption | |||
if i.EncryptPersistent { |
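Review bot: the `if i.EncryptPersistent {` branch in `Sanitize()` is where a spec that enables encryption without a passphrase or key file should be rejected, and nothing in the visible lines returns an error for that case. Suggest failing early, before any key slot is set up, with something like `return fmt.Errorf("encrypt-persistent requires a passphrase or a key file")`, and covering the case with a unit test.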
Shouldn't it error out if EncryptPersistent is set to true and no secret is provided?
> Shouldn't it error out if EncryptPersistent is set to true and no secret is provided?

I actually didn't test this edge case. I would expect an empty keyslot to allow anything to unlock it, but I will give it a try!
Add flags to encrypt persistent partition on install:

* encrypt-persistent: flag to enable luks encryption on persistent partition.
* enroll-passphrase: string to enroll as passphrase to unlock partition.
* enroll-key-file: key-file to enroll as key to unlock partition.

During install this will invoke cryptsetup to create the LUKS partition and during mount we use systemd-cryptsetup to attach the partition before mounting the contained filesystem.

This also introduces some changes in the grub configuration, the encrypted_volumes variable can be set in grub_oem_env during install to configure which volumes are actually encrypted.

Using a config-file it is also possible to encrypt any extra-partitions using the following syntax:

```yaml
install:
  extra-partitions:
    - Name: extra
      size: 100
      fs: ext4
      label: extra
      encryption:
        name: cr_extra
        key_slots:
          - slot: 1
            passphrase: "extrapass"
```

Signed-off-by: Fredrik Lönnegren <[email protected]>
dd5dbf0 to 053c08f
Good point, I will have an extra look at the reset functionality with this in mind!
This change is tested in the new `test-encryption` target that runs an `elemental install` with a random passphrase and tests that the persistent partition and any extra-partitions can be unlocked when booted from the recovery system.

In the future the hope is to extend this to include state and oem partition, but that will need more changes to the bootloader configuration (most notably using the `cryptomount` command).

Part of #1782
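The review question above about enabling encryption without a secret can be answered at config-validation time. The following is an added example, not code from this PR or from elemental: the `KeySlot` and `Encryption` types and the `Validate` method are hypothetical and only mirror the YAML keys shown in the commit message, and the `KeyFile` field is assumed as the counterpart of the `enroll-key-file` flag.

```go
package main

import (
	"errors"
	"fmt"
)

// KeySlot and Encryption are hypothetical types mirroring the YAML keys in the
// commit message (name, key_slots, slot, passphrase); they are not elemental's own.
type KeySlot struct {
	Slot                int
	Passphrase, KeyFile string
}

type Encryption struct {
	Name     string
	KeySlots []KeySlot
}

const luks2MaxSlots = 32 // LUKS2 key slots are numbered 0..31

// Validate rejects a spec that would leave the volume without a usable
// secret, or whose key slots are out of range, duplicated or ambiguous.
func (e Encryption) Validate() error {
	if e.Name == "" {
		return errors.New("encryption: mapper name is required")
	}
	if len(e.KeySlots) == 0 {
		return errors.New("encryption: at least one key slot is required")
	}
	seen := map[int]bool{}
	for _, ks := range e.KeySlots {
		if ks.Slot < 0 || ks.Slot >= luks2MaxSlots {
			return fmt.Errorf("encryption: slot %d outside 0..%d", ks.Slot, luks2MaxSlots-1)
		}
		if seen[ks.Slot] {
			return fmt.Errorf("encryption: slot %d defined twice", ks.Slot)
		}
		seen[ks.Slot] = true
		if (ks.Passphrase == "") == (ks.KeyFile == "") {
			return fmt.Errorf("encryption: slot %d needs exactly one of passphrase or key file", ks.Slot)
		}
	}
	return nil
}

func main() { // constructed samples: the commit message's slot, then a spec with no slots
	ok := Encryption{Name: "cr_extra", KeySlots: []KeySlot{{Slot: 1, Passphrase: "extrapass"}}}
	fmt.Println(ok.Validate(), Encryption{Name: "cr_extra"}.Validate())
}
```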