Author: g4sra
Date:  
To: dng
Subject: Re: [DNG] Complete system HDD encryption w/o LLVM.
On 29/09/2020 15:27, Mason Loring Bliss wrote:
> On Tue, Sep 29, 2020 at 08:58:42PM +0700, Андрей via Dng wrote:
>
>> Question is, Is it possible to achieve same goal without LLVM --
>> i.e. to partition system HDD with fdisk, and then still have full
>> encryption?
>
> Yes, or at least, mostly. There needs to be unencrypted data that contains
> the decryption code. GRUB itself can handle LUKS decryption, but that
> would involve a manual installation.
>
> There are a number of ways to encrypt a system, in any event, and you can
> certainly use the "manual" partitioning in the Debian installer to set up a
> system that's largely encrypted, without LVM, but remember to supply an
> unencrypted /boot, as unless something's changed very recently, Debian (and
> Devuan by extension) doesn't know to configure GRUB to unlock an encrypted
> /boot.
>
> I found this that talks about encrypted /boot (or /boot on encrypted root)
> but it would require manual installation, and I'm not sure how easy it'd be
> to adapt Debian's GRUB scaffolding to accommodate it. Might be easy, might
> be nearly impossible. But:
>
>     https://wiki.archlinux.org/index.php/Grub#Encrypted_/boot
Do it in stages:

Stage 1
Devuan install CD:
partition 1 unencrypted /boot
partition 2 LUKS encrypted everything else

Stage 2
Copy /boot over onto /
* rebuild the initramfs in the NEW /boot on / *
^^^ you will need to hack the initramfs-tools scripts or they will exclude the LUKS key ^^^

Stage 3
Rip apart the new initramfs and confirm it is correctly built; repeat Stage 2 if not.

Stage 4 - point of no return-ish
Re-configure and re-install grub to load the kernel from partition 2 /boot

Stage 5 - OK, I lied, it's Linux and almost anything is recoverable
Boot into recovery from the Devuan Install CD
Re-install grub to boot the first partition kernel, the original /boot.
Have a cup of coffee, work out what you did wrong and try Stage 2 again :)

I kept two differing grub configurations, making life easier by symlinking: unencrypted in partition 1 /boot, encrypted in partition 2 /boot.
When you are satisfied, wipe partition 1.
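Added example, not part of g4sra's message or of Devuan/initramfs-tools itself: a small POSIX sh script for the two verification points in the staged procedure above. check_initramfs_listing is the Stage 3 check ("rip apart the new initramfs and confirm it is correctly built"), run over the output of lsinitramfs or `cpio -t`; check_grub_cfg is the Stage 4 check that grub.cfg really carries the cryptodisk/luks/cryptomount lines GRUB needs to read a kernel from the LUKS partition; check_private_mode covers the point the post only implies: once the LUKS key is embedded, the initramfs file itself must be readable by root only. The path names checked (cryptroot/crypttab, cryptroot/keyfiles/*.key, scripts/local-top/cryptroot) are what today's Debian cryptsetup-initramfs hook places in the image and are an assumption to adjust against your own listing; the listings, grub.cfg and UUID in the sample data are constructed here and not from any real machine.

```shell
#!/bin/sh
# Added example (not from the original post). Verification helpers for the
# staged encrypted-/boot procedure. Path names are assumptions based on what
# Debian's cryptsetup-initramfs hook adds to the image; compare with
# `lsinitramfs /boot/initrd.img-$(uname -r)` on your own system.

# Entries (one extended regex per line) that an initramfs able to unlock the
# root LUKS container on its own must contain. "^(usr/)?" accepts both
# merged-/usr and split layouts; the dm-crypt pattern is left unanchored at
# the end so compressed modules (.ko.xz, .ko.zst) also match.
REQUIRED_PATTERNS='^(usr/)?sbin/cryptsetup$
^(usr/)?lib/modules/[^/]+/kernel/drivers/md/dm-crypt\.ko
^cryptroot/crypttab$
^cryptroot/keyfiles/[^/]+\.key$
^scripts/local-top/cryptroot$'

# check_initramfs_listing LISTING_FILE
# LISTING_FILE holds `lsinitramfs initrd.img-...` or `zcat initrd.img-... |
# cpio -t` output. Prints each unmatched pattern; returns 0 only if complete.
check_initramfs_listing() {
    missing=0
    set -f                      # patterns contain glob characters: no expansion
    for pat in $REQUIRED_PATTERNS; do
        if ! grep -Eq -e "$pat" "$1"; then
            echo "MISSING: $pat"
            missing=$((missing + 1))
        fi
    done
    set +f
    [ "$missing" -eq 0 ]
}

# check_grub_cfg GRUB_CFG_FILE
# grub-mkconfig emits these three lines when GRUB_ENABLE_CRYPTODISK=y is set
# in /etc/default/grub; without them GRUB cannot open the LUKS partition
# that now holds the kernel and initramfs.
check_grub_cfg() {
    grep -Eq '^[[:space:]]*insmod cryptodisk' "$1" &&
    grep -Eq '^[[:space:]]*insmod luks' "$1" &&
    grep -Eq '^[[:space:]]*cryptomount -u [0-9a-fA-F]+' "$1"
}

# check_private_mode FILE
# The LUKS key is inside the image, so group/other must have no access at
# all. Uses ls(1) rather than a GNU-only stat(1) format.
check_private_mode() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ????------) return 0 ;;         # e.g. -rw-------
        *) echo "TOO OPEN: $perm $1"; return 1 ;;
    esac
}

# --- Constructed sample data (not real listings or configs) ---------------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# A listing with everything the hook is expected to add.
cat > "$tmp/good.lst" <<'EOF'
.
bin
conf/initramfs.conf
cryptroot
cryptroot/crypttab
cryptroot/keyfiles
cryptroot/keyfiles/sda2_crypt.key
scripts/local-top/cryptroot
usr/lib/modules/5.10.0-amd64/kernel/drivers/md/dm-crypt.ko
usr/sbin/cryptsetup
EOF

# The failure mode the post warns about: the hook ran but left the key out.
sed '/keyfiles\//d' "$tmp/good.lst" > "$tmp/nokey.lst"

# grub.cfg fragment as produced with GRUB_ENABLE_CRYPTODISK=y (UUID is a
# constructed placeholder).
cat > "$tmp/grub.cfg" <<'EOF'
menuentry 'Devuan GNU/Linux' {
    insmod cryptodisk
    insmod luks
    cryptomount -u 0123456789abcdef0123456789abcdef
    insmod ext2
    linux /boot/vmlinuz root=/dev/mapper/sda2_crypt
    initrd /boot/initrd.img
}
EOF

check_initramfs_listing "$tmp/good.lst" && echo "good.lst: complete"
check_initramfs_listing "$tmp/nokey.lst" || echo "nokey.lst: redo Stage 2 before Stage 4"
check_grub_cfg "$tmp/grub.cfg" && echo "grub.cfg: cryptodisk enabled"
```

On a real system the listing comes from `lsinitramfs /boot/initrd.img-<version> > listing.txt` on the encrypted partition's /boot, and check_private_mode is worth running both on that initramfs and on any copy still sitting in the unencrypted partition 1 /boot until that partition is wiped.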