Hello,
I've been doing some test runs installing Alpine with full disk
encryption in order to put together a stripped-down how-to document
for my own use case.
I mainly followed
https://wiki.alpinelinux.org/wiki/LVM_on_LUKS
for the procedure.
Now, there seem to be a few issues with that page.
# 1. Wiping disks/partitions
The section titled "Preparing the Temporary Installation Environment"
mentions the possibility of wiping the whole disk, using `haveged` as
input, but then doesn't say how to actually wipe the disk. It only
provides instructions on how to set up `haveged`.
Later, there is a section titled "Optional: Overwrite LUKS Partition
with Random Data" that instructs the reader to wipe the LUKS partition
with the following command:
haveged -n 0 | dd of=/dev/sda2
I see several problems with that.
First, it seems to me that wiping only the partition that is going to be
used for the LUKS container – after and because you have already created
partitions – is not a good idea. Just wiping the whole disk before
creating partitions is probably what should be done instead.
Then, when using dd(1), going with the default block size will take
ages to complete. Adding `bs=1M` is generally much faster, in my
experience.
So, I suggest the following:
* Add instructions on how to overwrite the whole disk with random
data to section "Preparing the Temporary Installation Environment"
and add `bs=1M` to the `dd` command's arguments.
* Remove section "Optional: Overwrite LUKS Partition with Random
Data" entirely.
# 2. "Unmounting the Volumes and Partitions"
This section is obviously specific to the case of using GRUB with UEFI.
The version for Syslinux with BIOS would have to look like this, if I'm
not mistaken:
# cd
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot
So, there should be two sub-sections here:
* "Syslinux with BIOS", containing the above command block.
* "Grub with UEFI", containing what's already there.
If there are no objections to all of this, I'd be happy to go
ahead and edit the page accordingly.
And before I forget: That page does not show up in the results when
you search for "full disk encryption" on the wiki. Maybe there's a way
to change that.
--
Michael
Hello,
>First, it seems to me that wiping only the partition that is going to be>used for the LUKS container – after and because you have already created>partitions – is not a good idea. Just wiping the whole disk before>creating partitions is probably what should be done instead.
I agree, that would be better instead if one really needs to clean up previous data.
>Then, when using dd(1), going with the default block size will take>ages to complete. Adding `bs=1M` is generally much faster, in my>experience.
This is entirely dependent on the device you have and a few other factors, so it makes more sense to keep the default.
>So, I suggest the following:>> * Remove section "Optional: Overwrite LUKS Partition with Random> Data" entirely.
It should be replaced with "Overwrite disk with Random Data" before creating the partition table instead.
>This section is obviously specific to the case of using GRUB with UEFI.>>The version for Syslinux with BIOS would have to look like this, if I'm>not mistaken:>> # cd> # umount /mnt/boot> # swapoff /dev/vg0/swap> # umount /mnt> # vgchange -a n> # cryptsetup luksClose lvmcrypt> # reboot>>So, there should be two sub-sections here:>> * "Syslinux with BIOS", containing the above command block.> * "Grub with UEFI", containing what's already there.
This has nothing to do with the bootloader. If syslinux supported UEFI, it would be similar if not the same.
It should instead keep the `umount /mnt/boot/efi` with a comment or a note that says it is UEFI specific.
Feel free to edit the page and thanks for contributing!
(This is a duplicate, i forgot to CC the mailing list.)
--
Alex D.
RedXen System & Infrastructure Administration
https://redxen.eu/
Am Mon, 19 Jul 2021 21:03:25 +0000
schrieb caskd <caskd@redxen.eu>:
> >Then, when using dd(1), going with the default block size will take> >ages to complete. Adding `bs=1M` is generally much faster, in my> >experience. > This is entirely dependent on the device you have and a few other> factors, so it makes more sense to keep the default.
I see. I still think it should be mentioned that choosing a more
adequate block size might speed things up considerably.
> >So, I suggest the following:> >> > * Remove section "Optional: Overwrite LUKS Partition with Random> > Data" entirely. > It should be replaced with "Overwrite disk with Random Data" before> creating the partition table instead.
Okay, but this is already covered in "Preparing the Temporary
Installation Environment". And that is where these instructions belong,
I'd say.
> >This section is obviously specific to the case of using GRUB with> >UEFI.> >> >The version for Syslinux with BIOS would have to look like this, if> >I'm not mistaken:> >> > # cd> > # umount /mnt/boot> > # swapoff /dev/vg0/swap> > # umount /mnt> > # vgchange -a n> > # cryptsetup luksClose lvmcrypt> > # reboot> >> >So, there should be two sub-sections here:> >> > * "Syslinux with BIOS", containing the above command block.> > * "Grub with UEFI", containing what's already there. > This has nothing to do with the bootloader. If syslinux supported> UEFI, it would be similar if not the same. It should instead keep the> `umount /mnt/boot/efi` with a comment or a note that says it is UEFI> specific.
The problem is that the whole tutorial is based on going about things
one of two ways: either BIOS/MBR/Syslinux or UEFI/GPT/GRUB. And lines
2–5 in the code block as it is on the page are specific to what the
tutorial describes for going with UEFI/GPT/GRUB. So, for consistency,
there should be two sub-sections, just like in some of the previous
sections.
--
Michael