[Deleted] #712
[Deleted] #712
Conversation
* Changed example device to /dev/vda and added note about /dev/vda being the example device in the Warning. * Changed legacy BIOS Partitioning section from MBR system to BIOS/MBR system, Added using dos label type in cfdisk. * Changed Encrypted volume configuration to include why LUKS1 is recommended instead of LUKS2 (GRUB lacks support for Argon2i). * Added Warning about recovering the password/data if the password for the encrypted partition is lost. * Changed guide to default to UEFI systems with notes about legacy BIOS systems when needed. * Noted that voidvm is a example name. * Changed cryptsetup commands from luksOpen and luksClose to open and close. * Made LVM a optional step, With notes about differences for LVM configurations when needed. * Removed creation of a "home" logical volume. * Removed swap information - Swap has many ways to be setup (file or partition, encrypted or unencrypted, with or without suspend-to-disk support, etc) and may be better suited as a separate page in void-docs. * Added a note about the logical volume name chosen using --name, This name is used when mounting. * Removed output from some commands. * Changed example filesystem to Btrfs. * Moved creation of the EFI partition (for UEFI system) below root filesystem creation. * Removed creation of /mnt/home and mounting of /dev/voidvm/home, The creation of a home logical volume was removed. * Separated command for mounting the root partition. * Changed EFI partition mount point to /efi, This change makes /boot encrypted by default, Leaving only /efi unencrypted (as of writing a unencrypted EFI partition is required by UEFI). * Changed base install to UEFI, With a note for switching grub-x86_64-efi to grub on legacy BIOS systems, LVM users are also noted to install the lvm2 package. * Added command to copy a DNS configuration from the live system to allow a internet connection in the chroot. * Removed changing permissions after chroot, This seemed uneeded in my testing. * Changed example hostname from voidvm to AHOSTNAME to make it more apparent that the user should choose their own hostname. * Added a section in Filesystem configuration about getting the required UUIDs, For every step that requires a UUID a blkid command is included to get the UUID. * Changed /etc/fstab and /etc/crypttab to use UUID= instead of /dev/voidvm/root or /dev/sda1. * Changed GRUB_ENABLE_CRYPTODISK=y to echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub. * Noted that rd.lvm.vg=voidvm for /etc/default/grub is for LVM configurations. * Changed grub-install commands to be separate for legacy BIOS and UEFI, The legacy BIOS grub-install command now has --target=i386-pc. * Changed cryptsetup close to include steps for LVM configurations. * Wording and other General changes (also might have missed a few changes).
There was a problem hiding this comment.
Some of these changes are just change for the sake of change. Avoid changing personal preferences in the original document unless there is a technical reason; otherwise we just thrash between whatever preferences suit the person currently making a minor change.
| @@ -1,132 +1,131 @@ | |||
| # Full Disk Encryption | |||
|
|
|||
| **Warning**: Your drive's block device and other information may be different, | |||
| so make sure it is correct. | |||
| **Warning**: This guide uses `/dev/vda` as the example device name, Your drive's block device and other information may be different, so make sure it is correct. | |||
There was a problem hiding this comment.
Drop the sda to vda change everywhere.
- It's a personal preference that doesn't need to be reconsidered with every update.
- Most people deploying full-disk encryption are probably doing so on real hardware, so
sdais more likely thenvdato be relevant anyway.
There was a problem hiding this comment.
We aren't here to save people from themselves when following a destructive guide that describes optional and advanced configuration. The example commands should be generally meaningful , not have bogus placeholders that require replacement.
| For a BIOS/MBR system, Create a single physical partition on the disk using | ||
| [cfdisk](https://man.voidlinux.org/cfdisk) with a `dos` label type, Mark it as bootable. | ||
| Now the partition layout should look similar to the following. |
There was a problem hiding this comment.
| For a BIOS/MBR system, Create a single physical partition on the disk using | |
| [cfdisk](https://man.voidlinux.org/cfdisk) with a `dos` label type, Mark it as bootable. | |
| Now the partition layout should look similar to the following. | |
| For a BIOS system, create a single physical partition on the disk using | |
| [cfdisk](https://man.voidlinux.org/cfdisk) with a `dos` label type. Make sure to mark the partition bootable. | |
| The layout should look like the following. |
Again, "like" to "similar to" is a preference change that we don't need to make.
There was a problem hiding this comment.
Yes, that's the point of a review. The point is to avoid making stylistic changes to an existing guide when there is no functional purpose for them.
BIOS/MBR is unnecessary because you already instruct people to make a 'dos' label, which is the nomenclature for MBR in the partition program.
| # fdisk -l /dev/vda | ||
| Disk /dev/vda: 48 GiB, 51539607552 bytes, 100663296 sectors |
| Units: sectors of 1 * 512 = 512 bytes | ||
| Sector size (logical/physical): 512 bytes / 512 bytes | ||
| I/O size (minimum/optimal): 512 bytes / 512 bytes | ||
| Disklabel type: dos | ||
| Disk identifier: 0x4d532059 | ||
|
|
||
| Device Boot Start End Sectors Size Id Type | ||
| /dev/sda1 * 2048 100663295 100661248 48G 83 Linux | ||
| /dev/vda1 * 2048 100663295 100661248 48G 83 Linux |
| ``` | ||
|
|
||
| UEFI systems will need the disk to have a GPT disklabel and an EFI system | ||
| partition. The required size for this may vary depending on needs, but 100M | ||
| should be enough for most cases. For an EFI system, the partition layout should | ||
| look like the following. | ||
| look similar to the following. |
|
|
||
| ``` | ||
| # blkid -o value -s UUID /dev/sda1 | ||
| 135f3c06-26a0-437f-a05e-287b036440a4 | ||
| # blkid -o value -s UUID /dev/vda2 |
There was a problem hiding this comment.
| # blkid -o value -s UUID /dev/vda2 | |
| # blkid -o value -s UUID "${LUKSPART}" |
| Next, Edit the `GRUB_CMDLINE_LINUX_DEFAULT=` line in `/etc/default/grub` and add | ||
| `rd.luks.uuid=ADD-UUID-FROM-BLKID-COMMAND-HERE` to it, If you are on a LVM configuration | ||
| also add `rd.lvm.vg=voidvm`. |
There was a problem hiding this comment.
| Next, Edit the `GRUB_CMDLINE_LINUX_DEFAULT=` line in `/etc/default/grub` and add | |
| `rd.luks.uuid=ADD-UUID-FROM-BLKID-COMMAND-HERE` to it, If you are on a LVM configuration | |
| also add `rd.lvm.vg=voidvm`. | |
| Edit the `GRUB_CMDLINE_LINUX_DEFAULT=` line in `/etc/default/grub` and add | |
| `rd.lvm.vg=voidvm rd.luks.uuid=<UUID>` to it. Make sure the UUID matches the one | |
| for the [blkid(8)](https://man.voidlinux.org/blkid.8) command above. |
| ``` | ||
|
|
||
| ``` | ||
| voidvm UUID=ADD-UUID-FROM-BLKID-COMMAND-HERE /boot/volume.key luks |
There was a problem hiding this comment.
Refer to the LUKSPART variable to avoid repeatedly noting the distinction between BIOS and UEFI.
| ``` | ||
| # grub-install /dev/sda | ||
| # grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id="Void" |
There was a problem hiding this comment.
| # grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id="Void" | |
| # grub-install --target=x86_64-efi --bootloader-id="Void" |
I assume it isn't necessary to specify a path to /boot/efi and I recommend against the change from /boot/efi to /efi. However, I don't know anything about GRUB, so --efi-directory=/boot/efi may still be required.
There was a problem hiding this comment.
The disadvantage is that you have to specify the alternative path for GRUB.
The possibility of an Evil Maid attack has nothing to do with the mount point of the EFI system partition. You add no defense by mounting it somewhere else.
There was a problem hiding this comment.
In this guide, /boot is encrypted already, so I'm not sure what you mean. ESP is going to be subject to Evil Maid no matter where it gets mounted, since itsn't encrypted.
| ``` | ||
|
|
||
| If you are using a LVM configuration you will need to run the following commands before continuing with the rest of the commands. | ||
|
|
||
| ``` | ||
| # lvchange -an voidvm | ||
|
|
||
| # cryptsetup close /dev/voidvm/root | ||
| ``` | ||
|
|
||
| Finally, Close the encrypted partition and reboot the system. | ||
|
|
||
| ``` | ||
| # cryptsetup close /dev/mapper/voidvm |
There was a problem hiding this comment.
Does any of this matter? If so:
| ``` | |
| If you are using a LVM configuration you will need to run the following commands before continuing with the rest of the commands. | |
| ``` | |
| # lvchange -an voidvm | |
| # cryptsetup close /dev/voidvm/root | |
| ``` | |
| Finally, Close the encrypted partition and reboot the system. | |
| ``` | |
| # cryptsetup close /dev/mapper/voidvm | |
| # lvchange -an voidvm | |
| # cryptsetup close /dev/mapper/voidvm |
Otherwise, just drop all of this and go straight to the reboot.
|
Very few of these changes are substantive, and ongoing argument about suggestions without proposing alternatives is counterproductive. |
|
It is difficult to have a productive debate when the scope of changes is so broad and there are many points of contention. The nature of the review process is such that, when I criticize your changes as inappropriate or without additive value, your burden is to demonstrate that I am wrong. So far, your responses have been to simply reiterate your preference (which was already implied by your original proposal) or defend your changes as not detracting from the value of the guide. We don't need changes for the sake of change; add positive value or leave it as is. Your adjustments to emphasize UEFI over BIOS booting are reasonable and worth considering. I'd recommend that you resubmit a smaller change set, limited in scope, so we can iterate. If you want to add btrfs to guides, I suggest a second PR that either adds a separate section to this document to highlight differences from the LVM process defined here, or adds a new document that covers the broader btrfs installation procedure with some details about encryption. Throwing btrfs on top of LVM in this document is not particularly instructive and redundant concepts of volume management actually make it a poor suggestion. |
|
I agree with emphasizing UEFI over BIOS booting; this guide was originally written for BIOS booting and then I later added the UEFI notes. I agree with the comments on |
ghost
changed the title
[Deleted]