[RESPONDED] Any issues with LUKS or full disk encryption in general?

Chiraag_Nataraj · December 6, 2021, 5:18pm

Hmm, it shouldn’t take that much longer to get to the login screen. Maybe a few seconds longer or so, but not 23s.

Paul_Stone · December 6, 2021, 8:23pm

I don’t know what might contribute to a long startup time. I have a 2TB disk. This start-up time is acceptable for me.

I occasionally mis-type my passphrase, which drops me to a grub rescue prompt. I just power-cycle and enter the passphrase again.

My laptop is quite snappy, so I’ll stick with the full disk encryption.

Chiraag_Nataraj · December 6, 2021, 8:31pm

Yeah, this is why I use an unencrypted /boot partition. That way, the OS handles the decryption (not GRUB) and lets you try multiple times (it also supports LUKS2, which is way better in so many ways).

Paul_Stone · December 6, 2021, 10:02pm

I see. Thanks for the suggestion. I will try that. Seems like that should allow it to boot up much faster.

Some references:

https://linux-blog.anracom.com/2018/11/30/full-encryption-with-luks-sha512-aes-xts-plain64-grub2-really-slow/

Chiraag_Nataraj · December 6, 2021, 10:56pm

To give you some details, this is what my current partition layout looks like on my desktop:

NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                       8:0    0   1.8T  0 disk  
└─sda1                    8:1    0   1.8T  0 part  
  └─sda1_crypt          254:3    0   1.8T  0 crypt 
    └─Crypto--Data-Home 254:4    0   1.8T  0 lvm   /home
nvme0n1                 259:0    0 465.8G  0 disk  
├─nvme0n1p1             259:1    0   476M  0 part  /boot/efi
├─nvme0n1p2             259:2    0   477M  0 part  /boot
└─nvme0n1p3             259:3    0 464.8G  0 part  
  └─nvme0n1p3_crypt     254:0    0 464.8G  0 crypt 
    ├─Crypto-Root       254:1    0 425.6G  0 lvm   /
    └─Crypto-Swap       254:2    0  29.8G  0 lvm   [SWAP]

nvme0n1p1 here is the ESP (EFI System Partition). nvme0n1p2 is my unencrypted boot partition. nvme0n1p3 is just a giant encrypted block. Inside nvme0n1p3_crypt (the name for the mounted encrypted volume), I have a LVM setup with two volumes: Crypto-Root (for /) and Crypto-Swap (for swap). Meanwhile, sda1 is a giant encrypted block. Inside sda1_crypt (the name for the mounted encrypted volume), I have a LVM setup with only one volume: Crypto--Data-Home (for /home).

The only difference with my Framework is that /home gets put in the same volume group as / and swap (since there’s only one storage medium on there). So basically, you’d see Crypto-Home in addition to Crypto-Root and Crypto-Swap. Everything else (crucially, the setup of /boot/efi and /boot) remains the same.

Paul_Stone · December 7, 2021, 1:04am

Thanks! It turns out that my /boot/efi is not encrypted. So, I don’t know why it’s taking so long to boot up.

Edit: I ran the following command, and it took 3 seconds.

sudo cryptsetup -v luksOpen --test-passphrase /dev/nvme0n1p2

Edit 2: Oh, here is a video on how to set this up with /boot unencrypted. Now I notice above that you have both /boot and /boot/efi. So, I need to add that unencrypted /boot partition. Right now it’s under the ‘/’ mountpoint.

Chiraag_Nataraj · December 7, 2021, 1:29am

Are your kernels stored in /boot/efi? Or in /boot? Because if they’re stored in /boot and you don’t have a separate (unencrypted) /boot partition, you’ll run into slow boots since GRUB has to handle the decryption.

Chiraag_Nataraj · December 7, 2021, 1:34am

Exactly! Sometimes people will setup their ESP as their /boot partition, but I don’t like to do that since that partition has to be VFAT, whereas I would prefer my /boot partition to be a regular (read: ext4) partition. Hence I keep separate /boot and /boot/efi partitions.

Paul_Stone · December 11, 2021, 6:02am

It was a little tricky, but if anyone installing Manjaro wants a quicker boot experience, I’ve put some instructions on how to do that over here:

github.com/calamares/calamares

Add an option to not encrypt /boot

opened 11:29AM - 29 Jan 20 UTC

Bleuzen

N partitioning feature: new help: wanted

Hi, I would really like to see an option to enable encryption in the installer, …but not encrypt /boot. This has multiple advantages: - **decryption is much, much faster, because it can use hardware acceleration** decryption with encrypted /boot (in grub) can take about 20 - 30 seconds on my machine and I'm not alone - **you have multiple tries to enter your password** this is not possible in grub currently. If you put in the wrong password, you have to reboot, which is very frustrating, because checking the password takes so long every time - **the correct keyboard layout is loaded** if decrypting in grub, the local key map is not loaded and so you can't use special chars in your password. Leaving /boot unencrypted and do the os do the decryption fixes this. - **luks-2 is currently not supported in grub** I really like to use luks-2, because, you know, it is 2020 and luks-2 is out for some time already and has some advantages I like to use. With encrypted /boot, this would currently not be possible. Maybe there are more points, but that are the one that got me to leave /boot unencryped. Also, all the other distros I tried so far do NOT encrypt /boot too. (examples would be Pop OS / Fedora / ...). In my opinion, it is not worth it to encrypt boot. You are giving up too much. If someone is really paranoid, they should store their /boot on an external usb device that they watch all day an night anyway. So I think a checkbox in Calamares about encrypting /boot or not would be really nice.

github.com/calamares/calamares

Add an option to not encrypt /boot

opened 11:29AM - 29 Jan 20 UTC

Bleuzen

N partitioning feature: new help: wanted

Hi, I would really like to see an option to enable encryption in the installer, …but not encrypt /boot. This has multiple advantages: - **decryption is much, much faster, because it can use hardware acceleration** decryption with encrypted /boot (in grub) can take about 20 - 30 seconds on my machine and I'm not alone - **you have multiple tries to enter your password** this is not possible in grub currently. If you put in the wrong password, you have to reboot, which is very frustrating, because checking the password takes so long every time - **the correct keyboard layout is loaded** if decrypting in grub, the local key map is not loaded and so you can't use special chars in your password. Leaving /boot unencrypted and do the os do the decryption fixes this. - **luks-2 is currently not supported in grub** I really like to use luks-2, because, you know, it is 2020 and luks-2 is out for some time already and has some advantages I like to use. With encrypted /boot, this would currently not be possible. Maybe there are more points, but that are the one that got me to leave /boot unencryped. Also, all the other distros I tried so far do NOT encrypt /boot too. (examples would be Pop OS / Fedora / ...). In my opinion, it is not worth it to encrypt boot. You are giving up too much. If someone is really paranoid, they should store their /boot on an external usb device that they watch all day an night anyway. So I think a checkbox in Calamares about encrypting /boot or not would be really nice.

In short, with the calamares installer (which is what Manjaro uses) you would need to partition manually with an unencrypted /boot/ partition. When you specify that partition, it seems that you must supply a trailing /. Additionally, you will need to update grub, per the instructions which I linked to, after booting into the newly installed system in order to avoid being prompted an extra time for the encryption passphrase (which it doesn’t need in order to open the boot partition).

Paul_Stone · December 11, 2021, 5:21pm

So, the next problem is that I don’t know how to get the encrypted swap partition working, let alone get it working for hibernation. By default, the swap partition is not being used, and my attempts to turn it on have not been successful.

The desired setup would have the root partition and swap partition in the same encrypted container, as Chiraag_Nataraj indicated above, in order to avoid having to enter the encryption passphrase twice. However, the path of least resistance for me may be to use an encrypted swap file on the root partition.

Chiraag_Nataraj · December 11, 2021, 7:50pm

@Paul_Stone Here’s how I setup partitions during install (I installed Debian, but the partitioner should be fairly similar if you do the manual partitions):

Delete existing partition table. Yes, that includes the EFI partition if you have one, since you’ll recreate it anyway.
Create a new partition. Set the type to EFI and the size to whatever you want (looking at my current desktop, I set it to about 500MiB).
Create a new partition. Set the type to ext4, the mountpoint to /boot, and the size to whatever you want (again, I use about 500MiB on my desktop).
Create a new partition. Set the type to crypt and set it to use the rest of the disk.
In Debian, there’s another sub-menu at the partitioner to setup encrypted volumes, and I enter that and setup my passphrase and such at this step. I don’t know if Calamares does something similar or if it comes up at the previous step when you set the type of the partition to crypt. Either way, I will assume that at this point, you have created an encrypted container which takes up the rest of the disk (after your EFI partition and /boot).
Now, at the partitioner’s main screen, I see a new ‘disk’, which is the encrypted volume I setup and has been mounted to expose the internal space.
Create a new partition in the encrypted volume and let it take up the entire space. Set the type to LVM.
Now, in Debian, there’s another submenu to setup LVM, so I enter that.
Here, I can create a volume group (I usually name it Crypto) and several logical volumes inside of that volume crypto. This is where I create Root, Home, and Swap.
Once I exit the LVM setup, I see that three new ‘disks’ have appeared, each one corresponding to a logical volume I created and unformatted at the moment.
At this point, I can go to each of those and setup the appropriate partitions (/, /home, and swap).
Once the install completes, everything should “Just Work”.

The one thing I don’t know is if Calamares uses a partitioner other than partman (which is what Debian uses). If it does, then the way the options are exposed to you (especially for crypto and LVM) may be different.

Paul_Stone · December 13, 2021, 7:25pm

Thanks so much, Chiraag_Nataraj.

I think there is some LVM setup capability in the Calamares installer. I will look into this further when I get a chance.

Dheera_Venkatraman · December 20, 2021, 4:55am

Yes. Major speed issues with LUKS.
My 7000 MB/s drive craps out at 900 MB/s with LUKS. All the NVMe advantage goes to trash. Could have gotten those speeds with SATA.

I’m wondering if I use an unencrypted Ubuntu install with a BIOS-set HDD password on a Samsung 980 Pro actually encrypts the drive properly. If so that would probably be much better performance.

reanimus · December 20, 2021, 6:07am

This seems pretty accurate. Just ran some read-only benchmarks:

Stefan_Wiegmann · December 30, 2021, 6:02pm

I read your last comments a little confused. I encrypted root and I am booting way quicker than 20 seconds until login screen, more like 2-4, at most. I don’t think your speed problems are as black and white as encryption yes/no. There’s something else cooking.

Myles_Dear · April 9, 2024, 2:03am

Hi, sorry to be waking up an old post, but the frame.work support team pointed me here.

I am installing Jammy Jellyfish Ubuntu 22.04 on a frame.work 13" chassis and I wish to engage LUKS encryption. The stock installer allows for this, but after USB install complete and booting from SSD the laptop asks for the decryption password each and every time. I wish to automate this and also make use of the inbuilt TPM2 chip to hold the appropriate secret. Do you have a detailed set of instructions on how to engage LUKS on a 13" chassis with Intel Gen11 mobo making use of the TPM2 capabilities? I want a system as easy and transparent as BitLocker while still providing storage encryption. ChatGPT says this is a tricky and delicate process and may change depending on the specific models of firmware and hardware involved, so I wish to hear this from you first. I’ll also check on the community forums for driver pack install (once I can actually get a shell coming up after putting the LUKS issue to bed that is).

Right now I’m dead in the water because the very password I used when the installer asked for (and wrote it down carefully in my secure vault and retyped at SSD boot time) is rejected and ultimately does not work. My next step is likely to boot from the stock installer USB stick and somehow get into a manual root shell and skip the install step, so I’m running entirely from the USB (not quite sure how to do this), and then work some kind of magic to either reset the LUKS password or manually unlock it as root…

I should also note that the CAPS lock light does not toggle on my stock keyboard so I tried entering my password, and when it failed pressed the CAPS lock sight unseen and retried the same password

Any next steps? I tried my ChatGPT but I think this sequence is too detailed and I’m bound to do something wrong by following less informed directions.

Thanks.

Ulmondil · April 9, 2024, 11:31am

Not an expert but I’m myself using disk encryption with TPM unlock on Ubuntu: some word might not be 100% accurate.

Ah… chatgpt… Not sure where that info came from…
The only part firmware specific is probably settings up Secure Boot with a custom new key. I have a FW 13 AMD and adding a db key was pretty easy compared to my experience with bios/uefi setting in other laptops. I think uefi setting are a little different in FW13 Intel 11th but shouldn’t be too hard to find the right options. Worst case scenario you need to use EFI key tool(see the link below).

You want secure boot enabled to validate your boot components because don’t want someone who has stolen your device to boot an altered boot stack to get your TPM secret.

Moreover you have to decide under which conditions the TPM secret can be obtained. You have to choose a set of PCR. Depending on your choice you may have to enter your password during boot after a kernel upgrade or after a firmware upgrade. So you still need a password.

Using TPM2 unlock on Ubuntu 22.04 is possibile. I use it on Ubuntu 23.10 and PopOS 22.04. Still it’s harder than it is on other distros. Fedora for example ships some more modern version of some tools (systemd-cryptenroll & co.) and I’ve noticed that guide for fedora are shorter than those for debian/Ubuntu.

I hope that the upcoming Ubuntu 24.04 version will make stuff easier. Haven’t check yet.

On this forum this thread is for fedora:

For debian/Ubuntu this is the way:

https://blastrock.github.io/fde-tpm-sb.html

Both links also covers encrypted hibernation. If you don’t feel like compiling the kernel and you don’t care about hibernation skip that part

I haven’t fully understood the situation. Were you installing or have you already installed Ubuntu 22.04?

To diagnose boot/LUKS/disk-related issues a good idea is to boot a live iso from usb. This way you have a full system available. In the initramfs the diagnostic tools are limited.

If you don’t use US keyboard beware of using the correct keyboard layout when you enter your password.

Myles_Dear · April 9, 2024, 1:01pm

Thanks very much for the replies. I started with a completely empty SSD, this is a brand new system I’m setting up.

I may try re-installing from scratch since even with entering the password twice I might have made a keying error.

I am using a typical US keyboard.

Can I use the Ubuntu install ISO as a “live boot” product and boot into the key instead of doing an installation?

I will never be using hibernation or suspension since the purpose of this sytem is to be an always-on crypto miner / validator (I could be docked if the machine is offline).

I’ll do more research to determine the appropriate PCR settings.

Update : After some consideration, I have decided this is much too volatile a setup for my home server. I will forego disk encryption entirely. I yearn for a solution as easy to engage / disengage as Windows BitLocker. Too many opportunities to cause huge damage if I get something little wrong - I see this whole subsystem as very brittle, especially for those who don’t have decades of experience. This server will be operating on mission-critical data but I lack the confidence to move forwards with disk encryption. Thanks to all who responded.

Matt_Hartley · April 9, 2024, 6:45pm

I use it on Fedora, I do not use it on Ubuntu myself. LUKS in and of itself, is fine and reliable.

jared_kidd · April 9, 2024, 7:35pm

I know this is an old thread, but just throwing in that luks works fine on the Framework 16. No reason for it not to.

In my particular case, I have standard EFI partition, and a few unencrypted boot partitions for various OS’, then a massive LUKs encrypted btrfs formatted partition for the rest of the drive, which currently contains Fedora 39, Ubuntu 22.04, and Arch Linux all installed under their own designated subvolumes. This way all three OSs are unlocked with the same luks password and space isn’t wasted.