I’ve been researching Linux FDE, but what I’ve read so far seems a little fuzzy on what they consider “full disk” encryption to include.
I want to encrypt my entire Linux system and leave nothing unencrypted when I walk away from it. I don’t even want the partition tables left unsecured. The only thing I want to leave unencrypted is the boot sector/EFI partition, which I want to have on a USB stick that I can take with me and keep physically secure. I would also prefer to be able to remove the USB stick once the system has finished booting.
I’m willing to get some digital dirt under my fingernails in the terminal to set things up if needed. But I also don’t want to reinvent the wheel if I don’t have to.
Is there currently a standardized/established way of doing what I want on Linux?
I’m not even that attached to Linux, and would be willing to switch over to something like FreeBSD or OpenBSD if it would give me everything I want. (Though I’d prefer to retain the ability to run Steam with Proton, which I believe FreeBSD would enable me to do.) Windows is not an option though.
I saw someone set this up on a customized Gentoo installation. However, he was always forgetting to mount the USB stick on kernel upgrades and ending up with files written to mount point directories that should not have been written there. It was a bit of a mess.
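The failure mode described above (a kernel upgrade landing in an empty /boot directory on the encrypted root because the USB stick was not mounted) is something a kernel hook can refuse to let happen. The script below is an added example, not code from this thread or from the Gentoo setup it describes. It assumes a Debian/Ubuntu-style system, where kernel packages run the executables in /etc/kernel/preinst.d/ before unpacking a new kernel and abort the install if one of them exits non-zero; the paths /boot, /boot/efi and /boot/luks-header.img are placeholders for the poster's actual layout.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to install a new kernel unless
# the USB boot stick is actually mounted where the system expects it.
# Install as /etc/kernel/preinst.d/zz-require-usb-boot and mark it executable.
#
# Assumed layout (hypothetical, adjust to taste): /boot and /boot/efi live on
# the stick, and the detached LUKS header for the root device is a file on it.
REQUIRED_MOUNTS="/boot /boot/efi"
LUKS_HEADER=/boot/luks-header.img

# Return 0 if $1 is a mount point. df -P prints the mount point of the
# filesystem holding a path as its last field; a directory is a mount point
# exactly when that equals the directory's own canonical path.
is_mountpoint() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    fs_root=$(df -P "$dir" | awk 'NR == 2 { print $NF }')
    [ "$dir" = "$fs_root" ]
}

# Check every directory the stick must provide. Reports each one that is not
# a mount point and returns the number of failures (0 means safe to proceed).
check_required_mounts() {
    failed=0
    for mnt in "$@"; do
        if ! is_mountpoint "$mnt"; then
            echo "ERROR: $mnt is not a mount point; is the boot USB stick plugged in and mounted?" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Return 0 if the detached LUKS header file exists and is non-empty.
check_luks_header() {
    if [ ! -s "$1" ]; then
        echo "ERROR: detached LUKS header $1 is missing; refusing to touch /boot" >&2
        return 1
    fi
}

main() {
    # shellcheck disable=SC2086  # word-splitting REQUIRED_MOUNTS is intended
    check_required_mounts $REQUIRED_MOUNTS || exit 1
    check_luks_header "$LUKS_HEADER" || exit 1
    echo "boot media present: $REQUIRED_MOUNTS, header $LUKS_HEADER"
}

# dpkg exports DPKG_MAINTSCRIPT_PACKAGE while maintainer scripts (and the kernel
# hooks they call) run, so the check fires during a kernel install; --check lets
# you run it by hand. Sourcing the file only defines the functions.
if [ -n "${DPKG_MAINTSCRIPT_PACKAGE:-}" ] || [ "${1:-}" = --check ]; then
    main
fi
```

A hook like this only guards the package-manager path; for manual `update-initramfs`, `grub-install` or a hand-built kernel you still need to check by hand, and a matching script in /etc/kernel/postinst.d/ would not help because by then the files have already been written. The mount check deliberately runs before the header check: if /boot is not mounted, a missing header file is expected and the first error message is the useful one.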
You may also want to look into using the TPM and Secure Boot. If you trust the TPM, it holds the encryption keys and will only release them if the CPU ran the correct code. That’s what Windows BitLocker does, and I’ve seen scripts online to do it for Linux.
No, not that I know of. I believe he basically had a UEFI bootable USB stick with /boot and /boot/efi on it. Then he’d customized the initramfs somehow so it decrypted / before doing the switchroot.
That’s OK. I finally found these how-to guides on the coolgeeks101 site that seem to be basically what I’m trying to do. I’m reading them through thoroughly a few times before I try them:
Guide 1: “Full disk encryption Ubuntu, USB boot & detached LUKS header”
Guide 2: “ZFS root on Ubuntu with LUKS encryption and USB boot”
(Well, I see that I can’t include links in my posts, so you’ll just have to look them up on the coolgeeks101 site if you want to check them out. Those are the exact titles above.)
I’m not sure these guides will work for me without (possibly significant) modification though, because I’m not running a pure Ubuntu system. It’s an 18.04 derivative (elementaryOS) that has its own customized installer.