LVM with /boot on LUKS + GRUB multiboot with Windows on Manjaro

Evening all. I’ve got a laptop, and I need it encrypted in case it gets stolen.

TL;DR: I’m running out of time and really need a working 2FA-based setup, but I want to have my cake and eat it too when it comes to boot times and security.

I like playing around with LUKS and LVM configs to see what combos I can make, but I really need to stop and get this thing working. I’d like to know if what I’m trying to do is even possible. I don’t think I need this much security; I just think this stuff is pretty cool and am interested in the variations that can be achieved with these tools. Encryption and security are going to be important for my career, so I need to know how this stuff works. I’m also going to try using my own signatures for Secure Boot, because I found out evil maid attacks are a thing.

Any help is much appreciated.

I’m trying to get the fastest boot to desktop with as close to full disk encryption as I can. I don’t care about hibernation (it would be a nice bonus), but suspend is a must-have.

I figured I could do this by making a tiny EFI partition, then giving the rest of the drive to a LUKS1 container. LUKS1 would be encrypted with the fastest parameter combo for cryptsetup I can get without completely throwing away encryption. It would use an encrypted keyfile on a USB stick for 2FA. This is just meant to keep novice thieves out of the OS; I don’t expect expert hackers are going to be targeting me any time soon. I want that slot 0 open within 2 seconds of pressing enter on the password (so --iter-time 1000?).

The LUKS1 container would have 3 LVs: boot (unencrypted), root (LUKS2), data (LUKS2), and free space for Windows VM stuff later. I currently have Windows 10 on a second SSD; I’m just going to BitLocker that and add it to GRUB for now.

GRUB would grab the kernel from volgrp/boot (GRUB 2 can read LVM, right? But what about Arch’s GRUB? This is the part I’m not sure is even possible) after it decrypts LUKS1 with the keyfile.

Then root gets decrypted with a key baked into the initramfs via the usual FILES=(/…) in mkinitcpio.conf. (I still don’t really understand how to set this up properly in the GRUB/crypttab conf files.)

Root and data would each be encrypted again with two different, larger keys, each with harsher cryptsetup params.

Root is only using a key so I don’t have to enter a password twice, so it doesn’t have to be the most secure. If they get past the 2FA setup, then they have a right to look at root.

Data, on the other hand, is my Nextcloud sync target that I want to be able to mount anywhere and symlink to. However, from my experience with the Manjaro KDE auto LUKS config, decrypting can take a good 5-10+ seconds. I don’t mind paying that price after I get to the desktop, when I’m not really using the data. I could even have it pull a key from a server or something for the epitome of 2FA. Put it in a cron job or something to decrypt it in the background, then mount and link everything.

Side questions:

Does having a robust LUKS setup (large keyfile, sha512, high iter time on the passphrase to decrypt the keyfile) mean that individual reads and writes to the mapped “plaintext” container take longer?

Should I just go with a detached header + passphrase-encrypted keyfile on a USB stick so the machine isn’t decryptable at all without the USB? That’s effectively what I’m doing here, I guess.
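The stack described in this post (tiny EFI partition, LUKS1 container, LVM volume group `volgrp` with a plain `boot` LV and LUKS2 `root` and `data` LVs), rehearsed on a throwaway disk image so the layout and unlock order can be checked before touching the real laptop. This is an added example, not code from the original post or from Manjaro/Arch; the mapper names (`cryptouter`, `cryptroot`, `cryptdata`), the key paths under `/etc/keys`, the image file and the rehearsal passphrase are all constructed assumptions. One point the post's plan does not cover: GRUB's unlock of the outer container only serves GRUB's own reads of the kernel and initramfs, so Linux has to reopen that container itself. The rehearsal therefore adds a second keyslot to the outer container for a keyfile shipped inside the initramfs (which itself lives on the encrypted `boot` LV), alongside the key for `root` that the post already plans. The hook order follows the Arch wiki's `sd-encrypt` + `lvm2` pattern; treating it as sufficient for the nested LUKS-in-LVM-in-LUKS case is an assumption to verify on the rehearsal image.

```sh
#!/bin/sh
# Added example, not from the original post: rehearse the proposed
# EFI + LUKS1 -> LVM(volgrp) -> {boot, LUKS2 root, LUKS2 data} stack on a
# throwaway image file and render the config fragments that wire it into
# mkinitcpio and GRUB. Mapper names, key paths, image path and passphrase are
# constructed assumptions. build/verify/teardown need root, cryptsetup, lvm2
# and loop devices; the render_* functions are pure and run anywhere.
set -eu

IMG=${IMG:-/tmp/stack-rehearsal.img}          # constructed image, not a real disk
KEYS=${KEYS:-/tmp/stack-rehearsal-keys}       # stand-in for /etc/keys
VG=volgrp                                     # VG name used in the post
OUTER_PASS=${OUTER_PASS:-rehearsal-only-pass} # slot 0, what GRUB prompts for

# /etc/crypttab.initramfs for the sd-encrypt hook. GRUB's unlock does not carry
# over into Linux, so the initramfs reopens the outer LUKS1 container with a
# key file shipped inside it, then opens the LUKS2 root LV once LVM is active.
render_crypttab_initramfs() {
  printf 'cryptouter UUID=%s /etc/keys/outer.key luks\n' "$1"
  printf 'cryptroot UUID=%s /etc/keys/root.key luks\n' "$2"
}

# /etc/crypttab: the data LV is opened after login (noauto) with its own key.
render_crypttab_data() {
  printf 'cryptdata UUID=%s /etc/keys/data.key luks,noauto\n' "$1"
}

# mkinitcpio.conf lines: ship both keys in the initramfs (it sits on the boot LV
# inside the outer container) and use the systemd hooks for the nested device.
render_mkinitcpio_fragment() {
  printf 'FILES=(/etc/keys/outer.key /etc/keys/root.key)\n'
  printf 'HOOKS=(base systemd autodetect modconf keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck)\n'
}

# /etc/default/grub line that lets GRUB open the LUKS1 container and read volgrp/boot.
render_grub_fragment() { printf 'GRUB_ENABLE_CRYPTODISK=y\n'; }

new_key() { dd if=/dev/urandom of="$1" bs=512 count=8 status=none; chmod 600 "$1"; }

build_stack() {
  mkdir -p "$KEYS"; chmod 700 "$KEYS"
  truncate -s 2G "$IMG"
  printf 'label: gpt\nsize=128M, type=uefi\ntype=linux\n' | sfdisk -q "$IMG"
  LOOP=$(losetup -P --find --show "$IMG")
  # outer container: LUKS1 (GRUB-readable), fast PBKDF2 on slot 0 as the post wants
  printf %s "$OUTER_PASS" | cryptsetup luksFormat --type luks1 -q --iter-time 1000 --key-file - "${LOOP}p2"
  new_key "$KEYS/outer.key"
  printf %s "$OUTER_PASS" | cryptsetup luksAddKey --key-file - "${LOOP}p2" "$KEYS/outer.key"
  cryptsetup open --key-file "$KEYS/outer.key" "${LOOP}p2" cryptouter
  pvcreate -q /dev/mapper/cryptouter
  vgcreate -q "$VG" /dev/mapper/cryptouter
  lvcreate -q -y -L 256M -n boot "$VG"
  lvcreate -q -y -L 768M -n root "$VG"
  lvcreate -q -y -L 512M -n data "$VG"
  mkfs.ext4 -q "/dev/$VG/boot"   # plain filesystem, protected only by the outer container
  # inner volumes: LUKS2 with argon2id and a slower unlock, each with its own key
  for lv in root data; do
    new_key "$KEYS/$lv.key"
    cryptsetup luksFormat --type luks2 -q --pbkdf argon2id --iter-time 4000 --key-file "$KEYS/$lv.key" "/dev/$VG/$lv"
    cryptsetup open --key-file "$KEYS/$lv.key" "/dev/$VG/$lv" "crypt$lv"
    mkfs.ext4 -q "/dev/mapper/crypt$lv"
  done
  echo "$LOOP" > "$KEYS/loopdev"
}

verify_stack() {
  LOOP=$(cat "$KEYS/loopdev")
  printf 'outer: '; cryptsetup luksDump "${LOOP}p2" | grep -m1 '^Version'
  for lv in root data; do
    printf '%s: ' "$lv"; cryptsetup luksDump "/dev/$VG/$lv" | grep -m1 '^Version'
  done
  # the rehearsal UUIDs feed the fragments; substitute the real ones on the laptop
  render_crypttab_initramfs "$(cryptsetup luksUUID "${LOOP}p2")" "$(cryptsetup luksUUID "/dev/$VG/root")"
  render_crypttab_data "$(cryptsetup luksUUID "/dev/$VG/data")"
  render_mkinitcpio_fragment; render_grub_fragment
}

teardown() {
  LOOP=$(cat "$KEYS/loopdev")
  cryptsetup close cryptdata; cryptsetup close cryptroot
  vgchange -q -an "$VG"; cryptsetup close cryptouter
  losetup -d "$LOOP"; rm -rf "$IMG" "$KEYS"
}

case ${1:-} in
  build) build_stack ;; verify) verify_stack ;; teardown) teardown ;;
esac
```

Run it as root as `sh rehearse.sh build`, then `verify` (which should report `Version: 1` for the outer device and `Version: 2` for root and data, followed by the config fragments), then `teardown`. On the real install the keys belong in `/etc/keys` with mode 600, the generated initramfs images in `/boot` should also be mode 600, and `grub-install`/`grub-mkconfig` run after `GRUB_ENABLE_CRYPTODISK=y` is set. Unlocking the outer container in GRUB with a USB keyfile rather than a passphrase is outside what this rehearsal covers.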