[bug#49654] [PATCH] doc: Add full disc encryption guide to the cookbook

[Giovanni Biscuolo <g@xelera.eu>]

[-- Attachment #1: Type: text/plain, Size: 5614 bytes --]

Hi Joshua

Joshua Branson <jbranso@dismail.de> writes:

[...]

>> Why using two BTRFS volumes on top of LVM and not directly using BTRFS
>> (with subvolumes if you want) on top of /dev/mapper/partname?
>
> This is probably a good idea...however does the grub payload support
> this?

Do you mean: does grub support booting from encrypted BTRFS?  The answer
is yes.

WARNING: I've (still) not tried myself to boot Guix System using an
encrypted BTRFS (sub)volume but I'm pretty confident that Guix is
configuring grub with the needed modules (luks and btrfs)

[...]

>> I'm still using LVM on some "legacy" systems but for new installations
>> I'd strogly suggest starting using BTRFS on top of "physical"
>> partitions.
>
> does btrfs volume manage allow use to use ext4, jfs, or xfs
> filesystems?

No: BTRFS is a volume manager and a filesystem "all in one", you cannot
create a BRTFS subvolume and format it with another filesystem

> Or does on LVM do that?

LVM is "just" a volume manager with no idea about the overlaying
filesystem


[...]

>> I know that since Linux 2.6 swapfile performance is not a big issue if
>> the file is unfragmented (and it'll be for sure on newly partitioned
>> filesystems) but AFAIU swap files are still a little bit problematic on
>> BTRFS
>> https://btrfs.wiki.kernel.org/index.php/FAQ#Does_Btrfs_support_swap_files.3F:
>
> Ok...maybe we could use ext4 for the swap file?  Is there a better
> filesystem?  Again does btrfs volume management allow the swap file to
> be ext4?

No, al explained above

> Or do we have to use LVM?

If we use a dedicated partition for swap there is no need to set up an
LVM volume (phisical, VG and then logical): we can just create a
dedicate partition during partitioning, encrypt it with LUKS and
"mkswap" it (e.g. mkswap /dev/mapper/<encrypted_swap>)

[...]

>> Final note: AFAIU BTRFS supports swap files ONLY in single device
>> settings (that is: NO swap file support on multi device settings), so
>> IMHO it's better to use a dedicated partition for the swap space so
>> users are free to switch to a multi-device setting if they wish (and
>> can).
>
> Ok, I will create a dedicated partition and format it with ext4
> and the swap program

There's no need to format (mkfs.ext4) the partition with ext4, just
"mkswap" it :-)

> ...but I will probably need help figuring out how to encrypt
> the swap partition...There are guides online that I can look at...

You have to encrypt it like any other partition, e.g.:

--8<---------------cut here---------------start------------->8---

Encrypt swap the partition. Follow the prompts.

@example
cryptsetup --verbose --hash whirlpool --cipher serpent-xts-plain64 \
--verify-passphrase --use-random --key-size 512 --iter-time 500 \
luksFormat /dev/<swap_partition>
@end example

Obtain and note down the UUID of the LUKS partition.

@example
cryptsetup --verbose luksUUID /dev/<swap_partition>
@end example

Open the encrypted partition, where @code{luks-uuid} is the LUKS UUID,
and @code{crypt_swap01} is any desired name for the decrypted swap
partition.

@example
cryptsetup --verbose luksOpen UUID=luks-uuid crypt_swap01
@end example

Format the encrypted swap

@example
mkswap /dev/mapper/crypt_swap01
@end example

--8<---------------cut here---------------end--------------->8---

Then, in our (operating-system) declaration, we have to use something
like this:
--8<---------------cut here---------------start------------->8---

  (mapped-devices
   (list
    (mapped-device
     (source (uuid "LUKS-UUID"))
     (target "partname")
     (type luks-device-mapping))
    ;; This is our new encrypted swap partition
    (mapped-device
     (source
      (uuid "SWAP-LUKS-UUID"))
     (target "crypt_swap01")
     (type luks-device-mapping))
    (mapped-device
     (source "vgname")
     (targets
      (list
       "vgname-lvnameroot"
       "vgname-lvnamehome"))
     (type lvm-device-mapping))))

  (swap-devices
   (list
    "/dev/mapper/crypt_swap01"))

--8<---------------cut here---------------end--------------->8---

WARNING: please consider I've not tested this code.

>> The problem with a fully encrypted dedicated swap partition is that
>> it'll require a third passphrase prompt on boot (the one to unlock the
>> swap partition), but that's a minor annoyance IMHO.
>
> Oh no!  I hadn't thought about that!  grrr!

Actually what I said it's NOT true... or better: we could avoid the
(third) password prompt for the swap partition if we _add_ a keyfile to
the LUKS encrypted swap partition _and_ we have a mechanism to
"luksOpen" that mapped volume using that keyfile.

I'm not aware of such a mechanism on Guix Systems, in Debian (et al)
this is done with /etc/crypttab, AFAIU the luks-device-mapping lacks the
option to specify a keyfile.

So, as far as this cookbook section is concerned, unfortunately when
using a dedicated encrypted swap partition an additional passphrase
prompt will be presented to the user at each boot.

> I wonder if bcachefs is better than btrfs...well I guess it's not
> merged yet.

No, still not.  AFAIU also still not available in Guix.

> What about instead of using a swap file we use zram?

Never used zram and I don't know if it's supported (I mean configured by
(operating-system)) on Guix System

[...]

Sorry I've more issues than answers on this topics, nevertheless I hope
it somway helps.

Thanks! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 849 bytes --]