How to enable LUKS / Encryption? #65
It's not possible for an image that has already been baked; luks encryption is created before the image is baked and data is written to the partition. Possible solution.
Original
Changed to something like this
TAKE the information below with a grain of salt. I'm not 100% sure 👍🏻. One of the reasons the luks images are not provided is that the encryption key is shared between images after installation. So even though you change your LUKS password with something like:
The encryption key (volume key) is accessible only with a different password, but it's the same key!!! Actually, I checked the specification -> https://gitlab.com/cryptsetup/LUKS2-docs/blob/main/luks2_doc_wip.pdf And there is section 4.9 reencryption. It should be possible to have a common password for images and then inform the user that it is necessary to re-encrypt the device after changing the password. Something like
I'm sorry, but I do not have an ARM64 builder ATM to check it. However, this should give you a rough idea of how you can safely achieve full encryption.
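To make the volume-key point above concrete, here is a small Python model of LUKS2 key handling (an added example, not code from this project or from cryptsetup). It assumes a simplified keyslot wrapping (XOR with a PBKDF2-derived pad instead of LUKS's anti-forensic split plus AES) and a constructed iteration count; the structure (keyslot, digest, change-key versus re-encrypt) follows the LUKS2 design the comment links to.

```python
import hashlib
import os
import secrets

KDF_ITERS = 10_000  # constructed value; real LUKS2 benchmarks the iteration count
KEY_LEN = 32        # 256-bit volume key, the key that actually encrypts the data

def _kdf(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERS, KEY_LEN)

def _wrap(key: bytes, passphrase: str, salt: bytes) -> bytes:
    # Keyslot content: volume key XORed with a passphrase-derived pad (simplified;
    # real LUKS uses anti-forensic splitting plus AES). XOR is its own inverse.
    pad = _kdf(passphrase, salt)
    return bytes(a ^ b for a, b in zip(key, pad))

def luks_format(passphrase: str, volume_key: bytes = None) -> dict:
    """Create a header. A build that bakes in a fixed volume_key reproduces the
    thread's problem: every installed copy of the image shares that key."""
    vk = secrets.token_bytes(KEY_LEN) if volume_key is None else volume_key
    slot_salt, digest_salt = os.urandom(16), os.urandom(16)
    return {
        "keyslots": [{"salt": slot_salt, "wrapped": _wrap(vk, passphrase, slot_salt)}],
        # LUKS2 'digest' object: lets open verify a candidate key without storing it
        "digest": {"salt": digest_salt, "value": _kdf(vk.hex(), digest_salt)},
    }

def luks_open(header: dict, passphrase: str) -> bytes:
    """Return the volume key if some keyslot opens with passphrase, else ValueError."""
    for slot in header["keyslots"]:
        vk = _wrap(slot["wrapped"], passphrase, slot["salt"])
        if _kdf(vk.hex(), header["digest"]["salt"]) == header["digest"]["value"]:
            return vk
    raise ValueError("no keyslot matches the passphrase")

def luks_change_key(header: dict, old: str, new: str) -> None:
    """Like luksChangeKey: re-wraps the SAME volume key under a new passphrase."""
    vk, salt = luks_open(header, old), os.urandom(16)
    header["keyslots"] = [{"salt": salt, "wrapped": _wrap(vk, new, salt)}]

def luks_reencrypt(header: dict, passphrase: str) -> dict:
    """Like cryptsetup reencrypt: proves the old key, then issues a fresh one."""
    luks_open(header, passphrase)
    return luks_format(passphrase)
```

Two images built from the same header still open to the same volume key after one of them has had its passphrase changed; only a re-encryption gives each install its own key.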
I was able to get this working using the kickstart method above. This even includes using Clevis for Network Bound Disk Encryption. The main gotcha is for some reason the Kernel rpmspec was modified to not regenerate the initramfs, which is a requirement to properly manage FDE with Clevis. I'm not sure who the correct person is to contact about this, regenerating the initramfs should be enabled by some configuration parameter or maybe a meta-package of some description.
I have copied the contents of the image to an NVMe drive. As there is no installer per se, there was no option to enable LUKS on install. I do now want to enable LUKS (or whichever other way to encrypt the full drive), how can I go about it? Thanks in advance.