Encrypt only part of SSD or How to encrypt after installation?
91 views
Skip to first unread message
Daniil .Travnikov
Aug 3, 2018, 3:56:29 AM8/3/18
to qubes-users
I installed Qubes 4.0 and in process of installation I created only
/boot/efi 400MB
/ 240GB
Even I set passphrase in some reason the '/' did not encrypted (maybe I did some mistake) and now I have non-encrypted 240Gb drive with Qubes OS.
I created this volumes manually because I need to install second OS - Windows 7 (multi-boot) on the rest of 250 GB on SSD drive. That's why I can't use the whole drive encryption.
I need only the part of drive to be encrypted.
Now as I can see I have 2 possible variations:
1. Encrypt this 240 GB part of Drive after Qubes 4.0 installation.
2. Re-install Qubes 4.0 with right options in installation process.
Both ways I don't know how to realize. Could anybody knows?
Thanks in advance.
Steve Coleman
Aug 3, 2018, 11:51:42 AM8/3/18
to qubes-users
On 08/03/18 03:56, Daniil .Travnikov wrote:
> I installed Qubes 4.0 and in process of installation I created only
>
> /boot/efi 400MB
> / 240GB
>
> Even I set passphrase in some reason the '/' did not encrypted (maybe I did some mistake) and now I have non-encrypted 240Gb drive with Qubes OS.
partition without a little magic to load the unencrypted executable
image first.
If its an Opal 2.0 compliant drive you can install a Pre-Boot
Authentication (PBA) module that will run when the device it powered up,
and prompt you for a password before the OS actually starts to boot, and
the PBA will then unlock the boot partition so the OS boot cycle can
start. There is source code for the PBA image so you can control what it
actually does.
How do you know if it's Opal? There will be a PSID number printed on the
device. This PSID is the magic number/key needed to reset the device
back to the factory default should you need to do so. It will
*instantly* wipe everything on the device by changing the key, so be
very careful. Actually using the device without doing anything special,
the device is already encrypted but just using the default key.
The tool to manage the device can be found here:
sedutil-cli
https://github.com/Drive-Trust-Alliance/sedutil/wiki/Command-Syntax
Your distribution may have a similar utility by the name msed, but that
is an older version of the above tool.
To encrypt only part of the drive you will need to create a locking
range that spans from the end of the partition table to the end of that
region of the drive (your partition size), and set a password for that
range, and install the PBA of your choice. After unlocking that range
you then partition the drive, writing the disk tables/structures, and
then install your stuff, after the range has already been encrypted.
Locking ranges are very flexible and can even be use to make your boot
partition read-only, or even hide the real partition table until after
the drive has been unlocked. There is a lot of flexibility in the Opal
design.
awokd
Aug 4, 2018, 6:52:39 AM8/4/18
to Steve Coleman, qubes-users
On Fri, August 3, 2018 3:53 pm, Steve Coleman wrote:
>
> On 08/03/18 03:56, Daniil .Travnikov wrote:
>
>> I installed Qubes 4.0 and in process of installation I created only
>>
>>
>> /boot/efi 400MB
>> / 240GB
>>
>>
>> Even I set passphrase in some reason the '/' did not encrypted (maybe I
>> did some mistake) and now I have non-encrypted 240Gb drive with Qubes
>> OS.
>>
>
> That's not a mistake. A computer can not boot from an encrypted
> partition without a little magic to load the unencrypted executable image
> first.
I think Daniil is saying he manually set partitions, and tried to use the
>
> On 08/03/18 03:56, Daniil .Travnikov wrote:
>
>> I installed Qubes 4.0 and in process of installation I created only
>>
>>
>> /boot/efi 400MB
>> / 240GB
>>
>>
>> Even I set passphrase in some reason the '/' did not encrypted (maybe I
>> did some mistake) and now I have non-encrypted 240Gb drive with Qubes
>> OS.
>>
>
> That's not a mistake. A computer can not boot from an encrypted
> partition without a little magic to load the unencrypted executable image
> first.
installer to LUKS encrypt "/", not "/boot/efi".
>> I created this volumes manually because I need to install second OS -
>> Windows 7 (multi-boot) on the rest of 250 GB on SSD drive. That's why I
>> can't use the whole drive encryption.
>>
>> I need only the part of drive to be encrypted.
>>
>>
>>
>>
>> Now as I can see I have 2 possible variations:
>>
>>
>> 1. Encrypt this 240 GB part of Drive after Qubes 4.0 installation.
>> 2. Re-install Qubes 4.0 with right options in installation process.
when creating an individual partition you can check the "Encrypt"
checkbox. Try that for "/" when you re-install.
Reply all
Reply to author
Forward
0 new messages