Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-01-03 19:51:03 -05:00
Code Issues Packages Projects Releases Wiki Activity
7f2dee59f0
qubes-doc/installing/encryption-config.md
Andrew David Wong 92b985d079
Replace "sudo" with root prompt for consistency
2016-06-28 05:43:14 -07:00

3.0 KiB
Raw Blame History

layout title permalink
doc Manual Encryption Configuration /doc/encryption-config/

Manual Encryption Configuration

The Qubes installer uses cryptsetup (LUKS/dm-crypt) under the hood. You can configure the encryption options before installing Qubes as follows:

  1. Boot into the installer. Wait for first GUI screen to appear where it asks about language/localization .

  2. Press Ctrl+Alt+F2 on your keyboard to escape to a shell session. (If you are on a laptop, and your laptop keyboard des not work properly, you may have to plug in a USB keyboard.)

  3. Check and adjust the partitioning on the drive you plan to install to with parted. For example, you can leave the partition table as msdos/MBR type, then create a 500 MB ext4 boot partition, a 10 GB swap partition, and use the rest of the drive (minus overprovisioning space for SSDs) for the root partition.

  4. Run to set the LUKS options as you like and set the passphrase:

    # cryptsetup <options> luksFormat <partition>

    For example:

    # cryptsetup -v --hash sha512 --cipher aes-xts-plain64 --key-size 512 --use-random --iter-time 5000 --verify-passphrase luksFormat /dev/sda2

  5. (Optional) Make sure the new container works:

    # cryptsetup open /dev/sda2 test
# mkfs.ext4 /dev/mapper/test
# mount /dev/mapper/test /mnt/test
# umount /dev/mapper/test
# cryptsetup close test

  6. Everything should be set with the preparation, so press Ctrl+Alt+F7 to go back to the GUI installer.

  7. Continue installing as usual. When you get to the disk partitioning/allocation part, pay attention.

  8. When you select the disk, it may complain about only having a few MB of space. Uncheck the "Encrypt and ask me about the passphrase later" box and press the "Custom" button.

  9. In this menu, you should see the unencrypted boot partition and the encrypted LUKS partitions you created earlier. You must unlock the LUKS partition here, i.e. enter passphrases.

  10. Set the mount points on these partitions once they are decrypted. (This part may be a bit glitchy, but you should be able to get it working after a reboot.) For example, set the mount point for the primary LUKS partition as /. Make sure the "Encrypted" box stays checked and that you check the "Format" box (required for the root partition). Similarly, set /boot as the mount point for the unencrypted boot partition and swap as the mount point for the swap partition.

  11. Now the install should complete without any other issues. When it's finished, you'll have LUKS-encrypted partitions with the options you chose above. You can verify this command in dom0:

    # cryptsetup luksDump <partition>

    For example:

    # cryptsetup luksDump /dev/sda2

These instructions were adapted from those provided by Qubes user Jake on the qubes-users mailing list.