Changing SHA256 key-derivation hash to SHA512 on Fedora LUKS2 installation.
In this manual, I want to show you how to convert the key‑derivation hash of your LUKS2‑encrypted Fedora installation from SHA‑256 to SHA‑512. This manual grew out of an earlier manual on how to do the same on *buntu, but I recently tried it and found out how to do it on Fedora 44 Beta.
The only differences are the naming convention of the LUKS partitions and the different initramfs tooling (Dracut).
Again, I will not go into the reasons for doing this, as I presume that if you are reading this manual, you have them.
While migrating to Fedora, I found a better way to do this without needing to chroot into the installation to make complicated configuration changes there. Thus I am updating this article! If you want to see the previous, archived version of this article, here is the link:
Click me for the old version of this article.
So, let’s head to it:
Prerequisites:
1.) Standard installation of Fedora Linux 44 Beta (It may work on older versions, but I tried it on version 44 Beta)
2.) Your partitioning scheme has:
A.) EFI partition (unencrypted) with mount point “/boot/efi”
B.) Boot partition (unencrypted) with mount point “/boot”
C.) Root partition (encrypted) with mount point “/”
3.) Everything is on the same disk
4.) It is encrypted with LUKS2
5.) You backed up your important data or drive before following some random online manual.
Manual:
1.)
First install your distro according to the prerequisites, normally through the live CD installer.
That will install and encrypt it with the weaker SHA-256.
2.)
Once the installation is finished, I recommend rebooting into the live CD/USB session again, since unmounting the partitions after the new WebUI installer finishes is a hassle.
3.)
If you do not want to reboot (step 2), then unmount the LUKS partition on the disk you installed your distro to.
4.)
You will need the original UUID of the LUKS partition, so run:
lsblk -o +UUID
and save the UUID of the LUKS partition encrypting your system partition.
You will need it later.
5.)
Now you will have to dump your master key for re-encryption, which is done by:
(THIS IS VERY SENSITIVE DATA, HANDLE IT ACCORDINGLY – IT IS THE KEY THAT ENCRYPTS YOUR DISK!!)
cryptsetup --dump-master-key luksDump /dev/(#partition encrypting root fs partition)
This will give you output with many things, including “MK Dump:” followed by hexadecimal characters; those hex characters are your master key. It should be 512 bits if you are using a new version of the distro (not to be confused with the key-derivation hash, which is not the master key).
6.)
This key needs to be formatted into a file, which is done by:
printf '\x00\x00\x00\x00\x00\x00\x00\x00' > /tmp/masterkey
where each 00 is a pair of your master key HEX characters, the leading part must always be \x, and the whole string must be enclosed in ''.
You will have more of these HEX characters; I just shortened this command for this manual so it can fit on the page.
This will create the file /tmp/masterkey, which in a live CD/USB session is held in RAM (if under /tmp) and will vanish after a reboot, so do not worry about it.
7.)
Now that we have our master key and the original UUID of the LUKS partition from step 4, we will run luksFormat again on the partition with the same master key and the parameters for a stronger hash function, like this:
cryptsetup --master-key-file=/tmp/masterkey --iter-time=60000 --hash=sha512 luksFormat /dev/(#partition encrypting root fs partition)
Note that --iter-time in the command sets how long the key hash is calculated for (on YOUR CPU); in this case it is set to one minute.
(That is the time you will need to wait at the boot screen for the partition to unlock after you type in your password. A longer time is more secure, so do your research on it and see what fits you.)
You will then be prompted for your password, so fill it in and go brew yourself a coffee or something; this will take some time.
8.)
Then we will restore its original UUID so that we DO NOT have to chroot into our installed system to modify the configuration inside.
cryptsetup luksUUID /dev/(#luks partition) --uuid (#THE ORIGINAL UUID YOU SAVED IN STEP 4)
9.)
Once that is done, run:
sync
and wait, so that you can be sure all changes were written to the disks.
10.) Now just restart the system from the live CD into your installation.
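The whole procedure (steps 4 to 9) as an added example, not part of this manual: a POSIX shell script with the checks I would want before re-formatting a header, namely that the extracted key is exactly "MK bits" long, that the key file round-trips byte for byte, that luksFormat is given the same cipher and key size as the original header (a reused master key only opens the data if those match), and afterwards that every hash recorded in the new header is sha512 and the UUID is back to the original. The device path, the UUID and the key bytes in the sample dump are constructed placeholders, and the parsing assumes the field layout of cryptsetup's luksDump output. One caveat the manual does not spell out: on LUKS2 with the default argon2id PBKDF, --hash selects the anti-forensic splitter hash and the volume-key digest hash while --iter-time tunes the Argon2 cost, so the final check reads both the keyslot "AF hash" lines and the digest "Hash" lines.

```shell
#!/bin/sh
# Added example, not from the original manual.  Device path, UUID and the key
# bytes in SAMPLE_DUMP are constructed placeholders.

# Master key hex -> raw key file.  Uses POSIX octal escapes, so it does not
# depend on bash's printf understanding "\x".  Returns 1 on bad input or if
# the written file does not have the expected number of bytes.
hex_to_keyfile() {
    hex=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'A-F' 'a-f')
    case "$hex" in ''|*[!0-9a-f]*) return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || return 1
    fmt=''
    rest=$hex
    while [ -n "$rest" ]; do
        byte=${rest%"${rest#??}"}            # first two hex chars
        rest=${rest#??}
        fmt="$fmt$(printf '\\%03o' "0x$byte")"   # e.g. 3f -> \077
    done
    ( umask 077; printf "$fmt" > "$2" ) || return 1
    [ "$(wc -c < "$2")" -eq $(( ${#hex} / 2 )) ]
}

# Raw key file -> lowercase hex, to confirm the file round-trips.
keyfile_to_hex() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# The "MK dump:" hex, including its indented continuation lines.
mk_from_dump() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /^mk dump:/ { sub(/^[^:]*:[ \t]*/, ""); inmk = 1; print; next }
        inmk && /^[ \t]+[0-9a-fA-F]/ { print; next }
        inmk { exit }
    ' | tr -d ' \t\n' | tr 'A-F' 'a-f'
}

# "MK bits:" value, passed back to luksFormat as --key-size.
mk_bits_from_dump() {
    printf '%s\n' "$1" | awk -F: '/^MK bits:/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# "Cipher name" and "Cipher mode" joined the way --cipher expects (aes-xts-plain64).
cipher_from_dump() {
    printf '%s\n' "$1" | awk -F: '
        /^Cipher name:/ { gsub(/[ \t]/, "", $2); n = $2 }
        /^Cipher mode:/ { gsub(/[ \t]/, "", $2); m = $2 }
        END { if (n != "" && m != "") print n "-" m }'
}

# Distinct hash names a plain luksDump records for --hash: keyslot "AF hash:"
# lines and digest (or pbkdf2 keyslot) "Hash:" lines.
hashes_in_dump() {
    printf '%s\n' "$1" | awk -F: '/^[ \t]*(AF hash|Hash):/ { gsub(/[ \t]/, "", $2); print $2 }' | sort -u
}

all_hashes_are() {
    [ "$(hashes_in_dump "$1")" = "$2" ]
}

# Steps 4-9 with checks.  Interactive: cryptsetup asks for the passphrase and
# for confirmation.  Run from a live session only, never on a mounted root.
rekey_luks2_sha512() {
    dev=$1
    uuid=$(cryptsetup luksUUID "$dev") || return 1
    dump=$(cryptsetup --dump-master-key luksDump "$dev") || return 1
    hex=$(mk_from_dump "$dump")
    bits=$(mk_bits_from_dump "$dump")
    cipher=$(cipher_from_dump "$dump")
    # two hex chars per byte, eight bits per byte: the key must be exactly MK bits long
    [ -n "$bits" ] && [ $(( ${#hex} * 4 )) -eq "$bits" ] \
        || { echo "master key length does not match MK bits" >&2; return 1; }
    keyfile=/tmp/masterkey                     # tmpfs in a live session
    hex_to_keyfile "$hex" "$keyfile" || return 1
    cryptsetup --type luks2 --cipher "$cipher" --key-size "$bits" \
        --master-key-file "$keyfile" --hash sha512 --iter-time 60000 \
        luksFormat "$dev" || return 1
    cryptsetup luksUUID "$dev" --uuid "$uuid" || return 1
    sync
    rm -f "$keyfile"
    all_hashes_are "$(cryptsetup luksDump "$dev")" sha512 \
        && [ "$(cryptsetup luksUUID "$dev")" = "$uuid" ]
}

# Constructed sample dump: the key bytes are a counting pattern, not a real key.
SAMPLE_DUMP='LUKS header information for /dev/sdX2
Cipher name:    aes
Cipher mode:    xts-plain64
Payload offset: 32768
UUID:           11111111-2222-3333-4444-555555555555
MK bits:        512
MK dump:        00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
                10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
                20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
                30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f'

# Constructed excerpt of a plain luksDump after the change.
SAMPLE_AFTER='Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        AF hash:    sha512
Digests:
  0: pbkdf2
        Hash:       sha512'

# Only touch a device when explicitly asked:  sh rekey.sh /dev/<luks-partition>
if [ $# -eq 1 ]; then
    rekey_luks2_sha512 "$1"
fi
```

The hex-to-file step uses octal escapes, so it also works in shells whose printf does not understand the \x form used in step 6. cryptsetup's luksFormat also accepts --uuid, so steps 7 and 8 can be merged into one luksFormat call if you prefer; the script keeps them separate to mirror the manual.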
That should be it. Also, as I asked in the previous manual, if you know a better way to do it or think some steps in this manual can or should be adjusted, please do not hesitate to write an email to legacy@wo.cz.
Criticism is very welcome.