Changing the SHA-256 key-derivation hash to SHA-512 on a Fedora LUKS2 installation.
In this manual, I want to show you how to convert the key-derivation hash of your LUKS2-encrypted Fedora installation from SHA-256 to SHA-512. It grew out of a previous manual on how to do the same on *buntu; I recently tried it on Fedora 44 Beta and worked out how to do it there.
The only differences are the naming convention for LUKS partitions and the different initramfs tooling (Dracut).
Again, I will not go into the reasons for doing this, as I presume that if you are reading this manual you have them.
So, let’s head to it:
Prerequisites:
1.) A standard installation of Fedora Linux 44 Beta (it may work on older versions, but I tried it on 44 Beta)
2.) Your partitioning scheme has:
A.) an EFI partition (unencrypted) with mount point “/boot/efi”
B.) a boot partition (unencrypted) with mount point “/boot”
C.) a root partition (encrypted) with mount point “/”
3.) Everything is on the same disk
4.) It is encrypted with LUKS2
5.) You have backed up your important data or the whole drive before following some random online manual.
Manual:
1.)
First, install your distro according to the prerequisites, normally through the live CD installer.
That installs it encrypted with the weaker SHA-256.
2.)
Once the installation is finished, I recommend rebooting into the live CD/USB session again, since unmounting the partitions after the new WebUI installer finishes is a hassle.
3.)
If you do not want to reboot (step 2), then unmount all partitions on the disk you installed your distro to.
4.)
Now you have to dump your master key for the re-encryption, which is done with:
(THIS IS VERY SENSITIVE DATA, HANDLE IT ACCORDINGLY – IT IS THE KEY THAT ENCRYPTS YOUR DISK !!)
cryptsetup --dump-master-key luksDump /dev/(#partition encrypting root fs partition)
This prints a lot of information, including a line “MK dump:” followed by hexadecimal characters; those hex characters are your master key.
They should be 512 bits if you are using a recent version of the distro
(not to be confused with the key-derivation hash; the key-derivation hash is not the master key).
5.)
This key needs to be written into a file as raw bytes, which is done with:
printf '\x00\x00\x00\x00\x00\x00\x00\x00' > /tmp/masterkey
where each 00 is one pair of your master key's hex characters, every pair must be prefixed with \x, and the whole string must be enclosed in single quotes ''.
You will have more of these hex pairs; I shortened this command for the manual so it fits on the page.
This creates the file /tmp/masterkey, which in a live CD/USB session lives in RAM (if under /tmp) and vanishes after a reboot, so do not worry about it.
6.)
Now that we have our master key, we re-encrypt the partition with it and with the right parameters for the stronger hash function, like this:
cryptsetup --master-key-file=/tmp/masterkey --iter-time=60000 --hash=sha512 luksFormat /dev/(#partition encrypting root fs partition)
Note that --iter-time in the command sets how long the key hashing should take (on YOUR CPU, in milliseconds); here it is set to one minute.
(That is the time you will wait at the boot screen for the partition to unlock after you type your password. A longer time is more secure, so do your research and see what fits you.)
You will then be prompted for your password; fill it in and go brew yourself a coffee or something, this will take a while.
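Steps 4 to 6 above, as an added example that is not part of the original manual: a small POSIX shell script that parses the “MK dump:” block of luksDump output into the key file luksFormat expects, refuses to write it unless it is exactly 512 bits (64 bytes), and reads it back to confirm. The dump, its key bytes and the /dev/sdX3 path are constructed placeholders, not a real key or device.

```shell
# Added example, not part of the original manual: turn the "MK dump:" block
# that `cryptsetup luksDump --dump-master-key` prints into the raw key file
# read by `cryptsetup luksFormat --master-key-file=...`.  luksFormat with the
# same master key rewrites only the header, so the new header's cipher, key
# size and payload offset must match what luksDump printed.

# Constructed sample dump; the 64 bytes are NOT a real key.  Real output uses
# tabs between the fields; the parser accepts tabs or spaces.
SAMPLE_DUMP='LUKS header information for /dev/sdX3
Cipher name:    aes
Cipher mode:    xts-plain64
Payload offset: 32768
MK bits:        512
MK dump:        01 23 45 67 89 ab cd ef 11 22 33 44 55 66 77 88
                a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90
                ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 0f
                10 20 30 40 50 60 70 80 90 a0 b0 c0 d0 e0 f0 fe'

# Read a dump on stdin; print the hex bytes after "MK dump:" joined together.
mk_dump_to_hex() {
    awk '/^MK dump:/ { f = 1; sub(/^MK dump:[ \t]*/, "") }
         f && $0 ~ /^[ \t]*([0-9a-fA-F][0-9a-fA-F][ \t]*)+$/ {
             for (i = 1; i <= NF; i++) printf "%s", $i; next }
         f { exit }
         END { print "" }'
}

# Write hex ($1) as raw bytes to file $2; $3 = expected byte count (64 = 512 bits).
# Uses octal \ooo printf escapes, the POSIX form of the manual's \x.. escapes.
mk_hex_to_file() {
    hex=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'A-F' 'a-f')
    expect=${3:-64}
    case "$hex" in ''|*[!0123456789abcdef]*) echo "MK dump is not hex" >&2; return 1 ;; esac
    if [ $(( ${#hex} % 2 )) -ne 0 ] || [ $(( ${#hex} / 2 )) -ne "$expect" ]; then
        echo "expected $expect key bytes, got $(( ${#hex} / 2 ))" >&2; return 1
    fi
    fmt=''
    while [ -n "$hex" ]; do
        pair=$(printf '%.2s' "$hex")
        fmt="$fmt\\$(printf '%03o' "$((0x$pair))")"
        hex=${hex#??}
    done
    printf "$fmt" > "$2" && [ "$(wc -c < "$2" | tr -d ' ')" -eq "$expect" ]
}

# Read a key file back as lowercase hex for a round-trip check.
file_to_hex() { od -An -tx1 -v "$1" | tr -d ' \n'; }

KEYFILE=${TMPDIR:-/tmp}/masterkey.example
MK_HEX=$(printf '%s' "$SAMPLE_DUMP" | mk_dump_to_hex)
mk_hex_to_file "$MK_HEX" "$KEYFILE" && [ "$(file_to_hex "$KEYFILE")" = "$MK_HEX" ] \
    && echo "wrote $KEYFILE: $(( ${#MK_HEX} / 2 )) bytes, matches the dump"
```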
7.)
Now that this is done, we need to fix the booting:
A.) Run lsblk -o +UUID and find all your partitions.
B.) Unlock your newly encrypted root partition with:
cryptsetup luksOpen /dev/(#partition encrypting root fs partition) luks-(# UUID of parent LUKS partition)
(DO NOT unlock it through gnome-disks; the name will not be correct and you will not be able to regenerate the initramfs.)
Fedora's naming convention for the child device under a LUKS partition is luks-(#UUID of the parent partition that encrypts it), and this has to be followed for everything to work. Below is an example of how everything should look in a normal Fedora installation, for reference:
Note the UUID of the parent LUKS partition and the name of the child device.
C.) Now you need to mount them for chrooting.
Run lsblk -o +UUID again to find your unlocked root partition, then mount all of them like this:
mount /dev/mapper/(#unlocked root partition under luks partition) /mnt
It is found under /dev/mapper/luks-(#UUID), not /dev/luks-(#UUID); the other, unencrypted partitions are found under /dev.
mount /dev/(#boot partition) /mnt/boot
mount /dev/(#efi partition) /mnt/boot/efi
and then mount what the chroot needs with:
for i in /dev /dev/pts /proc /sys /run; do mount -B $i /mnt/$i; done
D.) Find the UUID of your LUKS partition with blkid or gnome-disks
(NOT the unlocked root partition under it, but the one encrypting it)
E.) Chroot into the environment with:
chroot /mnt/ /bin/bash
F.) Inside the chroot, edit /etc/crypttab and replace the previous UUID with the correct new one found in sub-step D, and also the name of the child device (the aforementioned luks-(#UUID)). Keep in mind that the UUID in the name and the UUID of the device are the same.
G.) Next, also edit /etc/default/grub and replace the luks-(#UUID) value with the correct luks-(#UUID) name of the encrypted child device, the same as in crypttab.
H.) Run:
grub2-mkconfig -o /boot/grub2/grub.cfg
to regenerate the bootloader configuration, and
dracut --regenerate-all --force --add crypt
to regenerate the initramfs.
I.) Type exit to leave the chroot and run sync to make sure all changes are written to disk.
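Sub-steps F and G above, as an added example that is not part of the original manual: a POSIX shell helper that swaps the old LUKS UUID for the new one in /etc/crypttab and /etc/default/grub and then checks that the mapping name, the UUID= device reference and grub's rd.luks.uuid= all agree, which is the consistency sub-step F asks for. The file contents are constructed samples in the layout a stock Fedora install writes, and both UUIDs are placeholders.

```shell
# Added example, not part of the original manual: retarget /etc/crypttab and
# /etc/default/grub to the UUID of the newly formatted LUKS partition and then
# check that the three places that must agree really do.  Works on copies here;
# for the real thing run it inside the chroot against /etc/crypttab and
# /etc/default/grub with the old and new UUIDs from blkid.

OLD_UUID=11111111-2222-3333-4444-555555555555   # constructed placeholder UUIDs,
NEW_UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee   # not from any real system

# Constructed samples in the layout a stock Fedora install writes.
SAMPLE_CRYPTTAB="luks-$OLD_UUID UUID=$OLD_UUID none discard"
SAMPLE_GRUB="GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX=\"rd.luks.uuid=luks-$OLD_UUID rhgb quiet\"
GRUB_ENABLE_BLSCFG=true"

# Accept only a lowercase 8-4-4-4-12 hex UUID, the form blkid prints.
is_uuid() {
    case "$1" in ????????-????-????-????-????????????) ;; *) return 1 ;; esac
    case "$(printf '%s' "$1" | sed 's/-//g')" in *[!0123456789abcdef]*) return 1 ;; esac
}

# Replace the old UUID ($1) with the new one ($2) everywhere in file $3,
# keeping a .bak copy of the original.
retarget_luks_uuid() {
    is_uuid "$1" && is_uuid "$2" || { echo "bad UUID argument" >&2; return 1; }
    grep -q "$1" "$3" || { echo "old UUID $1 not found in $3" >&2; return 1; }
    cp "$3" "$3.bak" && sed "s/$1/$2/g" "$3.bak" > "$3"
}

# True when crypttab's mapping name luks-X, its UUID=X device reference and
# grub's rd.luks.uuid=luks-X all carry the same X (what sub-step F requires).
check_consistent() {   # $1 crypttab, $2 /etc/default/grub
    name=$(awk '$1 ~ /^luks-/ { print substr($1, 6); exit }' "$1")
    dev=$(awk '$1 ~ /^luks-/ { sub(/^UUID=/, "", $2); print $2; exit }' "$1")
    grub=$(sed -n 's/.*rd\.luks\.uuid=luks-\([0-9a-f-]*\).*/\1/p' "$2")
    [ -n "$name" ] && [ "$name" = "$dev" ] && [ "$name" = "$grub" ]
}

WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_CRYPTTAB" > "$WORK/crypttab"
printf '%s\n' "$SAMPLE_GRUB" > "$WORK/grub"
retarget_luks_uuid "$OLD_UUID" "$NEW_UUID" "$WORK/crypttab" \
    && retarget_luks_uuid "$OLD_UUID" "$NEW_UUID" "$WORK/grub" \
    && check_consistent "$WORK/crypttab" "$WORK/grub" \
    && echo "crypttab and grub now both point at luks-$NEW_UUID"
```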
8.) Now just reboot from the live CD into your installation.
That should be it. Also, as I asked in the previous manual, if you know a better way to do this or think some steps in this manual can or should be adjusted, please do not hesitate to write an email to legacy@wo.cz
Criticism is very welcome.