On 29/09/2020 15:27, Mason Loring Bliss wrote:
> On Tue, Sep 29, 2020 at 08:58:42PM +0700, Андрей via Dng wrote:
>
>> Question is, Is it possible to achieve same goal without LLVM --
>> i.e. to partition system HDD with fdisk, and then still have full
>> encryption?
>
> Yes, or at least, mostly. There needs to be unencrypted data that contains
> the decryption code. GRUB itself can handle LUKS decryption, but that
> would involve a manual installation.
>
> There are a number of ways to encrypt a system, in any event, and you can
> certainly use the "manual" partitioning in the Debian installer to set up a
> system that's largely encrypted, without LVM, but remember to supply an
> unencrypted /boot, as unless something's changed very recently, Debian (and
> Devuan by extension) doesn't know to configure GRUB to unlock an encrypted
> /boot.
>
> I found this that talks about encrypted /boot (or /boot on encrypted root)
> but it would require manual installation, and I'm not sure how easy it'd be
> to adapt Debian's GRUB scaffolding to accommodate it. Might be easy, might
> be nearly impossible. But:
>
> https://wiki.archlinux.org/index.php/Grub#Encrypted_/boot

Do it in stages:

Stage 1
Devuan install CD:
partition 1 unencrypted /boot
partition 2 Luks encrypted everything else

Stage 2
Copy /boot over onto /
* rebuild the initramfs in the NEW /boot on / *
^^^ you will need to hack the initramfs-tools scripts or they will exclude the Luks key ^^^

Stage 3
Rip apart the new initramfs and confirm correctly built, repeat Stage 2 if not.

Stage 4 - point of no return'ish
Re-configure and re-install grub to load the kernel from partition 2 /boot

Stage 5 - ok i lied, it's Linux and anything is recoverable almost
Boot into recovery from the Devuan Install CD
Re-install grub to boot the first partition kernel, the original /boot.
Have a cup of coffee and work out what you did wrong and try Stage 2 on again :)

I kept two differing grub configurations making life easier by symlinking,
unencrypted in partition 1 /boot, encrypted in partition 2 /boot

When you are satisfied, wipe partition 1.
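
One way to do the Stage 3 check described above, as an added example that is not part of the original thread: it walks the image's concatenated cpio "newc" segments (an uncompressed early segment followed by a gzip or xz main archive) and reports whether the cryptsetup binary and the key file made it in. The in-image key path, the function names and the sample images are assumptions constructed for illustration; other compressors are not handled.

```python
import gzip, lzma

MAGIC = b"070701"  # cpio "newc" magic; initramfs images are built from these records

def _pad4(n):
    return (n + 3) & ~3

def _decompress(buf):
    if buf[:2] == b"\x1f\x8b":
        return gzip.decompress(buf)
    if buf[:6] == b"\xfd7zXZ\x00":
        return lzma.decompress(buf)
    raise ValueError("not cpio, gzip or xz data")

def list_initramfs(blob):
    """Return {path: size} over every concatenated cpio segment in the image."""
    entries, pos = {}, 0
    while pos < len(blob):
        if blob[pos] == 0:                  # zero padding between segments
            pos += 1
        elif blob[pos:pos + 6] != MAGIC:    # compressed main archive starts here
            blob, pos = _decompress(blob[pos:]), 0
        else:                               # 13 header fields of 8 hex digits each
            f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
            size, namesize = f[6], f[11]
            name = blob[pos + 110:pos + 110 + namesize - 1].decode()
            pos = _pad4(_pad4(pos + 110 + namesize) + size)
            if name != "TRAILER!!!":
                entries[name[2:] if name.startswith("./") else name] = size
    return entries

def audit(blob, key_path):
    """Return a list of problems; an empty list means the Stage 3 check passed."""
    entries = list_initramfs(blob)
    problems = []
    if not any(p.split("/")[-1] == "cryptsetup" for p in entries):
        problems.append("cryptsetup binary missing")
    if entries.get(key_path, 0) == 0:
        problems.append("key file missing or empty: " + key_path)
    return problems

def _rec(name, data=b""):
    """One newc record, used only to build the constructed sample images."""
    n = name.encode() + b"\0"
    head = MAGIC + b"".join(b"%08X" % v for v in
                            [0, 0o100600, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0]) + n
    return head.ljust(_pad4(len(head)), b"\0") + data.ljust(_pad4(len(data)), b"\0")

# Constructed samples: uncompressed early segment, padding, then a gzip main archive.
KEY = "cryptroot/keyfiles/root.key"   # assumed in-image key path; adjust to your build
EARLY = (_rec("kernel/placeholder", b"x") + _rec("TRAILER!!!")).ljust(512, b"\0")
GOOD = EARLY + gzip.compress(_rec("usr/sbin/cryptsetup", b"ELF") + _rec(KEY, b"k" * 32) + _rec("TRAILER!!!"))
NO_KEY = EARLY + gzip.compress(_rec("usr/sbin/cryptsetup", b"ELF") + _rec("TRAILER!!!"))
```

To check a real image, pass its bytes and the key path your build uses, for example `audit(open(image_path, "rb").read(), key_path)`.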