Full Disk Encryption

Versatile LUKS setup, including evil-maid attack mitigation or remote unlock.

Exclusive FDE2 methods

FDE2 methods mitigate evil-maid attacks either by encrypting the boot partition (FDE2a) or by doing without a separate boot partition altogether (FDE2b).

FDE method                              | GNOS Core STORAGE_OPTION | Ubuntu support | Evil-maid target       | Evil-maid difficulty
----------------------------------------|--------------------------|----------------|------------------------|---------------------
FDE0a: all plain-text                   | default                  | default        | root                   | needless
FDE0b: plain-text root, encrypted home  |                          |                | root (many ways)       | trivial
FDE1:  encrypted root, plain-text boot  | CRYPTO_ROOT PLAIN_BOOT   |                | boot (initramfs)       | easy
FDE2a: encrypted root, encrypted boot   | CRYPTO_ROOT CRYPTO_BOOT  |                | MBR, GPT, UEFI (grub)  | tricky
FDE2b: encrypted root, NO boot :)       | CRYPTO_ROOT              |                | MBR, GPT, UEFI (grub)  | tricky

Configurable LUKS options

By default AES-256 is used with the following LUKS options:

--cipher    aes-xts-plain64
--key-size  512
--hash      sha512
--iter-time 2000

You are also free to specify your own options with LUKS_FORMAT_OPTS. Remember that XTS mode splits the key size in half, which is why --key-size 512 yields AES-256.
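As an added illustration (not code from the GNOS Core project or this page), the POSIX shell helper below composes the luksFormat call from the defaults above or from LUKS_FORMAT_OPTS, and audits an existing LUKS1 header (the text `cryptsetup luksDump` prints) against the same policy, catching the XTS key-halving pitfall where a 256-bit key size silently becomes AES-128. The luksDump samples are constructed, and the assumption that LUKS_FORMAT_OPTS replaces the whole option string is mine.

```shell
#!/bin/sh
# Added example, not GNOS Core code. Assumes the cryptsetup flags listed on the
# page and that LUKS_FORMAT_OPTS, when set, is a complete replacement option
# string (an assumption). The luksDump samples below are constructed.

LUKS_DEFAULT_OPTS="--cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000"

# Compose the luksFormat invocation for one device. Printed rather than
# executed so the command can be reviewed before it touches a disk.
luks_format_cmd() {
    opts="${LUKS_FORMAT_OPTS:-$LUKS_DEFAULT_OPTS}"
    printf 'cryptsetup luksFormat %s %s\n' "$opts" "$1"
}

# XTS consumes two keys, so the LUKS master key is split in half:
# aes-xts with --key-size 512 is AES-256, with --key-size 256 it is AES-128.
effective_key_bits() {
    case "$1" in
        *xts*) echo $(( $2 / 2 )) ;;
        *)     echo "$2" ;;
    esac
}

# Extract one "Label:   value" field from a luksDump text ($1) by label ($2).
dump_field() {
    printf '%s\n' "$1" | awk -F':[[:space:]]*' -v k="$2" '$1 == k { print $2; exit }'
}

# Audit a LUKS1 header dump read from stdin: AES in XTS mode, at least 256
# effective key bits, SHA-512 as the PBKDF hash. Prints "ok", or the first
# policy violation and returns 1.
audit_luks_dump() {
    dump=$(cat)
    name=$(dump_field "$dump" "Cipher name")
    mode=$(dump_field "$dump" "Cipher mode")
    hash=$(dump_field "$dump" "Hash spec")
    mkbits=$(dump_field "$dump" "MK bits")
    [ "$name" = "aes" ] || { echo "cipher is $name, expected aes"; return 1; }
    case "$mode" in
        xts-*) ;;
        *) echo "cipher mode is $mode, expected xts-*"; return 1 ;;
    esac
    eff=$(effective_key_bits "$mode" "$mkbits")
    [ "$eff" -ge 256 ] || { echo "effective key is $eff bits (MK bits $mkbits halved by XTS)"; return 1; }
    [ "$hash" = "sha512" ] || { echo "hash spec is $hash, expected sha512"; return 1; }
    echo ok
}

# Constructed sample dumps: one formatted with the defaults above, one with
# --key-size 256, which XTS reduces to AES-128.
GOOD_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512'

WEAK_DUMP='LUKS header information for /dev/sdb2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        256'

# Demonstration run
luks_format_cmd /dev/sda2
printf '%s\n' "$GOOD_DUMP" | audit_luks_dump        # ok
printf '%s\n' "$WEAK_DUMP" | audit_luks_dump || :   # effective key is 128 bits (MK bits 256 halved by XTS)
```

On a real system, feed the audit with `cryptsetup luksDump /dev/sdXN | audit_luks_dump` (root required) to confirm that a container formatted under a custom LUKS_FORMAT_OPTS still meets the AES-256 baseline.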

Encrypted remote/headless servers

The FDE2a/b cases (specified in Full Disk Encryption) require physical access to unlock; alternatively, a hardware KVM/IPMI solution can be used for remote servers and headless computers.

The FDE1 case can benefit from Remote LUKS password prompt.

Single LUKS password prompt for RAID setups

Whether you use ZFS for multiple-volume management or Linux MD-RAID, you can achieve a single LUKS password prompt by using an encrypted boot partition (which can also be mirrored).

See the CRYPTO_BOOT tag in Configuration file format / Storage_options.

ZFS compatible

All GNOS Core FDE methods are compatible with a ZFS root filesystem.