For a long time I have been using a hard drive with cryptsetup LUKS software encryption for my desktop. I recently bought a new disk, this time an SSD instead of an HDD, and it came with built-in support for hardware (OPAL) encryption. Instead of the CPU spending cycles on encryption and decryption, the SSD does it itself, which frees up CPU resources. The challenge? Setting up hardware disk encryption used to be complicated. Until Aug 2023, when cryptsetup, the tool I have been using for software encryption, added support for OPAL hardware disk encryption (shipped in cryptsetup 2.7.0). That is what I have used to set up disk encryption for my Debian OS. I have documented the steps I followed (mostly for self-reference), but I hope others find them useful.
Some caveats before you start:
1. Support for OPAL hardware disk encryption landed in cryptsetup 2.7.0. Debian stable (bookworm) still ships cryptsetup 2.6.x. To use this, you will either have to run Debian testing (trixie) or, if you intend to stay on Debian stable, upgrade cryptsetup from the testing repo (which is what I did).
2. I did not install Debian from scratch; once the OPAL encrypted partition and the LVM inside it were set up, I copied all files from my existing OS over to the new disk. If you want to do a fresh installation, I believe you can, once you have created all the partitions. The LVM is purely optional; I prefer it for convenience.
3. I also have two additional mount points (/stuff/ and /gallery/), which are neither required nor standard. Again, this is just my personal preference; feel free to ignore them.
4. I have an EFI partition as my motherboard boots via UEFI.
5. You can set up hardware (OPAL) encryption only, or hardware encryption with LUKS software encryption (dm-crypt) layered on top. As my need was basic protection, I decided to go for hardware-only encryption. Be aware of what that means: with hardware-only encryption the data is protected by the drive's own firmware, whose implementation you cannot inspect; if you want protection that does not depend on the drive getting it right, use the combined mode (the --hw-opal flag below). Either way, /boot and the EFI partition stay unencrypted in this layout, as they do with the usual LUKS setup.
6. The SSD was identified as /dev/sda and that is what I use below. Check with lsblk, as the device name may be different on your system.
7. Last but not least, if you are copying over an existing OS, have a proper backup.
If you have any queries, feel free to leave a comment and if I have an answer to them, I will get back to you.
Check whether the drive supports OPAL; sedutil-cli --scan works fine for this.
$ sudo apt install sedutil
$ sudo sedutil-cli --scan
Scanning for Opal compliant disks
/dev/sda 2 CT2000MX500SSD1 M3CR046
/dev/sdb No
No more disks present ending scan
If you see a number in the second column, like the 2 above, the drive supports OPAL. A 2 means OPAL 2.0, which is the specification the kernel's SED-OPAL driver (and therefore cryptsetup) works with; No means the drive is not an OPAL drive at all.
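As an added example (not part of the original post), here is a small POSIX shell script that checks the three prerequisites before you touch the disk: cryptsetup 2.7.0 or newer, a kernel with SED-OPAL support, and a drive that sedutil reports as OPAL 2.0. It assumes that cryptsetup --version prints "cryptsetup X.Y.Z ...", that Debian's /boot/config-$(uname -r) holds the running kernel's config, and that the kernel minimum is 6.4 (an assumption on my part, not something the post states); the sample scan output embedded in it is constructed from the shape of the output above, with a made-up third drive added.

```sh
#!/bin/sh
# Added example, not code from the original post: pre-flight checks for the
# requirements listed above, to run before touching the disk. Assumptions:
# `cryptsetup --version` prints "cryptsetup X.Y.Z ...", `sedutil-cli --scan`
# prints one "/dev/... CODE MODEL FIRMWARE" line per disk (CODE 2 = OPAL 2.0,
# "No" = not OPAL), and /boot/config-$(uname -r) is the kernel config.

MIN_CRYPTSETUP=2.7.0   # first release with --hw-opal / --hw-opal-only
MIN_KERNEL=6.4         # assumed minimum for the SED-OPAL ioctls cryptsetup uses

# version_ge A B: true when dotted numeric version A is >= B (3 components)
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1" | awk -F. -v n="$i" '{ print $n + 0 }')
        y=$(printf '%s\n' "$2" | awk -F. -v n="$i" '{ print $n + 0 }')
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# numeric_version STRING: keep only the leading digits-and-dots part of e.g.
# "cryptsetup 2.7.0 flags: ..." or "6.1.0-18-amd64"
numeric_version() {
    printf '%s\n' "$1" | sed -E 's/^[^0-9]*([0-9]+(\.[0-9]+)*).*/\1/'
}

# opal2_devices: reads `sedutil-cli --scan` output on stdin and prints the
# devices whose code is 2 (OPAL 2.0); "No", "1", "E" and the rest are skipped
opal2_devices() {
    awk '$1 ~ /^\/dev\// && $2 == "2" { print $1 }'
}

# kernel_has_sed_opal CONFIGFILE: CONFIG_BLK_SED_OPAL=y in the kernel config
kernel_has_sed_opal() {
    grep -q '^CONFIG_BLK_SED_OPAL=y$' "$1" 2>/dev/null
}

# preflight: runs the checks on the live system (needs root for sedutil-cli)
preflight() {
    ok=0
    cs=$(numeric_version "$(cryptsetup --version 2>/dev/null)")
    if version_ge "$cs" "$MIN_CRYPTSETUP"; then
        echo "ok   cryptsetup $cs"
    else
        echo "FAIL cryptsetup ${cs:-missing} (need >= $MIN_CRYPTSETUP)"; ok=1
    fi
    kv=$(numeric_version "$(uname -r)")
    cfg="/boot/config-$(uname -r)"
    if version_ge "$kv" "$MIN_KERNEL" && kernel_has_sed_opal "$cfg"; then
        echo "ok   kernel $kv with CONFIG_BLK_SED_OPAL"
    else
        echo "FAIL kernel $kv: need >= $MIN_KERNEL and CONFIG_BLK_SED_OPAL=y in $cfg"; ok=1
    fi
    devs=$(sedutil-cli --scan 2>/dev/null | opal2_devices)
    if [ -n "$devs" ]; then
        echo "ok   OPAL 2.0 drives: $devs"
    else
        echo "FAIL no OPAL 2.0 drive reported by sedutil-cli --scan (run as root?)"; ok=1
    fi
    return "$ok"
}

# Constructed sample in the shape of the scan output above; the /dev/sdc line
# is a made-up drive with a non-OPAL-2 code, added to show it is skipped
SAMPLE_SCAN='Scanning for Opal compliant disks
/dev/sda    2  CT2000MX500SSD1   M3CR046
/dev/sdb   No
/dev/sdc    E  EXAMPLE-ENTERPRISE 0001
No more disks present ending scan'

# Run the live checks with: PREFLIGHT=1 sudo sh preflight.sh
if [ "${PREFLIGHT:-0}" = 1 ]; then
    preflight
fi
```

The live run exits non-zero if any check fails, so it can gate a larger provisioning script; the parsing functions are separated from the live calls so they can be exercised on saved output.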
If the drive has been owned or locked before (or simply to start from a clean state), reset it with its PSID. You can usually find the PSID printed on a sticker on the drive; if it has dashes, ignore them. Be aware that this is a factory reset of the drive's OPAL state: it destroys all data on the drive, so only do it on a drive you are prepared to wipe.
$ sudo cryptsetup luksErase --hw-opal-factory-reset /dev/sda
Enter OPAL PSID: <PSID>
My system partition layout with mount points
/dev/sda1                      fat32   /boot/efi
/dev/sda2                      ext4    /boot
/dev/sda3                      LUKS (OPAL) container holding the LVM
/dev/mapper/media--vg-root     ext4    /
/dev/mapper/media--vg-home     btrfs   /home
/dev/mapper/media--vg-swap_1   swap
/dev/mapper/media--vg-stuff    btrfs   /stuff (optional volume that I use for storing general stuff)
/dev/mapper/media--vg-gallery  btrfs   /gallery (optional volume that I use for storing images/videos)
Note the device-mapper names: the hyphen in the VG name media-vg is doubled, so the root LV is /dev/mapper/media--vg-root (or, equivalently, /dev/media-vg/root).
Create partitions
$ sudo parted /dev/sda
(parted) mklabel gpt
(parted) mkpart ESP fat32 1MiB 526MiB
(parted) set 1 boot on
(parted) mkpart primary ext4 526MiB 1550MiB
(parted) mkpart primary 1550MiB 100%
(parted) print
(parted) quit
As mentioned earlier, ensure that you have cryptsetup 2.7.0 or newer; older versions do not know the --hw-opal flags. You also need a kernel built with CONFIG_BLK_SED_OPAL and recent enough to provide the SED-OPAL ioctls cryptsetup uses (Linux 6.4 or newer).
$ sudo cryptsetup luksFormat /dev/sda3 --type luks2 --hw-opal-only
The --hw-opal-only flag tells cryptsetup to use the drive's hardware encryption only. If you want software encryption (dm-crypt) on top of the hardware encryption, pass the --hw-opal flag instead. luksFormat asks for an OPAL admin password, which cryptsetup uses to take ownership of the drive and configure the locking range, and then for the usual LUKS passphrase. Keep the admin password safe: if it is lost, the PSID factory reset above is the only way back, and that wipes the drive.
Check the configuration with luksDump. The output differs if you used the --hw-opal flag.
$ sudo cryptsetup luksDump /dev/sda3
LUKS header information
Version: 2
...
Data segments:
0: hw-opal
offset: 16777216 [bytes]
length: ... [bytes]
cipher: (no SW encryption)
HW OPAL encryption:
OPAL segment number: 1
OPAL key: 256 bits
OPAL segment length: ... [bytes]
Keyslots:
0: luks2
Key: 256 bits
...
If you used the --hw-opal flag instead, the data segment is reported as hw-opal-crypt rather than hw-opal, and the cipher line names the software cipher that dm-crypt layers on top (aes-xts-plain64 by default) instead of (no SW encryption). The HW OPAL encryption block underneath it is the same.
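The following is an added check, not code from the original post, that reads back from luksDump which layers the device actually has, so that a luksFormat typed without --hw-opal-only (or with no OPAL flag at all) is caught before anything is copied onto the disk. The segment type names are cryptsetup's own (hw-opal, hw-opal-crypt, crypt); the three sample dumps inside are constructed from the shape of the output above and are not real dumps.

```sh
#!/bin/sh
# Added example, not from the original post: classify a LUKS2 device from
# `cryptsetup luksDump` output by the type of data segment 0.
#   hw-opal        -> OPAL locking range only, no dm-crypt layer (--hw-opal-only)
#   hw-opal-crypt  -> OPAL locking range with dm-crypt on top (--hw-opal)
#   crypt          -> plain software LUKS2, the drive's OPAL is not used at all

# luks_layers: reads luksDump output on stdin, prints one word:
# opal-only, opal+dm-crypt, dm-crypt-only or unknown
luks_layers() {
    awk '
        /^Data segments:/ { inseg = 1; next }
        inseg && /^[[:space:]]*0:/ { print $2; exit }
    ' | {
        read -r t
        case "$t" in
            hw-opal)       echo opal-only ;;
            hw-opal-crypt) echo opal+dm-crypt ;;
            crypt)         echo dm-crypt-only ;;
            *)             echo unknown ;;
        esac
    }
}

# expect_layers WANT: reads luksDump on stdin and fails if the layers differ,
# e.g.  sudo cryptsetup luksDump /dev/sda3 | expect_layers opal-only
expect_layers() {
    got=$(luks_layers)
    [ "$got" = "$1" ] && return 0
    echo "expected $1 but luksDump shows $got" >&2
    return 1
}

# Constructed samples (not real dumps) in the shape of the output above
SAMPLE_OPAL_ONLY='LUKS header information
Version:        2
Data segments:
  0: hw-opal
        offset: 16777216 [bytes]
        cipher: (no SW encryption)
        HW OPAL encryption:
                OPAL segment number: 1
Keyslots:
  0: luks2
        Key:        256 bits'

SAMPLE_BOTH='LUKS header information
Version:        2
Data segments:
  0: hw-opal-crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64
        HW OPAL encryption:
                OPAL segment number: 1
Keyslots:
  0: luks2'

SAMPLE_SW_ONLY='LUKS header information
Version:        2
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64
Keyslots:
  0: luks2'
```

The check keys on the segment type rather than on the cipher line because the cipher line is what a reader is most likely to misread: "(no SW encryption)" is expected for hardware-only mode, not an error.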
Open the LUKS container (this also unlocks the OPAL locking range on the drive)
$ sudo cryptsetup open /dev/sda3 sda3_crypt
Create a physical volume on the opened container
$ sudo pvcreate /dev/mapper/sda3_crypt
Create a volume group on the physical volume
$ sudo vgcreate media-vg /dev/mapper/sda3_crypt
Verify VG configuration
$ sudo vgdisplay
Create logical volumes
$ sudo lvcreate -n root -L 100g media-vg
$ sudo lvcreate -n home -L 100g media-vg
$ sudo lvcreate -n swap_1 -L 20g media-vg
$ sudo lvcreate -n stuff -L 200g media-vg
$ sudo lvcreate -n gallery -l 100%FREE media-vg
$ sudo lvdisplay
Create the filesystems and swap
$ sudo mkfs.fat -F32 /dev/sda1
$ sudo mkfs.ext4 /dev/sda2
$ sudo mkfs.ext4 /dev/media-vg/root
$ sudo mkfs.btrfs /dev/media-vg/home
$ sudo mkswap /dev/media-vg/swap_1
$ sudo mkfs.btrfs /dev/media-vg/stuff
$ sudo mkfs.btrfs /dev/media-vg/gallery
Set up folder structure and mount partitions
$ sudo mount /dev/media-vg/root /mnt/
$ sudo mkdir /mnt/boot/ && sudo mount /dev/sda2 /mnt/boot/
$ sudo mkdir /mnt/boot/efi && sudo mount /dev/sda1 /mnt/boot/efi
$ sudo mkdir /mnt/home/ && sudo mount /dev/media-vg/home /mnt/home/
$ sudo mkdir /mnt/stuff/ && sudo mount /dev/media-vg/stuff /mnt/stuff/
$ sudo mkdir /mnt/gallery/ && sudo mount /dev/media-vg/gallery /mnt/gallery/
Now, copy over all the files from the old system to the new system.
Note: If you are installing the OS fresh, you can stop following the guide here, as the next steps will no longer be relevant, and proceed with the OS installation the usual way. As a matter of fact, I believe that once you have created the encrypted OPAL partition (/dev/sda3), you could switch to the installer at that point and create the LVM from it. I have not tried a fresh installation, though, so I can't confirm.
First, bind-mount the pseudo filesystems the chroot needs
$ for i in /dev /dev/pts /proc /sys /sys/firmware/efi/efivars /run; do sudo mount -o bind $i /mnt$i; done
chroot into the system
$ sudo chroot /mnt/
Update /mnt/etc/fstab (/etc/fstab inside the chroot). To get the UUIDs, use the blkid command. Below is the one for my system.
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/media--vg-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda2 during installation
UUID=e63fbce3-8e20-40ed-af1a-17b73768f853 /boot ext4 defaults 0 2
# /boot/efi was on /dev/sda1 during installation
UUID=CDDE-67F3 /boot/efi vfat umask=0077 0 1
/dev/mapper/media--vg-home /home btrfs defaults 0 0
/dev/mapper/media--vg-swap_1 none swap sw 0 0
/dev/mapper/media--vg-gallery /gallery btrfs defaults,nofail 0 0
/dev/mapper/media--vg-stuff /stuff btrfs defaults,nofail 0 0
Update /mnt/etc/crypttab. To get the UUID of the LUKS partition, run cryptsetup luksUUID /dev/sda3. Below is the one for my system.
sda3_crypt UUID=42834177-2cb5-45ef-897f-af1c85f35bf1 none luks,discard
Additionally, generate LVM metadata backup
# vgcfgbackup media-vg
Next, update the initramfs. This step is needed: the initramfs has to contain the new /etc/crypttab entry and the cryptsetup build with OPAL support so that /dev/sda3 can be unlocked at boot before LVM is activated.
# update-initramfs -u -k all
Reinstall GRUB to the appropriate disk (without partition number). With the EFI build of GRUB the disk argument is effectively ignored and the bootloader goes into /boot/efi; the bind mount of /sys/firmware/efi/efivars above is what lets it register the boot entry.
# grub-install /dev/sda
Generate the GRUB configuration file:
# update-grub
Now exit the chroot, reboot, remove the Debian live medium and boot into the new system.
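Added example, not from the original post: a script that renders the crypttab and fstab entries for the layout above from the three UUIDs you read with luksUUID and blkid, computing the /dev/mapper names instead of typing them and refusing malformed UUIDs, since either mistake only shows up as a failed boot. The VG and LV names, the sda3_crypt mapping name and the mount options are the post's own; the helper functions and the vg0/home-data name used in the self-test are mine.

```sh
#!/bin/sh
# Added example, not part of the original post: generate /etc/crypttab and
# /etc/fstab entries for the layout above and reject two mistakes that only
# show up at boot, a wrong /dev/mapper name and a malformed UUID.

# lvm_mapper_path VG LV: device-mapper escapes every '-' in a VG or LV name
# as '--' and joins the pair with a single '-', so VG media-vg + LV root is
# /dev/mapper/media--vg-root (the /dev/media-vg/root symlink is unaffected)
lvm_mapper_path() {
    printf '/dev/mapper/%s-%s\n' \
        "$(printf '%s' "$1" | sed 's/-/--/g')" \
        "$(printf '%s' "$2" | sed 's/-/--/g')"
}

# is_uuid: 8-4-4-4-12 lowercase hex, as `cryptsetup luksUUID` and blkid
# print it for LUKS, ext4 and btrfs
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# is_vfat_uuid: the XXXX-XXXX volume serial blkid reports for FAT filesystems
is_vfat_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-F]{4}-[0-9A-F]{4}$'
}

# crypttab_line NAME UUID: the entry the initramfs uses to unlock the LUKS
# (here OPAL) container before LVM is activated; a bad UUID is refused
crypttab_line() {
    is_uuid "$2" || { echo "crypttab: bad LUKS UUID '$2'" >&2; return 1; }
    printf '%s UUID=%s none luks,discard\n' "$1" "$2"
}

# fstab_line DEVICE MOUNT FSTYPE OPTIONS PASS (dump field is always 0)
fstab_line() {
    printf '%s %s %s %s 0 %s\n' "$1" "$2" "$3" "$4" "$5"
}

# render_config LUKSUUID BOOTUUID EFIUUID: prints the crypttab entry, then
# the fstab, for the post's layout; fails before printing anything if a
# UUID is malformed
render_config() {
    is_uuid "$1"      || { echo "crypttab: bad LUKS UUID '$1'" >&2; return 1; }
    is_uuid "$2"      || { echo "fstab: bad /boot UUID '$2'" >&2; return 1; }
    is_vfat_uuid "$3" || { echo "fstab: bad EFI UUID '$3'" >&2; return 1; }
    echo '# /etc/crypttab'
    crypttab_line sda3_crypt "$1"
    echo '# /etc/fstab'
    fstab_line "$(lvm_mapper_path media-vg root)"    /         ext4  errors=remount-ro 1
    fstab_line "UUID=$2"                             /boot     ext4  defaults          2
    fstab_line "UUID=$3"                             /boot/efi vfat  umask=0077        1
    fstab_line "$(lvm_mapper_path media-vg home)"    /home     btrfs defaults          0
    fstab_line "$(lvm_mapper_path media-vg swap_1)"  none      swap  sw                0
    fstab_line "$(lvm_mapper_path media-vg gallery)" /gallery  btrfs defaults,nofail   0
    fstab_line "$(lvm_mapper_path media-vg stuff)"   /stuff    btrfs defaults,nofail   0
}

# Usage: sh render.sh "$(cryptsetup luksUUID /dev/sda3)" \
#                     "$(blkid -s UUID -o value /dev/sda2)" \
#                     "$(blkid -s UUID -o value /dev/sda1)"
if [ $# -eq 3 ]; then
    render_config "$@"
fi
```

The crypttab mapping name (sda3_crypt) must match the name used with cryptsetup open when the PV was created, and the generated fstab deliberately refers to LVs by their /dev/mapper path, as the post's fstab does, so that a typo in the hyphen escaping is impossible.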