author Joe Richey <joerichey94@gmail.com> 2017-08-29 11:57:34 -0700
committer Joe Richey <joerichey94@gmail.com> 2017-08-29 11:57:34 -0700
commit d41bac581c56be1891e7b54d64c8e5d68edd8ca0 (patch)
tree 5c4f78346701a89a4aec632aa919ea8724083b80
parent e8c962732c25cd61ff3543803b127fd108735cf1 (diff)
README: Clarified boot related encryption issues
-rw-r--r-- README.md 41
1 files changed, 31 insertions, 10 deletions
diff --git a/README.md b/README.md
index 61e5aa7..59eac5d 100644
--- a/README.md
+++ b/README.md
@@ -577,19 +577,40 @@ To trigger a password authentication event, run `su $(whoami) -c exit`.
#### Getting "encryption not enabled" on an ext4 filesystem.
Getting this error on an ext4 system usually means the filesystem has not been
-setup for encryption. To setup a filesystem to support encryption, first check
-that your block size is equal to your page size by comparing the outputs of
-`getconf PAGE_SIZE` and `tune2fs -l /dev/device | grep 'Block size'`. If these
-are not the same, DO NOT ENABLE ENCRYPTION.
-
-To turn on the encryption feature flag for your filesystem, run
+setup for encryption. The only other way to get this error is if filesystem
+encryption has been explictly disabled in the kernel config.
+
+__IMPORTANT:__ Before enabling encryption on an ext4 filesystem __ALL__ of the
+following should be true:
+ * Your filesystem is formatted as ext4. Other filesystems will have
+ different ways of enabling encryption.
+ * Your kernel page size (run `getconf PAGE_SIZE`) and your filesystem
+ block size (run `tune2fs -l /dev/device | grep 'Block size'`) are the
+ same.
+ * You are ok with not being able to mount this filesystem with a v4.0
+ kernel or older.
+ * You are __NOT__ using GRUB to boot directly off this filesystem. If
+ you have a sperate `/boot` partition, you are fine.
+If any of the above is not true, __DO NOT ENABLE FILESYSTEM ENCRYPTION__.
+
+To turn on encryption for your filesystem, run
```
tune2fs -O encrypt /dev/device
```
-This command requires root privileges and `e2fsprogs` v1.43 or later. Once the
-filesystem flag is enabled, older kernels may not be able to mount this
-filesystem. Note that there was a bug in older kernel versions that allowed
-encryption policies to be set on ext4 filesystems without this flag.
+To turn off encryption for your filesystem, run
+```
+fsck -fn /dev/device
+debugfs -w -R "feature -encrypt" /dev/device
+fsck -fn /dev/device
+```
+
+Note: It is actually possible to get GRUB to boot an encrypted ext4 filesystem.
+However, it requires GRUB 2.02 (__NOT__ the 2.02 beta) to be installed as the
+bootloader. As this version was released in April 2017, most systems __WILL
+FAIL TO BOOT__ with an ext4 encrypted boot directory. Note that this is only
+relevant to systems without a seperate boot partition. Sytems with `/boot` on
+a different partition than the one being encrypted (including all UEFI systems)
+are not effected by this.
## Legal
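Review bot: the rewritten paragraph drops the requirement that was in the removed lines ("This command requires root privileges and `e2fsprogs` v1.43 or later"), so a reader on an older e2fsprogs now gets no hint why `tune2fs -O encrypt /dev/device` fails; keep that sentence next to the `tune2fs` block. The new "turn off encryption" steps also remove the feature flag with `debugfs -w -R "feature -encrypt"` without stating that every encrypted file and directory must be deleted first; flipping the flag while encrypted inodes remain leaves their contents unreadable, so add that precondition (and note that `fsck -fn` is a read-only check, so the second run only reports damage, it does not repair it). Minor spelling in the added text: "explictly" should be "explicitly", "sperate"/"seperate" should be "separate", "Sytems" should be "Systems", and "effected" should be "affected".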