Full Drive Encryption on Rockstor 5

John1 · April 26, 2025, 10:21pm

Hello everyone,

I’m wondering whether the NAS can have full disk encryption on on the system disk, and data disks? Where it auto-decrypts based on TPM bound keys, by using the Clevis (GitHub - latchset/clevis: Automated Encryption Framework) software. Please ensure that it’s a release including PR #462.

What do you guys think of doing full disk encryption on Rockstor using this please? Could it be added into the core of Rockstor please? The user would be able to choose whether to do this likely during the installation of Rockstor.

Hooverdan · April 27, 2025, 3:03am

@John1 at this time, only this encryption is implemented:

https://rockstor.com/docs/howtos/luks.html

If you want the root disk encrypted as well, at this time, you will need to build your own installer, as described here:

And enable it in the rockstor.kiwi file:

github.com

rockstor/rockstor-installer/blob/49e1154df5b92a82582a36b9bdf7cc545dba47a6/rockstor.kiwi#L44


      
          <packagemanager>zypper</packagemanager>
          <locale>en_GB</locale>
          <keytable>gb</keytable>
          <timezone>Europe/London</timezone>
          <rpm-excludedocs>true</rpm-excludedocs>
          <rpm-check-signatures>false</rpm-check-signatures>
          <bootsplash-theme>upstream</bootsplash-theme>
          <bootloader-theme>starfield</bootloader-theme>
          <!-- firmware="efi" See https://github.com/OSInside/kiwi/issues/1428 re AArch64 -->
          <!-- Re AArch64: https://github.com/OSInside/kiwi/issues/1491 -->
          <!-- For root disk LUKS encryption (using luks2 & PBKDF2 instead of argon2id) -->
          <!-- add below 2 luks attributes below the 'efipartsize' entry in the type definition -->
          <!-- note: change luks Pass Phrase -->
          <!--        luks="c00l_Pa$$Phra$e" -->
          <!--        luks_version="luks2" -->
          <!-- N.B. kernelcmdline may be modified by pre_disk_sync.sh -->
          <type image="oem" primary="true" initrd_system="dracut" filesystem="btrfs" fsmountoptions="noatime" firmware="efi" installiso="true" kernelcmdline="nomodeset plymouth.enable=0 rd.kiwi.oem.maxdisk=5000G" bootpartition="false" devicepersistency="by-label" btrfs_root_is_subvolume="true" btrfs_root_is_snapper_snapshot="true" btrfs_quota_groups="false" efipartsize="64">
              <bootloader name="grub2" bls="false"/>
              <!-- For full disk LUKS encryption uncomment below entries -->
              <!-- PBKDF2 is required for grub to recognize encryption -->
              <!--    <luksformat> -->

In a future release that might be considered to be built into the initial installer.