Portal:Aeon/Encryption/Advanced
Advanced Encryption Guide
Throughout this page, all examples using /dev/disk should be replaced with the correct device name of your system's LUKS partition.
This guide is intended for advanced users only.
Incorrectly applying some of the changes discussed here can result in your system becoming unbootable and the data being impossible to recover.
If you do not know what you are doing, it is probably best to ignore all the information here.
General Recommendations
More Credentials can equal less Security
The LUKS cryptography stack used in Aeon allows ANY valid credential to unlock the system's disk.
Therefore, only add more credentials if you are confident that each and every one of them is kept secure from any possible attacker.
Always keep one Recovery Key or Passphrase
While hardware-based credentials like TPM 2.0 and FIDO2 are very strong, reliable, and convenient, they should only ever be used alongside at least one Recovery Key or Passphrase.
This is because hardware-based credentials are vulnerable to a number of hardware-specific risks, e.g.:
- Hardware can fail
- FIDO2 keys can be lost
- TPM 2.0 PCR policies are always invalid immediately after a UEFI firmware upgrade
Also, many tools, including the Aeon installer and systemd-cryptenroll, can expect there to always be a Passphrase or Recovery Key and may prompt for it during security-sensitive functions, such as during reinstallation or changing credentials.
Therefore, always make sure there is at least one Key Slot containing a Recovery Key or Passphrase at all times.
Key Slot Layout
For any user adding or removing credentials to their encrypted disk, it's important to understand the default credentials set up as part of the install.
It is not recommended to wipe any of these keyslots unless you know precisely what you are doing.
You can check the structure of your system's keyslots at any time by running systemd-cryptenroll /dev/disk
Default Mode
- Key Slot 0 - Empty (was used for temporary credentials during Installation)
- Key Slot 1 - Recovery Key
- Key Slot 2 - TPM 2.0 Key
Fallback Mode
- Key Slot 0 - Empty (was used for temporary credentials during Installation)
- Key Slot 1 - Recovery Key
- Key Slot 2 - Passphrase
Adding additional credentials
Adding additional credentials is most useful in Fallback Mode, to provide alternative methods for authenticating or as a precursor to removing obsolete credentials that you no longer want to use.
In Default Mode, the main use case for adding an additional credential is to then designate it as an alternative/replacement Recovery Key.
Passphrase
To add an additional passphrase to unlock your encrypted disk:
sudo systemd-cryptenroll /dev/disk --password
Recovery Key
Recovery keys are mostly identical to passphrases, but are computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
A recovery key is designed to be used as a fallback if the hardware tokens are unavailable, and can be used in place of regular passphrases whenever they are required.
sudo systemd-cryptenroll /dev/disk --recovery-key
FIDO2 tokens
Any FIDO2 token that supports the "hmac-secret" extension can be used with Aeon. The following example would enroll a FIDO2 token to an encrypted LUKS2 block device.
sudo systemd-cryptenroll /dev/disk --fido2-device=auto
In order to be used on boot, you will also need to modify /etc/crypttab, appending the extra setting ,fido2-device=auto to the options of the root entry.
This will make the file look something like this:
Default Mode
aeon_root UUID=XXXX-XXXX-XXXX-XXXX-XXXX none x-initrd.attach,tpm2-device=auto,fido2-device=auto
Fallback Mode
aeon_root UUID=XXXX-XXXX-XXXX-XXXX-XXXX none x-initrd.attach,fido2-device=auto
Removing credentials
Any encryption credential can be removed by running
sudo systemd-cryptenroll --wipe-slot=$NUM /dev/disk
Where $NUM is the number of the keyslot identified by
sudo systemd-cryptenroll /dev/disk
The last credential can never be removed.
In Default Mode it is strongly recommended to wipe the TPM 2.0 keyslot before the last Recovery Key, as a Passphrase or Recovery Key is required to enrol new credentials.
Designating New Recovery Keys
Recovery Keys do not have to be the computer-generated passphrases created during Installation or with systemd-cryptenroll --recovery-key.
Any Passphrase or FIDO2 Key Slot can also be designated as a recovery key by importing a systemd-recovery token that points at it:
printf '{"type":"systemd-recovery","keyslots":["%s"]}' "$NUM" | sudo /usr/sbin/cryptsetup token import /dev/disk
Where $NUM is the number of the keyslot desired to be used as a recovery key (printf is used instead of echo so that $NUM is expanded inside the quoted JSON).
This allows for advanced use cases like using a hardware FIDO2 key as a Recovery Key, to avoid needing to type a long passphrase in the event of boot chain security not being validated.
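An added check covering the two procedures above (wiping a key slot and designating a recovery key); this is example code, not part of this page, systemd-cryptenroll or cryptsetup. It parses the JSON that cryptsetup luksDump --dump-json-metadata /dev/disk prints, classifies each key slot by the systemd token type attached to it (a slot with no token is a plain passphrase), and refuses a wipe that would leave no Passphrase or Recovery Key behind. The sample metadata and the helper names are constructed for the example.

```python
import json

# Constructed sample: this page's Default Mode layout (slot 1 Recovery Key, slot 2 TPM 2.0)
# plus a FIDO2 token in slot 3; LUKS2 fields the check does not need are omitted.
SAMPLE_METADATA = json.dumps({
    "keyslots": {"1": {"type": "luks2"}, "2": {"type": "luks2"}, "3": {"type": "luks2"}},
    "tokens": {
        "0": {"type": "systemd-recovery", "keyslots": ["1"]},
        "1": {"type": "systemd-tpm2", "keyslots": ["2"]},
        "2": {"type": "systemd-fido2", "keyslots": ["3"]},
    },
})

def classify_slots(metadata_json):
    """Map each key slot to a set of kinds: 'passphrase' (slot without a token),
    'recovery', 'tpm2', 'fido2', ... A slot may carry several tokens."""
    meta = json.loads(metadata_json)
    kinds = {slot: set() for slot in meta.get("keyslots", {})}
    for token in meta.get("tokens", {}).values():
        kind = token["type"].replace("systemd-", "", 1)
        for slot in token.get("keyslots", []):
            if slot in kinds:
                kinds[slot].add(kind)
    for kind_set in kinds.values():
        if not kind_set:
            kind_set.add("passphrase")  # enrolled with --password: no token
    return kinds

def safe_to_wipe(metadata_json, slot):
    """True only if wiping `slot` leaves a Passphrase or Recovery Key slot behind."""
    kinds = classify_slots(metadata_json)
    slot = str(slot)
    if slot not in kinds:
        raise ValueError(f"key slot {slot} is empty")
    remaining = [k for s, k in kinds.items() if s != slot]
    return any(k & {"passphrase", "recovery"} for k in remaining)

def recovery_token_json(slot):
    """The token JSON this page pipes into `cryptsetup token import`."""
    return json.dumps({"type": "systemd-recovery", "keyslots": [str(slot)]},
                      separators=(",", ":"))

def designate_recovery(metadata_json, slot):
    """Apply the token-import step to the metadata in memory (a simulation)."""
    meta = json.loads(metadata_json)
    tokens = meta.setdefault("tokens", {})
    next_id = str(max((int(i) for i in tokens), default=-1) + 1)
    tokens[next_id] = json.loads(recovery_token_json(slot))
    return json.dumps(meta)
```

With the sample layout, wiping the TPM 2.0 slot is allowed but wiping slot 1 is not, until the FIDO2 slot has been designated as a recovery key.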