
Libreboot Full-Disk-Encryption

Install Debian

Sane layout for 1-drive devices: LUKS partition on the NVMe --> LVM inside it

encrypt the whole NVMe as one LUKS container

inside the LUKS container --> create an LVM volume group named grubcrypt

create 1 or 2 LVM logical volumes for / and /boot, named rootvol and bootvol

install normally with no swap.

ignore the bootloader installation error and drop to a terminal

mount /dev/mapper/grubcrypt-rootvol /mnt
mount /dev/mapper/grubcrypt-bootvol /mnt/boot   # only if you created the separate bootvol
for dir in /dev /proc /sys /run; do mount --bind "$dir" "/mnt$dir"; done
chroot /mnt

inside the chroot run

update-initramfs -u
update-grub

the generated config in /boot/grub/grub.cfg should be fine

exit the chroot shell and finish installation.

Alternative: LVM container --> LUKS on the root volume

You can also just create LVM volumes directly on the drive and encrypt each of them with LUKS (works if you only want the root volume encrypted)

Fix CBFS GRUB

the current Libreboot GRUB won't decrypt this and chainload the cfg on its own (why, I have no idea)

you can create a custom boot entry or do it manually:

press c to drop to the GRUB command line

# will find the encrypted volume instantly and ask for the passphrase
cryptomount -a

# now set root=(crypto0)

root=(crypto0)

# then chainload the grub.cfg

# you need to specify the lvm path correctly if the luks container holds lvm:
configfile (lvm/grubcrypt-rootvol)/boot/grub/grub.cfg

# or if a separate bootvol is used
configfile (lvm/grubcrypt-bootvol)/grub/grub.cfg

# if you are already inside the lvm volume
configfile /boot/grub/grub.cfg

Final

If you got FDE working you can put these commands in a GRUB menu entry and be done with it. It will still ask for the passphrase twice though (once in GRUB, once again in the initramfs).

Further

entry to boot a statically named LVM volume

It's technically viable to use a volume group with the static name grubcrypt and have this work out of the box. Volumes spanning several devices are also doable with GRUB: rootvol on nvme + ssd is complex but works.

prevent the second password prompt

See https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html on how to handle the second password prompt if you don't like it.

boot with a USB keychain attached to skip the first prompt (AI, needs testing)

Can GRUB read keyfiles from USB?

    GRUB can access USB devices at boot, assuming the right modules (usb, usbms, part_msdos or part_gpt, luks, etc.) are loaded.

    You can configure GRUB to load a keyfile from a USB device and use it to decrypt a LUKS volume via the cryptomount command with the keyfile= option.

    This setup is less common and a bit tricky because:

        GRUB needs to detect the USB device early and find the keyfile.

        The USB stick needs a known device path or UUID that GRUB can reliably identify.

        You might need a custom grub.cfg entry that uses cryptomount with a keyfile parameter pointing to the USB’s partition and keyfile location.

Example snippet inside GRUB (conceptually):

insmod usb
insmod usbms
insmod part_gpt
insmod luks

# Search for USB device with known UUID
search --fs-uuid --set=usbkey ABCD-1234

cryptomount -u <LUKS-UUID> --key-file=(usbkey)/path/to/keyfile

If the USB is not plugged in, GRUB will fail to unlock, so the root volume stays locked — exactly your goal.

replacement grub.cfg for CBFS on vanilla Libreboot (this will override the default menu!! the first entry boots automatically after the timeout!!)

insmod at_keyboard
insmod usb_keyboard
insmod nativedisk
insmod xhci
insmod ehci
insmod ohci
insmod uhci
insmod usb
insmod usbms
insmod regexp

insmod lvm
insmod luks
insmod cryptodisk

terminal_input --append at_keyboard
terminal_input --append usb_keyboard
terminal_output --append cbmemc

# User interface overrides wherever "keystatus" is supported
# Keep SHIFT key pressed before powering on to disable graphics
if keystatus --shift; then
    terminal_output --append vga_text
else
    gfxpayload=keep
    terminal_output --append gfxterm

    for dt in cbfsdisk memdisk; do
        for it in png jpg; do
            if [ -f (${dt})/background.${it} ]; then
                insmod ${it}
                background_image (${dt})/background.${it}
            fi
        done
    done
fi

# Keep CTRL pressed to enable default serial terminal (COM1 or the like)
if keystatus --ctrl; then
    serial
    terminal_input --append serial
    terminal_output --append serial
fi

# Keep ALT pressed to enable spkmodem
if keystatus --alt; then
    terminal_output --append spkmodem
fi

if [ -f (cbfsdisk)/keymap.gkb ]; then
    keymap (cbfsdisk)/keymap.gkb
fi

set timeout=5
set default=0

# Don't lecture me about set root=, it will NOT work. Use the full path.

menuentry "Boot: cryptomount all -> LVM root -> /boot/grub/grub.cfg" {
    cryptomount -a
    configfile (lvm/grubcrypt-rootvol)/boot/grub/grub.cfg
}

menuentry "Boot: cryptomount all -> LVM boot -> /grub/grub.cfg" {
    cryptomount -a
    configfile (lvm/grubcrypt-bootvol)/grub/grub.cfg
}

menuentry "Boot: LVM -> decrypt root volume -> /boot/grub/grub.cfg" {
    cryptomount (lvm/grubcrypt-root)
    configfile (crypto0)/boot/grub/grub.cfg
}

# Notice this will just loop back sadly

menuentry 'Libreboot default menu [l]' --hotkey='l' {
    configfile (memdisk)/boot/grub/grub.cfg
}
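A broken replacement grub.cfg in CBFS leaves the board sitting at a GRUB prompt, so it pays to lint it before flashing. The following is an added Python check, not part of this page or of Libreboot; it assumes the VG/LV names grubcrypt-rootvol and grubcrypt-bootvol from the install above and flags entries that read an LVM or crypto path without running cryptomount first, unknown volume names (such as the bootbol typo), and missing insmod lines for lvm/luks/cryptodisk.

```python
import re

# Assumption: VG and LV names from the Debian install described on this page.
KNOWN_LVS = {"grubcrypt-rootvol", "grubcrypt-bootvol"}
REQUIRED_MODULES = {"lvm", "luks", "cryptodisk"}

def check_grub_cfg(text):
    """Return a list of problems found in a CBFS grub.cfg; empty means it passed."""
    problems, loaded, entries, current = [], set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"insmod\s+(\S+)", line):
            loaded.add(m.group(1))
        elif m := re.match(r"menuentry\s+(['\"])(.*?)\1.*\{$", line):
            current = (m.group(2), [])  # (title, body lines)
            entries.append(current)
        elif line == "}":
            current = None
        elif current is not None:
            current[1].append(line)
    for mod in sorted(REQUIRED_MODULES - loaded):
        problems.append(f"module '{mod}' is never loaded with insmod")
    for title, body in entries:
        unlocked = False  # has cryptomount run earlier in this entry?
        for line in body:
            if line.startswith("cryptomount"):
                unlocked = True
            elif m := re.match(r"configfile\s+\((lvm/([^)]+)|crypto\d+)\)", line):
                if not unlocked:
                    problems.append(f"'{title}': configfile on encrypted path before cryptomount")
                if m.group(2) and m.group(2) not in KNOWN_LVS:
                    problems.append(f"'{title}': unknown LVM volume '{m.group(2)}'")
    return problems

# Constructed sample (not the page's config): entry 1 carries a "bootbol"
# typo and entry 2 forgets to cryptomount before reading the LVM volume.
SAMPLE_CFG = """insmod lvm
insmod luks
insmod cryptodisk
menuentry "Boot: LVM boot" {
    cryptomount -a
    configfile (lvm/grubcrypt-bootbol)/grub/grub.cfg
}
menuentry "Boot: forgot to unlock" {
    configfile (lvm/grubcrypt-rootvol)/boot/grub/grub.cfg
}
"""
```

Run check_grub_cfg on the real file (open(...).read()) and only flash when it returns an empty list.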