dm-crypt/特記事項
Dm-crypt に戻る。
目次
暗号化されていない boot パーティションのセキュア化
たとえ root を暗号化したとしても、/boot
パーティションと Master Boot Record はディスクの中で暗号化されてない状態で残ります。この2つを暗号化するのは基本的に不可能です。ブートローダーと BIOS が dm-crypt コンテナの暗号化を解除してブートプロセスを続行することが出来なくなってしまいます。例外は GRUB で、LUKS で暗号化した /boot
を復号する機能が存在します。GRUB を見て下さい。
リムーバルデバイスから起動
Using a separate device to boot a system is a fairly straightforward procedure, and offers a significant security improvement against some kinds of attacks. Two vulnerable parts of a system employing an encrypted root filesystem are
- the Master Boot Record, and
- the
/boot
partition.
These must be stored unencrypted in order for the system to boot. In order to protect these from tampering, it is advisable to store them on a removable medium, such as a USB drive, and boot from that drive instead of the hard disk. As long as you keep the drive with you at all times, you can be certain that those components have not been tampered with, making authentication far more secure when unlocking your system.
既にシステム設定を終えていて専用のパーティションを /boot
にマウントしていることが前提です。まだ設定していない場合、dm-crypt/システム設定#ブートローダーの手順に従ってください。リムーバルメディアはハードディスクで置き換えて下さい。
Prepare the removable drive (/dev/sdx
).
# gdisk /dev/sdx #format if necessary. Alternatively, cgdisk, fdisk, cfdisk, gparted... # mkfs.ext2 /dev/sdx1 # mount /dev/sdx1 /mnt
Copy your existing /boot
contents to the new one.
# cp -R -i -d /boot/* /mnt
Mount the new partition. Do not forget to update your fstab file accordingly.
# umount /boot # umount /mnt # mount /dev/sdx1 /boot # genfstab -p -U / > /etc/fstab
Update GRUB. grub-mkconfig
should detect the new partition UUID automatically, but custom menu entries may need to be updated manually.
# grub-mkconfig -o /boot/grub/grub.cfg # grub-install /dev/sdx #install to the removable device, not the hard disk.
Reboot and test the new configuration. Remember to set your device boot order accordingly in your BIOS or UEFI. If the system fails to boot, you should still be able to boot from the hard drive in order to correct the problem.
chkboot
Referring to an article from the ct-magazine (Issue 3/12, page 146, 01.16.2012, [2]) the following script checks files under /boot
for changes of SHA-1 hash, inode, and occupied blocks on the hard drive. It also checks the Master Boot Record. The script cannot prevent certain type of attacks, but a lot are made harder. No configuration of the script itself is stored in unencrypted /boot
. With a locked/powered-off encrypted system, this makes it harder for some attackers because it is not apparent that an automatic checksum comparison of the partition is done upon boot. However, an attacker who anticipates these precautions can manipulate the firmware to run his own code on top of your kernel and intercept file system access, e.g. to boot
, and present the untampered files. Generally, no security measures below the level of the firmware are able to guarantee trust and tamper evidence.
インストールスクリプトが 存在します (Author: Juergen Schmidt, ju at heisec.de; License: GPLv2)。また、chkbootAUR パッケージでインストールすることもできます。
インストールしたらサービスファイル (パッケージに含まれています) を追加して有効化してください:
[Unit] Description=Check that boot is what we want Requires=basic.target After=basic.target [Service] Type=oneshot ExecStart=/usr/local/bin/chkboot.sh [Install] WantedBy=multi-user.target
There is a small caveat for systemd: At the time of writing, the original chkboot.sh
script provided contains an empty space at the beginning of #!/bin/bash
which has to be removed for the service to start successfully.
As /usr/local/bin/chkboot_user.sh
need to be excuted after login, add it to the autostart (e.g. under KDE -> System Settings -> Startup and Shutdown -> Autostart; GNOME 3: gnome-session-properties).
With Arch Linux, changes to /boot
are pretty frequent, for example by new kernels rolling-in. Therefore it may be helpful to use the scripts with every full system update. One way to do so:
#!/bin/bash # # Note: Insert your <user> and execute it with sudo for pacman & chkboot to work automagically # echo "Pacman update [1] Quickcheck before updating" & sudo -u <user> /usr/local/bin/chkboot_user.sh # insert your logged on <user> /usr/local/bin/chkboot.sh sync # sync disks with any results sudo -u <user> /usr/local/bin/chkboot_user.sh # insert your logged on <user> echo "Pacman update [2] Syncing repos for pacman" pacman -Syu /usr/local/bin/chkboot.sh sync sudo -u <user> /usr/local/bin/chkboot_user.sh # insert your logged on <user> echo "Pacman update [3] All done, let us roll on ..."
mkinitcpio-chkcryptoboot
mkinitcpio-chkcryptobootAUR は初期ユーザー空間で整合性チェックを行ってシステムのセキュリティが破られている場合に root パーティションのパスワードを入力しないようにユーザーに忠告する mkinitcpio フックです。ブートパーティションを暗号化することでセキュリティを確保し、GRUB の cryptodisk.mod
モジュールでロックを解除します。root ファイルシステムのパーティションは別のパスワードを使って暗号化します。これなら、オフラインの改竄からも initramfs やカーネルを守ることができ、たとえマシンに侵入されて /boot
パーティションのパスワードが入力されても root パーティションは安全です (chkcryptoboot フックが改竄を検出して、フック自体が改竄されていない場合)。
This hook requires GRUB release >=2.00 to function, and a dedicated, LUKS encrypted /boot
partition with its own password in order to be secure.
インストール
mkinitcpio-chkcryptobootAUR をインストールして /etc/default/chkcryptoboot.conf
を編集します。If you want the ability of detecting if your boot partition was bypassed, edit the CMDLINE_NAME
and CMDLINE_VALUE
variables, with values known only to you. You can follow the advice of using two hashes as is suggested right after the installation. Also, be sure to make the appropriate changes to the kernel command line in /etc/default/grub
. Edit the HOOKS=
line in /etc/mkinitcpio.conf
, and insert the chkcryptoboot
hook before encrypt
. When finished, rebuild the initramfs.
技術的な概要
mkinitcpio-chkcryptobootAUR consists of an install hook and a run-time hook for mkinitcpio. The install hook runs every time the initramfs is rebuilt, and hashes the GRUB EFI stub ($esp/EFI/grub_uefi/grubx64.efi
) (in the case of UEFI systems) or the first 446 bytes of the disk on which GRUB is installed (in the case of BIOS systems), and stores that hash inside the initramfs located inside the encrypted /boot
partition. When the system is booted, GRUB prompts for the /boot
password, then the run-time hook performs the same hashing operation and compares the resulting hashes before prompting for the root partition password. If they do not match, the hook will print an error like this:
CHKCRYPTOBOOT ALERT! CHANGES HAVE BEEN DETECTED IN YOUR BOOT LOADER EFISTUB! YOU ARE STRONGLY ADVISED NOT TO ENTER YOUR ROOT CONTAINER PASSWORD! Please type uppercase yes to continue:
In addition to hashing the boot loader, the hook also checks the parameters of the running kernel against those configured in /etc/default/chkcryptoboot.conf
. This is checked both at run-time and after the boot process is done. This allows the hook to detect if GRUB's configuration was not bypassed at run-time and afterwards to detect if the entire /boot
partition was not bypassed.
For BIOS systems the hook creates a hash of GRUB's first stage bootloader (installed to the first 446 bytes of the bootdevice) to compare at the later boot processes. The main second-stage GRUB bootloader core.img
is not checked.
他の方法
Alternatively to above scripts, a hash check can be set up with AIDE which can be customized via a very flexible configuration file.
While one of these methods should serve the purpose for most users, they do not address all security problems associated with the unencrypted /boot
. One approach which endeavours to provide a fully authenticated boot chain was published with POTTS as an academic thesis to implement the STARK authentication framework.
The POTTS proof-of-concept uses Arch Linux as a base distribution and implements a system boot chain with
- POTTS - a boot menu for a one-time authentication message prompt
- TrustedGrub - a GRUB Legacy implementation which authenticates the kernel and initramfs against TPM chip registers
- TRESOR - a kernel patch which implements AES but keeps the master-key not in RAM but in CPU registers during runtime.
As part of the thesis installation instructions based on Arch Linux (ISO as of 2013-01) have been published. If you want to try it, be aware these tools are not in standard repositories and the solution will be time consuming to maintain.
GPG や OpenSSL で暗号化されたキーファイルを使う
The following forum posts give instructions to use two factor authentication, gpg or openssl encrypted keyfiles, instead of a plaintext keyfile described earlier in this wiki article System Encryption using LUKS with GPG encrypted keys:
- GnuPG: Post regarding GPG encrypted keys This post has the generic instructions.
- OpenSSL: Post regarding OpenSSL encrypted keys This post only has the
ssldec
hooks. - OpenSSL: Post regarding OpenSSL salted bf-cbc encrypted keys This post has the
bfkf
initcpio hooks, install, and encrypted keyfile generator scripts. - LUKS: Post regarding LUKS encrypted keys with a
lukskey
initcpio hook.
Note that:
- You can follow the above instructions with only two primary partitions, one boot partition (required because of encryption) and one primary LVM partition. Within the LVM partition you can have as many partitions as you need, but most importantly it should contain at least root, swap, and home logical volume partitions. This has the added benefit of having only one keyfile for all your partitions, and having the ability to hibernate your computer (suspend to disk) where the swap partition is encrypted. If you decide to do so your hooks in
/etc/mkinitcpio.conf
should look like this:HOOKS=" ... usb usbinput (etwo or ssldec) encrypt (if using openssl) lvm2 resume ... "
and you should addresume=/dev/mapper/<VolumeGroupName>-<LVNameOfSwap>
to your カーネルパラメータ. - If you need to temporarily store the unencrypted keyfile somewhere, do not store them on an unencrypted disk. Even better make sure to store them to RAM such as
/dev/shm
. - If you want to use a GPG encrypted keyfile, you need to use a statically compiled GnuPG version 1.4 or you could edit the hooks and use this AUR package gnupg1AUR
- It is possible that an update to OpenSSL could break the custom
ssldec
mentioned in the second forum post.
root などのパーティションのリモート解除
LUKS によって完全に暗号化されたシステムをリモートで再起動したい場合、もしくは Wake-on-LAN サービスを使ってシステムを起動したい場合、起動時に root パーティション/ボリュームのパスフレーズを入力する手段が必要になります。initrd で mkinitcpio の net
フックと SSH サーバーを実行することでこれを実現可能です。dropbear_initrd_encryptAUR パッケージをインストールしてインストール後の指示に従って下さい:
- If you do not have an SSH key pair yet, generate one on the client system (the one which will be used to unlock the remote machine).
- Insert your SSH public key (i.e. the one you usually put onto hosts so that you can ssh in without a password, or the one you just created and which ends with .pub) into the remote machine's
/etc/dropbear/root_key
file using the method of your choice, e.g.:- リモートサーバーに公開鍵をコピー
- then enter the following command (on the remote system):
# cat /home/<user>/.ssh/authorized_keys > /etc/dropbear/root_key
- Add the
dropbear encryptssh
hooks beforefilesystems
within the "HOOKS" array in/etc/mkinitcpio.conf
(or replaceencrypt
with them if it was present). Put thenet
hook early in the HOOKS array if your DHCP server takes a long time to lease IP addresses, and in any case place it before thedropbear encryptssh
hooks (betweenmodconf
andblock
proves functional). Then rebuild the initramfs image. - Configure the required
cryptdevice=
parameter and add theip=
kernel command parameter to your bootloader configuration with the appropriate arguments (see Mkinitcpio#net を使う). For example, if the DHCP server does not attribute a static IP to your remote system, making it difficult to access via SSH accross reboots, you can explicitly state the IP you want to be used:ip=192.168.1.1:::::eth0:none
そしてブートローダーの設定を更新してください。例えば GRUB の場合:# grub-mkconfig -o /boot/grub/grub.cfg
- Finally, restart the remote system and try to ssh to it, explicitly stating the "root" username (even if the root account is disabled on the machine, here it is a special "root" user set by dropbear for the purpose of unlocking the remote system). You may see a warning about host authenticity that you can safely ignore (type yes), then you should be presented with a prompt asking you to enter the passphrase for unlocking the remote root:
$ ssh root@192.168.1.1
Enter passphrase for /dev/sda2: Connection to 192.168.1.1 closed.
Afterwards, the system will complete its boot process and you can ssh to it as you normally would (with the remote user of your choice).
wifi でリモートのロック解除
The net hook is normally used with an ethernet connection. In case you want to setup a computer with wireless only, and unlock it via wifi, you can create a custom hook to connect to a wifi network before the net hook is run.
Below example shows a setup using a usb wifi adapter, connecting to a wifi network protected with WPA2-PSK. In case you use for example WEP or another boot loader, you might need to change some things.
- Modify
/etc/mkinitcpio.conf
:- Add the needed kernel module for your specific wifi adatper.
- Include the
wpa_passphrase
andwpa_supplicant
binaries. - Add a hook
wifi
(or a name of your choice, this is the custom hook that will be created) before thenet
hook.MODULES="module"
BINARIES="wpa_passphrase wpa_supplicant"
HOOKS="base udev autodetect ... wifi net ... dropbear encryptssh ..."
- Create the
wifi
hook in/lib/initcpio/hooks/wifi
:run_hook ()
{
# sleep a couple of seconds so wlan0 is setup by kernel
sleep 5
# set wlan0 to up
ip link set wlan0 up
# assocciate with wifi network
# 1. save temp config file
wpa_passphrase "network ESSID" "pass phrase" > /tmp/wifi
# 2. assocciate
wpa_supplicant -B -D nl80211,wext -i wlan0 -c /tmp/wifi
# sleep a couple of seconds so that wpa_supplicant finishes connecting
sleep 5
# wlan0 should now be connected and ready to be assigned an ip by the net hook
}
run_cleanuphook ()
{
# kill wpa_supplicant running in the background
killall wpa_supplicant
# set wlan0 link down
ip link set wlan0 down
# wlan0 should now be fully disconnected from the wifi network
} - Create the hook installation file in
/lib/initcpio/install/wifi
:build ()
{
add_runscript
}
help ()
{
cat<<HELPEOF
Enables wifi on boot, for dropbear ssh unlocking of disk.
HELPEOF
} ip=:::::wlan0:dhcp
をカーネルパラメータに追加。衝突しないようにip=:::::eth0:dhcp
は削除してください。- Optionally create an additional boot entry with kernel parameter
ip=:::::eth0:dhcp
. - initramfs イメージを再生成。
- ブートローダーの設定を更新。例えば GRUB の場合:
# grub-mkconfig -o /boot/grub/grub.cfg
Remember to setup wifi, so you are able to login once the system is fully booted. In case you are unable to connect to the wifi network, try increasing the sleep times a bit.
ソリッドステートドライブ (SSD) の Discard/TRIM のサポート
Solid state drive users should be aware that by default, Linux's full-drive encryption mechanisms will not forward TRIM commands from the filesystem to the underlying drive. The device-mapper maintainers have made it clear that TRIM support will never be enabled by default on dm-crypt devices because of the potential security implications.[3][4]
Most users will still want to use TRIM on their encrypted SSDs. Minimal data leakage in the form of freed block information, perhaps sufficient to determine the filesystem in use, may occur on devices with TRIM enabled. An illustration and discussion of the issues arising from activating TRIM is available in the blog of a cryptsetup
developer. As a result encryption schemes that rely on plausible deniability should never be used on a device that utilizes TRIM.
In linux 3.1 and up, support for dm-crypt TRIM pass-through can be toggled upon device creation or mount with dmsetup. Support for this option also exists in cryptsetup version 1.4.0 and up. To add support during boot, you will need to add :allow-discards
to the cryptdevice
option. The TRIM option may look like this:
cryptdevice=/dev/sdaX:root:allow-discards
For the main cryptdevice
configuration options before the :allow-discards
see Dm-crypt/システム設定.
Besides the kernel option, it is also required to periodically run fstrim
or mount the filesystem (e.g. /dev/mapper/root
in this example) with the discard
option in /etc/fstab
. For details, please refer to the SSD page. For LUKS devices unlocked manually on the console or via /etc/crypttab
either discard
or allow-discards
may be used.
encrypt フックと複数のディスク
The encrypt
hook only allows for a single cryptdevice=
entry. In system setups with multiple drives this may be limiting, because dm-crypt has no feature to exceed the physical device. For example, take "LVM on LUKS": The entire LVM exists inside a LUKS mapper. This is perfectly fine for a single-drive system, since there is only one device to decrypt. But what happens when you want to increase the size of the LVM? You cannot, at least not without modifying the encrypt
hook.
The following sections briefly show alternatives to overcome the limitation. The first deals with how to expand a LUKS on LVM setup to a new disk. The second with modifying the encrypt
hook to unlock multiple disks in LUKS setups without LVM. The third section then again uses LVM, but modifies the encrypt
hook to unlock the encrypted LVM with a remote LUKS header.
LVM を複数のディスクに拡張
The management of multiple disks is a basic LVM feature and a major reason for its partitioning flexibility. It can also be used with dm-crypt, but only if LVM is employed as the first mapper. In such a LUKS on LVM setup the encrypted devices are created inside the logical volumes (with a separate passphrase/key per volume). The following covers the steps to expand that setup to another disk.
新しいドライブの追加
First, it may be desired to prepare a new disk according to Dm-crypt/ドライブの準備.
Second, it is partitioned as a LVM, e.g. all space is allocated to /dev/sdY1
with partition type "8E00" (Linux LVM).
Third, the new disk/partition is attached to the existing LVM volume group, e.g.:
# pvcreate /dev/sdY1 # vgextend MyStorage /dev/sdY1
論理ボリュームの拡張
For the next step, the final allocation of the new diskspace, the logical volume to be extended has to be unmounted. It can be performed for the cryptdevice
root partition, but in this case the procedure has to be performed from an Arch Install ISO.
In this example, it is assumed that the logical volume for /home
(lv-name homevol
) is going to be expanded with the fresh disk space:
# umount /home # fsck /dev/mapper/home # cryptsetup luksClose /dev/mapper/home # lvextend -l +100%FREE MyStorage/homevol
Now the logical volume is extended and the LUKS container comes next:
# cryptsetup open --type luks /dev/mapper/MyStorage-homevol home # umount /home # as a safety, in case it was automatically remounted # cryptsetup --verbose resize home
Finally, the filesystem itself is resized:
# e2fsck -f /dev/mapper/home # resize2fs /dev/mapper/home
Done! If it went to plan, /home
can be remounted
# mount /dev/mapper/home /home
and now includes the span to the new disk. Note that the cryptsetup resize
action does not affect encryption keys, they have not changed.
複数のパーティションの encrypt フックを修正
複数の root パーティション
It is possible to modify the encrypt hook to allow multiple hard drive decrypt root (/
) at boot. The cryptsetup-multiAUR package may be used for it. An alternative way according to an Arch user (benke):
# cp /usr/lib/initcpio/hooks/encrypt /usr/lib/initcpio/hooks/encrypt2 # cp /usr/lib/initcpio/install/encrypt /usr/lib/initcpio/install/encrypt2 # nano /usr/lib/initcpio/hooks/encrypt2
Change $cryptkey
to $cryptkey2
, and $cryptdevice
to $cryptdevice2
.
Add cryptdevice2=
(e.g. cryptdevice2=/dev/sdb:hdd2
) to your boot options (and cryptkey2=
if needed).
Change the /etc/fstab
flag for root:
/dev/sdb /mnt btrfs device=/dev/sda,device=/dev/sdb, ... 0 0
複数の root 以外のパーティション
Maybe you have a requirement for using the encrypt
hook on a non-root partition. Arch does not support this out of the box, however, you can easily change the cryptdev and cryptname values in /lib/initcpio/hooks/encrypt
(the first one to your /dev/sd*
partition, the second to the name you want to attribute). That should be enough.
The big advantage is you can have everything automated, while setting up /etc/crypttab
with an external key file (i.e. the keyfile is not on any internal hard drive partition) can be a pain - you need to make sure the USB/FireWire/... device gets mounted before the encrypted partition, which means you have to change the order of /etc/fstab
(at least).
Of course, if the cryptsetup package gets upgraded, you will have to change this script again. Unlike /etc/crypttab
, only one partition is supported, but with some further hacking one should be able to have multiple partitions unlocked.
If you want to do this on a software RAID partition, there is one more thing you need to do. Just setting the /dev/mdX
device in /lib/initcpio/hooks/encrypt
is not enough; the encrypt
hook will fail to find the key for some reason, and not prompt for a passphrase either. It looks like the RAID devices are not brought up until after the encrypt
hook is run. You can solve this by putting the RAID array in /boot/grub/menu.lst
, like
kernel /boot/vmlinuz-linux md=1,/dev/hda5,/dev/hdb5
If you set up your root partition as a RAID, you will notice the similarities with that setup ;-). GRUB can handle multiple array definitions just fine:
kernel /boot/vmlinuz-linux root=/dev/md0 ro md=0,/dev/sda1,/dev/sdb1 md=1,/dev/sda5,/dev/sdb5,/dev/sdc5
リモート LUKS ヘッダーを使ってシステムを暗号化
This example follows the same setup as in Dm-crypt/システム全体の暗号化#Plain dm-crypt, which should be read first before following this guide.
By using a remote header the encrypted blockdevice itself only carries encrypted data, which gives deniable encryption as long as the existence of a header is unknown to the attackers. It is similar to using plain dm-crypt, but with the LUKS advantages such as multiple passphrases for the masterkey and key derivation. Further, using a remote header offers a form of two factor authentication with an easier setup than using GPG or OpenSSL encrypted keyfiles, while still having a built-in password prompt for multiple retries. See ディスク暗号化#暗号メタデータ for more information.
See dm-crypt/デバイスの暗号化#LUKS モードの暗号化オプション for encryption options before performing the first step to setup the encrypted system partition and creating a header file to use with cryptsetup
:
# truncate -s 2M header.img # cryptsetup luksFormat /dev/sdX --header header.img
Open the container:
# cryptsetup open --header header.img --type luks /dev/sdX enc
Now follow the LVM on LUKS setup to your requirements. The same applies for preparing the boot partition on the removable device (because if not, there is no point in having a separate header file for unlocking the encrypted disk).
Next move the header.img
onto it:
# mv header.img /mnt/boot
Follow the installation procedure up to the mkinitcpio step (you should now be arch-chroot
ed inside the encrypted system).
There are two options for initramfs to support a detached LUKS header.
systemd フックを使う
First create /etc/crypttab.initramfs
and add the encrypted device to it. The syntax is defined in crypttab(5)
/etc/crypttab.initramfs
MyStorage PARTUUID=00000000-0000-0000-0000-000000000000 none header=/boot/header.img
Modify /etc/mkinitcpio.conf
to use systemd and add the header to FILES
.
/etc/mkinitcpio.conf
FILES="/boot/header.img" HOOKS="... systemd ... block sd-encrypt sd-lvm2 filesystems ..."
Recreate the initramfs and you are done.
encrypt フックを修正する
This method shows how to modify the encrypt
hook in order to use a remote LUKS header. Now the encrypt
hook has to be modified to let cryptsetup
use the separate header (base source and idea for these changes published on the BBS). Make a copy so it is not overwritten on a mkinitcpio update:
# cp /lib/initcpio/hooks/encrypt{,2} # cp /usr/lib/initcpio/install/encrypt{,2}
/lib/initcpio/hooks/encrypt2 (around line 52)
warn_deprecated() { echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated" echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead." } local headerFlag=false for cryptopt in ${cryptoptions//,/ }; do case ${cryptopt} in allow-discards) cryptargs="${cryptargs} --allow-discards" ;; header) cryptargs="${cryptargs} --header /boot/header.img" headerFlag=true ;; *) echo "Encryption option '${cryptopt}' not known, ignoring." >&2 ;; esac done if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then if $headerFlag || cryptsetup isLuks ${resolved} >/dev/null 2>&1; then [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated dopassphrase=1
Now edit the mkinitcpio.conf to add the encrypt2
and lvm2
hooks, the header.img
to FILES
and the loop
to MODULES
, apart from other configuration the system requires:
/etc/mkinitcpio.conf
MODULES="loop" FILES="/boot/header.img" HOOKS="... encrypt2 lvm2 ... filesystems ..."
This is required so the LUKS header is available on boot allowing the decryption of the system, exempting us from a more complicated setup to mount another separate USB device in order to access the header. After this set up the initramfs is created.
Next the boot loader is configured to specify the cryptdevice=
also passing the new header
option for this setup:
cryptdevice=/dev/sdX:enc:header
To finish, following Dm-crypt/システム全体の暗号化#インストール後 is particularly useful with a /boot
partition on an USB storage medium.