Re: GRUB and boot partition
- Date: Tue, 26 Dec 2017 10:42:46 +0100
- From: Pascal Hambourg <pascal@xxxxxxxxxxxxxxx>
- Subject: Re: GRUB and boot partition
On 26/12/2017 at 02:47, microsoft gaofei wrote:
ArchWiki has carried an introduction of GRUB, which offers a feature to decrypt your partitions so that you don't need a separate /boot. Debian also uses GRUB as its boot loader, but Debian still separates the /boot partition and leaves it unencrypted
Indeed the Debian installer does not allow an encrypted /boot partition.
IMO it should be treated as a (strong) warning, not as a blocking error.
You can still manage to have /boot encrypted on Debian with extra manual
steps. The Debian 8 installer had a flaw that could be exploited: it
did not detect when /boot was an LVM logical volume in an encrypted PV.
But this trick does not seem to work any more with the Debian 9 installer.
Note however that in any case, the early part of GRUB cannot be
encrypted. It is that part which asks for the passphrase. If you use
encryption only for confidentiality (in case of loss or theft of the
computer), it probably does not matter that /boot is not encrypted,
because it usually does not contain any sensitive data. But if you use
encryption for tamper-proofing, then encrypting /boot is not enough,
because someone with physical access to the computer could tamper with
the unencrypted part of GRUB and modify it to install a keylogger,