
Re: GRUB and boot partition

On 26/12/2017 at 02:47, microsoft gaofei wrote:
ArchWiki has carried an introduction of GRUB, it offers a feature to decrypt your partitions and you don't need to separate /boot. Debian also uses GRUB as its boot loader, but Debian still separates the /boot partition and leaves it unencrypted

Indeed the Debian installer does not allow an encrypted /boot partition. IMO it should be treated as a (strong) warning, not as a blocking error.

You can still manage to have /boot encrypted on Debian with extra manual steps. The Debian 8 installer had a flaw that could be exploited: it did not detect when /boot was an LVM logical volume in an encrypted PV. But this trick does not seem to work any more with the Debian 9 installer.

Note however that in any case, the early part of GRUB cannot be encrypted. It is that part which asks for the passphrase. If you use encryption only for confidentiality (in case of loss or theft of the computer), it probably does not matter that /boot is not encrypted, because it usually does not contain any sensitive data. But if you use encryption for tamper-proofing, then encrypting /boot is not enough, because someone with physical access to the computer could tamper with the unencrypted part of GRUB and modify it to install a keylogger, rootkit...
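Two small audit checks that follow from the reply above, added here as an example; this is not code from the list thread or from Debian. The first looks for `GRUB_ENABLE_CRYPTODISK=y` in an `/etc/default/grub` style file, the setting that makes `grub-install` embed the crypto modules so the early GRUB can unlock a LUKS volume holding /boot. The second baselines a digest of the unencrypted early-GRUB area (boot sector plus the embedded `core.img`, which on a BIOS/MBR install sits in the gap before the first partition) so that a later change to that area is at least visible. It assumes a Linux system with POSIX sh, `dd`, `sha256sum` and `mktemp`; the 2048-sector size is an assumption for the common 1 MiB partition gap and must be adjusted to the real layout. The demonstration runs on a constructed image file, never on a real disk.

```shell
#!/bin/sh
# Added example, not from the list thread. Assumes Linux coreutils
# (dd, sha256sum, mktemp) and POSIX sh.

# 1. Does the GRUB default config request an encrypted /boot?
#    Matches "GRUB_ENABLE_CRYPTODISK=y" and "GRUB_ENABLE_CRYPTODISK="y"",
#    ignoring commented-out lines.
grub_cryptodisk_enabled() {
    # $1: path to an /etc/default/grub style file
    grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK="?y' "$1"
}

# 2. Digest of the first $2 sectors of $1 (device or image file).
#    Assumption: 2048 sectors (1 MiB) covers the boot sector and the
#    embedded core.img on a typical BIOS/MBR layout; adjust as needed.
boot_area_digest() {
    dd if="$1" bs=512 count="$2" 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Record the current digest: $1 device, $2 sectors, $3 baseline file.
# Keep the baseline file somewhere the machine under test cannot rewrite
# (e.g. on removable media kept with you), otherwise it proves nothing.
boot_area_baseline() {
    boot_area_digest "$1" "$2" > "$3"
}

# Returns 0 when the boot area still matches the baseline, 1 when it changed.
boot_area_check() {
    [ "$(boot_area_digest "$1" "$2")" = "$(cat "$3")" ]
}

# Demonstration on a constructed zero-filled image (not a real disk):
# take a baseline, flip one byte inside the boot area, and show the
# check now fails.
demo() {
    img=$(mktemp) && base=$(mktemp)
    dd if=/dev/zero of="$img" bs=512 count=2048 2>/dev/null
    boot_area_baseline "$img" 2048 "$base"
    boot_area_check "$img" 2048 "$base" && echo "boot area unchanged: ok"
    printf 'X' | dd of="$img" bs=1 seek=512 conv=notrunc 2>/dev/null
    boot_area_check "$img" 2048 "$base" || echo "boot area changed: investigate"
    rm -f "$img" "$base"
}
demo
```

On a real system the baseline would be taken right after `grub-install` with something like `boot_area_baseline /dev/sda 2048 /media/usb/boot.sha256`, and re-checked from a trusted boot medium, since a modified GRUB could just as well lie to a check run from the system it has already compromised; the check only raises the bar, it does not replace measured or verified boot.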