Re: GRUB and boot partition
- Date: Tue, 26 Dec 2017 12:10:52 +0100
- From: Pascal Hambourg <pascal@xxxxxxxxxxxxxxx>
- Subject: Re: GRUB and boot partition
Le 26/12/2017 à 11:36, tomas@xxxxxxxxxx a écrit :
On Tue, Dec 26, 2017 at 10:42:46AM +0100, Pascal Hambourg wrote:
Note however that in any case, the early part of GRUB cannot be
Is there any inherent advantage to having /boot encrypted?
I can imagine a few situations.
- When you can enforce the early stage of GRUB integrity by storing it
on removable or read-only boot media, checking it with trusted
You could extend this to the whole /boot directory contents instead of
encrypting it but parts of it such as the kernel image, initramfs and
grub.cfg change quite often, while GRUB itself seldom changes. An
alternative to /boot encryption is to sign its contents so that GRUB
early stage can check the files when loading them.
- When you need to store sensitive data in /boot, such as passphrases
for other encrypted volumes.