
Re: Possible for full-disk encryption to encrypt /boot as well?

On 25/05/2018 at 20:55, Robert Dodier wrote:

> I'm working with Debian 9. I gather that there is a full-disk
> encryption option for the standard Debian installer, which, as I
> understand it, does not include encrypting /boot. (The system I'm
> working on wasn't encrypted when it was installed, so the system would
> have to be reinstalled; that's OK.)
>
> The only description of encrypting /boot that I was able to find is:
> https://gist.github.com/ppmathis/ccfbfce86484dc61834c1f17568d7b80
> I wonder if there is any simpler approach.
>
> Is it possible that, perhaps, other Linux distributions have an option
> for encrypting /boot? I wasn't able to find any information about
> that.

I have managed to use the standard Debian installer to install with encrypted /boot (either including or excluding /boot/grub) but it was far from straightforward. I had to perform some steps with the embedded shell. Also, the installer insists that /boot should not be encrypted. Jessie's installer was quite easy to trick (just put /boot on LVM on encrypted volume). But the trick did not work with Stretch's installer, so I had to create a dummy /boot.

> It's OK if the answer to these questions is no, I'm just trying to
> sort out the feasibility of encrypting /boot.

Why do you want an encrypted /boot? It does not usually contain any sensitive information. Encrypted /boot is not tamper-proof unless extra steps are taken to protect the first stage boot such as booting from write-protected, authenticated or removable media.
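The caveat in the reply above, that an encrypted /boot still leaves the unencrypted first-stage boot code exposed to modification, can be illustrated with an integrity check on that region. This is an added example, not code from the thread: it assumes the first stage is the 440-byte MBR boot code and that a known-good SHA-256 of it was recorded from trusted media at install time; the demo runs on a constructed image file rather than a real disk.

```shell
#!/bin/sh
# Added example (not from the original thread). Encrypting /boot does not
# cover the boot code the firmware reads before any decryption happens,
# so that region has to be verified separately or kept on write-protected
# or removable media. Assumption: first stage = first 440 bytes (MBR boot
# code); the partition table that follows is deliberately excluded.

# SHA-256 of the first N bytes (default 440) of a block device or image.
boot_code_hash() {
    dev=$1
    nbytes=${2:-440}
    dd if="$dev" bs=1 count="$nbytes" 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Compare the current boot code with the hash recorded at install time.
# Returns 0 when unchanged, 1 when the region differs.
verify_first_stage() {
    dev=$1
    expected=$2
    actual=$(boot_code_hash "$dev")
    [ "$actual" = "$expected" ]
}

# Stand-alone demo on a constructed 2 KiB image; no real disk is touched.
demo() {
    img=$(mktemp)
    dd if=/dev/zero of="$img" bs=512 count=4 2>/dev/null
    printf 'constructed stage1 boot code' | dd of="$img" conv=notrunc 2>/dev/null
    golden=$(boot_code_hash "$img")      # value you would record at install time
    verify_first_stage "$img" "$golden" && echo "first-stage boot code intact"
    # A single changed byte in the boot code must be detected.
    printf 'X' | dd of="$img" conv=notrunc 2>/dev/null
    verify_first_stage "$img" "$golden" || echo "first-stage boot code CHANGED"
    rm -f "$img"
}

demo
```

In practice the recorded hash has to live somewhere the running system cannot silently rewrite (for example on the removable media the reply mentions), otherwise the check only detects accidental changes.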