Re: Possible for full-disk encryption to encrypt /boot as well?
- Date: Fri, 25 May 2018 21:44:44 +0200
- From: Pascal Hambourg <pascal@xxxxxxxxxxxxxxx>
On 25/05/2018 at 20:55, Robert Dodier wrote:
> I'm working with Debian 9. I gather that there is a full-disk
> encryption option for the standard Debian installer, which, as I
> understand it, does not include encrypting /boot. (The system I'm
> working on wasn't encrypted when it was installed, so the system would
> have to be reinstalled, that's OK.)
>
> The only description of encrypting /boot that I was able to find is:
>
> I wonder if there is any simpler approach.
>
> Is it possible that, perhaps, other Linux distributions have an option
> for encrypting /boot? I wasn't able to find any information about

I have managed to use the standard Debian installer to install with
encrypted /boot (either including or excluding /boot/grub) but it was
far from straightforward. I had to perform some steps with the embedded
shell. Also, the installer insists that /boot should not be encrypted.
Jessie's installer was quite easy to trick (just put /boot on LVM on
encrypted volume). But the trick did not work with Stretch's installer,
so I had to create a dummy /boot.

> It's OK if the answer to these questions is no, I'm just trying to
> sort out the feasibility of encrypting /boot.

Why do you want an encrypted /boot? It does not usually contain any
sensitive information. Encrypted /boot is not tamper-proof unless extra
steps are taken to protect the first stage boot such as booting from
write-protected, authenticated or removable media.