
Re: Possible for full-disk encryption to encrypt /boot as well?

On 26/05/2018 at 02:33, Robert Dodier wrote:
> On Fri, May 25, 2018 at 12:44 PM, Pascal Hambourg
> <pascal@xxxxxxxxxxxxxxx> wrote:
>
>> Why do you want an encrypted /boot ? It does not usually contain any
>> sensitive information. Encrypted /boot is not tamper-proof unless extra
>> steps are taken to protect the first stage boot such as booting from
>> write-protected, authenticated or removable media.
>
> Thanks for your reply. I am working for an organization which requires
> computers to be full disk encrypted. They support Windows, but if I
> want to run Linux, I'm on my own. So to be precise I need something
> which is strictly comparable to whatever is provided by Symantec full
> disk encryption for Windows. If I can achieve that, I'll be in
> business.

I don't know how Symantec's "full" disk encryption works, but AFAIK a boot disk cannot be fully encrypted, unless the platform firmware can handle the encryption format. IIUC Coreboot or Libreboot may do it. Otherwise the bootstrap code must not be encrypted so that the platform firmware can load and run it. Even if /boot is encrypted, the first stage of the boot loader (GRUB boot image and core image if using BIOS/legacy boot, the EFI partition if using EFI boot) cannot be encrypted.
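As an added example, not part of Pascal's or Robert's messages: a POSIX shell script that does the two things a practitioner would want after reading the above. First, it reports which boot-chain mountpoints sit on a crypt device and which are plaintext, by walking the parent chain in `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output (an LVM-on-LUKS layout with a separate EFI partition is constructed inline as sample input, so the script runs without real hardware). Second, since the first stage cannot be encrypted, it records SHA-256 hashes of the unencrypted first-stage files (the EFI partition contents, or the MBR plus GRUB's embedded core image on BIOS systems) so a later check can detect tampering. The function names, the sample device names and the assumption that the first partition starts at sector 2048 are mine.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original posts.
# Requires: awk, sha256sum (GNU coreutils), dd, find, sort, cmp.

# Constructed sample of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`:
# LVM on LUKS, with a separate plaintext EFI partition. Device names are made up.
sample_lsblk() {
    cat <<'EOF'
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="luks-root" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-root"
NAME="vg-boot" TYPE="lvm" MOUNTPOINT="/boot" PKNAME="luks-root"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="luks-root"
EOF
}

# Reads lsblk -P output (columns NAME,TYPE,MOUNTPOINT,PKNAME) on stdin and takes
# mountpoints as arguments. A mountpoint counts as encrypted only if the device
# it sits on, or one of its ancestors (LVM on LUKS, etc.), is a crypt device.
# Output: one line per mountpoint: "<mountpoint> encrypted|PLAINTEXT|not-mounted".
classify_boot_mounts() {
    awk -F'"' -v want="$*" '
        { type[$2] = $4; parent[$2] = $8; if ($6 != "") dev[$6] = $2 }
        END {
            n = split(want, m, " ")
            for (i = 1; i <= n; i++) {
                mp = m[i]
                if (!(mp in dev)) { print mp " not-mounted"; continue }
                d = dev[mp]; verdict = "PLAINTEXT"
                while (d != "") {                 # walk up the device stack
                    if (type[d] == "crypt") { verdict = "encrypted"; break }
                    d = parent[d]
                }
                print mp " " verdict
            }
        }'
}

# EFI boot: hash every file under the (necessarily plaintext) EFI partition,
# e.g. /boot/efi. Keep the output somewhere the machine cannot rewrite it
# (removable media), which is the "extra step" the thread mentions.
first_stage_baseline() {        # usage: first_stage_baseline DIR > baseline.txt
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# Recompute and compare against the stored baseline. Comparing whole listings
# (not just `sha256sum -c`) also catches files that were added or removed.
first_stage_verify() {          # usage: first_stage_verify DIR baseline.txt
    first_stage_baseline "$1" | cmp -s - "$2"
}

# BIOS/legacy boot: the boot image is in the MBR and GRUB embeds core.img in
# the gap before the first partition. Assuming the common layout where that
# partition starts at sector 2048, hashing the first 2048 sectors of the disk
# (e.g. /dev/sda) covers both. A regular file works the same way for testing.
bios_first_stage_hash() {
    dd if="$1" bs=512 count=2048 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Demonstration on the constructed sample: prints
#   /boot/efi PLAINTEXT
#   /boot encrypted
#   / encrypted
sample_lsblk | classify_boot_mounts /boot/efi /boot /
```

On a real machine, feed it `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | classify_boot_mounts /boot/efi /boot /` and expect `/boot/efi PLAINTEXT` on any EFI system, whatever you do to /boot. The hash check only means something if it is run from a trusted path: a verifier launched by a boot loader that was itself tampered with can be lied to, so the baseline and the check belong on read-only or removable media, exactly as Pascal's first message says.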