
Re: Possible for full-disk encryption to encrypt /boot as well?

On Sat 26 May 2018 at 16:51:56 (+0000), Curt wrote:
> On 2018-05-26, Robert Dodier <robert.dodier@xxxxxxxxx> wrote:
> > On Sat, May 26, 2018 at 1:16 AM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:
> >
> >> I don't know how Symantec's "full" disk encryption works, but AFAIK a boot
> >> disk cannot be fully encrypted,
> >
> > Yes, this is an important question -- what, exactly, is provided by
> > Symantec here, so that I can look for something to do the same for
> > Linux. But not surprisingly I haven't been able to find a careful
> > description -- so far all I have found is some marketing material. I
> > will keep looking.
> 
> They seem to be saying the boot loader is decrypted prior to the point
> at which it begins execution (a "pre-boot environment" is installed that
> prompts the user for pass phrase, etc.)
> 
>  https://www.symantec.com/content/en/us/enterprise/white_papers/b-pgp_how_wholedisk_encryption_works_WP_21158817.en-us.pdf

which says:

  "A boot sequence executes during the startup process of Microsoft®
  Windows, Apple Mac OS X, or Linux® operating systems. The boot
  system is the initial set of operations that the computer performs
  when it is switched on. A boot loader (or a bootstrap loader) is a
  short computer program that loads the main operating system for the
  computer. The boot loader first looks at a boot record or partition
  table, which is the logical area “zero” (or starting point) of the
  disk drive.

  Whole disk encryption modifies the zero point area of the drive.
  A computer protected with Whole Disk Encryption presents a modified
  “pre-boot” environment (Figure 1) to the user."

To me, that implies that what they call the "boot[strap] loader" is
the unencrypted firmware, and that the "logical area “zero” (or
starting point)" is the MBR. It says that the MBR has been "modified",
but I don't see where it says that the boot loader has been, nor how
any of the early code can have been *encrypted* until enough has been
executed to read and act upon a passphrase.

Cheers,
David.
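The point David makes above (that the code in sector zero has to execute in plaintext before anything can prompt for a passphrase) is easy to confirm on a real disk by looking at what is actually stored there. The script below is an added example, not something posted in this thread or taken from Symantec's product: it parses a legacy MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compares the byte entropy of the boot-code region against a sector that looks like ciphertext. The sample MBR and the "encrypted" sector are constructed inline (a four-byte x86 stub padded with zeros, one Linux partition entry, a seeded PRNG standing in for ciphertext); the entropy threshold of 6.0 bits/byte is my own heuristic, not a standard. On a UEFI/GPT disk sector zero holds only a protective MBR (one entry of type 0xEE), so the partition details will differ, but the boot code region is still plaintext.

```python
import math
import random
import struct

SECTOR = 512
BOOTCODE_LEN = 446      # bytes 0..445: x86 boot code that the BIOS jumps to, in plaintext
PART_TABLE_OFF = 446    # four 16-byte partition entries follow the boot code
PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code and non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature; not a legacy MBR")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,      # 0x83 Linux, 0xEE GPT protective, ...
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {"boot_code": sector[:BOOTCODE_LEN], "partitions": partitions}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~0 for padded code, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def random_looking(data: bytes, threshold: float = 6.0) -> bool:
    """Heuristic (assumption): above the threshold the bytes look encrypted or compressed."""
    return shannon_entropy(data) > threshold

def build_sample_mbr() -> bytes:
    """Constructed sample MBR: cli; hlt; jmp back to hlt, then one bootable Linux partition."""
    stub = bytes([0xFA, 0xF4, 0xEB, 0xFD])           # cli; hlt; jmp short -3 (loops on hlt)
    boot_code = stub + bytes(BOOTCODE_LEN - len(stub))
    entry = struct.pack(PART_ENTRY, 0x80, b"\0\0\0", 0x83, b"\0\0\0", 2048, 204800)
    table = entry + bytes(16 * 3)                     # three empty slots
    return boot_code + table + BOOT_SIG

def sample_ciphertext_sector() -> bytes:
    """Constructed stand-in for a sector of an encrypted partition (seeded PRNG, not real crypto)."""
    rng = random.Random(7)
    return bytes(rng.getrandbits(8) for _ in range(SECTOR))

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02x} bootable={p['bootable']} "
              f"LBA {p['lba_start']} len {p['sectors']}")
    print(f"boot code entropy   : {shannon_entropy(info['boot_code']):.2f} bits/byte")
    print(f"encrypted-looking   : {shannon_entropy(sample_ciphertext_sector()):.2f} bits/byte")
```

To run it against a real drive, feed `parse_mbr()` the first sector (`dd if=/dev/sda bs=512 count=1`) and `random_looking()` a sector read from the `lba_start` of the LUKS partition: sector zero parses and scores low, the data partition scores high, which is exactly the split the white paper's "modified zero point area" describes.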