#1 2012-09-10 07:58:08

kajman
Member
Registered: 2011-06-18
Posts: 21

GRUB2 with full disk encryption (including /boot) using LUKS possible?

Hi,

I'm reinstalling my system to fully incorporate btrfs snapshotting possibilities, including kernel rollback. As far as I know, it is already possible to boot from grub2 without a separate /boot partition.

Unfortunately, all my attempts fail when I put LUKS (or LUKS + LVM) on my whole disk (excluding a 2MB GPT partition). I've tried a few possibilities (btrfs on LUKS, ext4 on LUKS, btrfs on LVM on LUKS), but they all failed with a message during grub-install:

'/boot/grub' is not readable by GRUB on boot

I've succeeded only when I've created a btrfs partition directly on /dev/sda2.

What am I doing wrong - is it even possible with LUKS? I've tried to find some answers, but there's very little info on this topic.

Cheers,
kajman

#2 2012-09-10 09:06:06

DSpider
Member
From: Romania
Registered: 2009-08-23
Posts: 2,273

Re: GRUB2 with full disk encryption (including /boot) using LUKS possible?

The /boot partition needs to be unencrypted. If you want "full" disk encryption (the BIOS isn't encrypted, lol), you will have to install a bootloader on a USB stick (call it USB "key", if you will) or on a CD/DVD, and set it up to chainload the one from the encrypted partition. Of course, if you lose this "key" or the disc gets too many scratches, you will end up with an unbootable machine and lose all your data. Make sure you have duplicates - and not "under-the-mat" lying around the computer, else it would defeat the purpose.

Last edited by DSpider (2012-09-10 09:25:07)


"How to Succeed with Linux"

I have made a personal commitment not to reply in topics that start with a lowercase letter. Proper grammar and punctuation is a sign of respect, and if you do not show any, you will NOT receive any help (at least not from me).

#3 2012-09-10 09:48:49

kajman
Member
Registered: 2011-06-18
Posts: 21

Re: GRUB2 with full disk encryption (including /boot) using LUKS possible?

I think it can be done. This guy apparently did it, as he describes in this (a little outdated) article:

http://xercestech.com/full-system-encry … linux.geek

I think it may be possible after putting some LUKS and LVM modules in core.img, which will be placed on the GPT partition, but the rest (kernel and so on) can be located in an encrypted /boot on the same partition as /.

I'm not sure how to do it though, because grub-install fails. Can a customized core.img help in installing grub?

Also, doing as you describe will defeat the main purpose of keeping /boot on the same partition as / with btrfs (full rollback possibilities).

Last edited by kajman (2012-09-10 09:50:21)
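Added example, not part of any post in this thread: a sketch of the inventory step behind the core.img idea above, listing which GRUB modules the storage stack under /boot implies. It assumes a GPT disk and a GRUB build that ships the cryptodisk and luks modules; the device names in the sample are constructed, and whether grub-install then succeeds is not settled here.

```shell
#!/bin/sh
# Added example: list the GRUB modules implied by the storage stack under /boot.
# Input on stdin: output of `lsblk -s -P -o NAME,TYPE,FSTYPE <device>`.
grub_modules_for_stack() {
    awk -F'"' '
        # Record each module once, in first-seen order.
        function need(m) {
            if (m in seen) return
            seen[m] = 1
            sep = (out == "") ? "" : " "
            out = out sep m
        }
        {
            type = $4; fs = $6
            if (fs == "btrfs") need("btrfs")
            if (fs == "ext4")  need("ext2")      # GRUB ext2 module reads ext2/3/4
            if (fs == "LVM2_member" || type == "lvm") need("lvm")
            if (fs == "crypto_LUKS") { need("cryptodisk"); need("luks") }
            if (type == "part") need("part_gpt") # assumption: GPT disk
        }
        END { print out }
    '
}

# Exit status 0 if any layer under /boot is a LUKS container.
boot_stack_is_encrypted() {
    grep -q 'FSTYPE="crypto_LUKS"'
}

# Constructed sample: btrfs on LVM on LUKS on /dev/sda2 (names are made up).
sample_stack() {
    cat <<'EOF'
NAME="vg0-root" TYPE="lvm" FSTYPE="btrfs"
NAME="cryptroot" TYPE="crypt" FSTYPE="LVM2_member"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS"
NAME="sda" TYPE="disk" FSTYPE=""
EOF
}

if sample_stack | boot_stack_is_encrypted; then
    echo "/boot sits on LUKS; core.img would need: $(sample_stack | grub_modules_for_stack)"
fi
```

On a live system, feed it the device reported by `findmnt -n -o SOURCE --target /boot` instead of the sample.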

#4 2012-09-11 11:59:19

kajman
Member
Registered: 2011-06-18
Posts: 21

Re: GRUB2 with full disk encryption (including /boot) using LUKS possible?

It's really hard for me to believe that I'm the only one wanting this - is it so unnecessary or so hard, that no one has experience with such a configuration?

Both full system encryption and full system (including kernel) rollback support are important features to have. So I don't get it.

If anyone has any experience or advice, I'll be very happy to get some suggestions or ideas. I'll post if I find anything on my own.