#1 2013-03-25 09:32:36

ZeroLinux
Member
Registered: 2011-10-07
Posts: 157

Linux Kernel EFISTUB + LUKS encryption / (root partition). Possible?

Is it possible to use Linux Kernel EFISTUB along with LUKS encryption of the root partition?


#2 2013-03-25 16:49:35

srs5694
Member
From: Woonsocket, RI
Registered: 2012-11-06
Posts: 719
Website

Re: Linux Kernel EFISTUB + LUKS encryption / (root partition). Possible?

In theory, yes. The kernel itself will have to be on an unencrypted filesystem, though, such as on the ESP or a separate unencrypted /boot partition. (The two could be one and the same.) That said, I've never tried such a configuration, so I can't guarantee that you won't run into a problem I don't know about.


#3 2013-03-25 17:04:19

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: Linux Kernel EFISTUB + LUKS encryption / (root partition). Possible?

In practice, yes. :)


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#4 2013-03-25 17:26:22

ZeroLinux
Member
Registered: 2011-10-07
Posts: 157

Re: Linux Kernel EFISTUB + LUKS encryption / (root partition). Possible?

What size ESP would you recommend (to fit a standard kernel and some extra space)? (I use the ESP for dual-boot with Win8.)

Last edited by ZeroLinux (2013-03-25 17:27:54)


#5 2013-03-25 17:55:22

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: Linux Kernel EFISTUB + LUKS encryption / (root partition). Possible?

For dual boot, I have no idea. I don't use Windows so I don't know how much space you need for that. I used 200MB for my ESP.


There is a good discussion here that includes stuff about necessary size:
https://bbs.archlinux.org/viewtopic.php … 6#p1241016




#6 2013-03-26 01:06:29

srs5694
Member
From: Woonsocket, RI
Registered: 2012-11-06
Posts: 719
Website

Re: Linux Kernel EFISTUB + LUKS encryption / (root partition). Possible?

Most boot loaders and boot managers are quite small -- a few KiB to a couple of MiB. If you're putting your Linux kernels on the ESP, they'll consume the lion's share of the space.

Some people have reported problems with sub-512MiB FAT32 filesystems on EFI-based computers. The EFI spec is explicit in saying that the ESP should be FAT32, although as a practical matter FAT16 usually works. To play it safe, therefore, it seems that the ESP should be 512MiB or larger and FAT32.


#7 2013-03-26 02:54:54

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,140

Re: Linux Kernel EFISTUB + LUKS encryption / (root partition). Possible?

In practice, also yes.

Except right now, it doesn't work for me. But that has nothing to do with the combination with LUKS.


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#8 2013-03-27 04:14:54

ZeroLinux
Member
Registered: 2011-10-07
Posts: 157

Re: Linux Kernel EFISTUB + LUKS encryption / (root partition). Possible?

Do I need an additional, separate, unencrypted partition for /boot in addition to the ESP (FAT32) partition (for the ESP to be mounted correctly at /boot/EFI during boot)?


#9 2013-03-27 04:33:30

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Linux Kernel EFISTUB + LUKS encryption / (root partition). Possible?

If you are okay with keeping your kernels and initrds on the ESP, which is required with efistub unless you are using refind, then you can use the ESP as your /boot. Even if you have a separate /boot, or just mount the ESP at /boot/efi, that is still not necessary as long as the files needed by the bootloader are available to it.

Think of it this way. You need an area that is not encrypted for the bootloader/firmware to find the kernel (at least), right? This is so the kernel can be loaded. Then you have to have the necessary modules and startup scripts to be able to a) read the block devices, b) decrypt the device and c) read the filesystem in order to run /sbin/init. This is what the initrd does. So those are the things you need to be available to the bootloader (and in this case the kernel is the bootloader) in order to boot an encrypted partition.

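The layout WonderWoofy describes above (unencrypted ESP holding kernel and initramfs, initramfs carrying the tooling to open the LUKS container, kernel acting as its own bootloader) can be turned into a concrete EFISTUB entry. The script below is an added example written for this thread, not code posted by anyone in it. It assumes an Arch-style setup, all of which is hypothetical and should be adjusted: the ESP mounted at /boot as partition 1 of /dev/sda, files named vmlinuz-linux and initramfs-linux.img, mkinitcpio with the `encrypt` hook, the container opened as /dev/mapper/cryptroot, and a placeholder LUKS UUID. It only writes NVRAM when run with APPLY=1; otherwise it prints the efibootmgr command for review. The sanity checks (FAT filesystem, cryptsetup and encrypt hook present in the initramfs) are the failure modes the post warns about: without them the firmware either cannot read the kernel or the kernel boots but cannot open the root device.

```shell
#!/bin/sh
# Added example, not code from the thread. Composes and sanity-checks an
# EFISTUB boot entry for a LUKS-encrypted root whose kernel and initramfs
# sit on the unencrypted ESP, mounted as /boot.
# Assumptions (hypothetical, adjust for your system): Arch file names
# vmlinuz-linux / initramfs-linux.img, mkinitcpio with the `encrypt` hook,
# the container opened as /dev/mapper/cryptroot, ESP = partition 1 of
# /dev/sda. NVRAM is only written when APPLY=1.
set -eu

# The firmware must be able to read the filesystem holding the kernel, and
# the EFI spec calls for FAT. Takes the fstype string (as printed by
# `findmnt -no FSTYPE /boot`) so it can also be checked on sample values.
esp_fstype_ok() {
    case "$1" in
        vfat|msdos) return 0 ;;
        *) return 1 ;;
    esac
}

# The initramfs must carry the pieces the post lists: the cryptsetup
# binary and the runtime hook that runs it (the hook also pulls in the
# dm-crypt module). Takes a file listing as one string, e.g. the output of
# `lsinitcpio /boot/initramfs-linux.img`.
initramfs_can_decrypt() {
    listing=$1
    printf '%s\n' "$listing" | grep -q 'usr/bin/cryptsetup' || return 1
    printf '%s\n' "$listing" | grep -q 'hooks/encrypt'      || return 1
}

# Kernel command line the stub passes on: the encrypt hook reads
# cryptdevice=UUID=<luks-uuid>:<name>, opens the container as
# /dev/mapper/<name>, and root= names that mapped device. The initrd=
# path is relative to the ESP root and uses a backslash.
build_cmdline() {
    luks_uuid=$1; mapper=$2; initrd=$3
    printf 'cryptdevice=UUID=%s:%s root=/dev/mapper/%s rw initrd=\\%s' \
        "$luks_uuid" "$mapper" "$mapper" "$initrd"
}

# efibootmgr -c creates the entry; -d/-p select the ESP, -l is the kernel
# path on the ESP (backslash-separated), -u is the command line above.
build_efibootmgr_cmd() {
    disk=$1; part=$2; label=$3; kernel=$4; cmdline=$5
    printf 'efibootmgr -c -d %s -p %s -L "%s" -l "\\%s" -u "%s"' \
        "$disk" "$part" "$label" "$kernel" "$cmdline"
}

# Constructed sample listing of a working initramfs (not from a real image).
SAMPLE_LISTING='hooks/encrypt
hooks/udev
usr/bin/cryptsetup
usr/lib/modules/kernel/drivers/md/dm-crypt.ko'

main() {
    # Placeholder UUID; override with LUKS_UUID=$(cryptsetup luksUUID /dev/sdaN).
    luks_uuid=${LUKS_UUID:-0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}
    cmdline=$(build_cmdline "$luks_uuid" cryptroot initramfs-linux.img)
    cmd=$(build_efibootmgr_cmd /dev/sda 1 "Arch Linux" vmlinuz-linux "$cmdline")
    if [ "${APPLY:-0}" = 1 ]; then
        esp_fstype_ok "$(findmnt -no FSTYPE /boot)" \
            || { echo "/boot is not a FAT filesystem" >&2; exit 1; }
        initramfs_can_decrypt "$(lsinitcpio /boot/initramfs-linux.img)" \
            || { echo "initramfs lacks cryptsetup or the encrypt hook" >&2; exit 1; }
        [ -f /boot/vmlinuz-linux ] || { echo "kernel not found on ESP" >&2; exit 1; }
        eval "$cmd"
    else
        echo "dry run (set APPLY=1 to write the boot entry):"
        echo "$cmd"
    fi
}
main
```

Run it once without APPLY to read the generated entry, then with APPLY=1 as root after mkinitcpio has been rebuilt with the encrypt hook; if the initramfs check fails, the firmware would still load the kernel but it would stop at the root device, which is exactly the "needs modules and scripts to decrypt" step from the post.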
