
#1 2016-05-04 01:57:46

Theaigcaman
Member
Registered: 2016-02-25
Posts: 11

Encrypted /boot directory on UEFI boot

Is it possible to encrypt the whole system similar to this: Full disk encryption with LUKS (including /boot) on a UEFI system? And of course, because it is UEFI, you would need a separate /boot partition, so I guess the real question is: are there UEFI bootloaders that will decrypt the /boot partition?

Last edited by Theaigcaman (2016-05-04 02:00:13)


#2 2016-05-04 07:06:26

aliena
Member
Registered: 2015-10-09
Posts: 29

Re: Encrypted /boot directory on UEFI boot

That does not quite match your question, but my setup is an encrypted root and a single EFI file containing the kernel, initramfs and cmdline. That file decrypts the rest of the system on boot. But some very first file must be present unencrypted, otherwise there's no way to decrypt.

Have a look at https://wiki.archlinux.org/index.php/EF … ng_EFISTUB for how to set it up. And to generate a self-contained kernel google for objcopy doing that.

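The single-EFI-file setup aliena describes, as an added example (this is not code from the thread or from the Arch wiki page linked above): a POSIX shell script that composes the kernel command line with the `cryptdevice=` parameter the Arch `encrypt` mkinitcpio hook reads, then glues kernel, initramfs, cmdline and os-release onto systemd's EFI stub with objcopy. The stub path `/usr/lib/systemd/boot/efi/linuxx64.efi.stub`, the mapper name `cryptroot`, the ESP mounted at `/efi` and the section VMAs are assumptions taken from the common EFISTUB recipe; the device names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds one EFI executable that bundles
# kernel + initramfs + cmdline, so the only unencrypted file on the ESP is
# the bootable image itself (which can additionally be Secure Boot signed).
# Assumed paths: systemd-boot's stub at /usr/lib/systemd/boot/efi/linuxx64.efi.stub,
# Arch's "encrypt" mkinitcpio hook, ESP at /efi.

# Compose the command line that gets baked into the image. Because it lives
# inside the EFI binary rather than in an editable loader entry on the ESP,
# the root-device reference goes wherever the image's integrity goes.
build_cmdline() {
    luks_uuid=$1                # UUID of the LUKS container (blkid -s UUID -o value <dev>)
    mapper_name=${2:-cryptroot} # name the encrypt hook gives the opened volume
    printf 'cryptdevice=UUID=%s:%s root=/dev/mapper/%s rw quiet\n' \
        "$luks_uuid" "$mapper_name" "$mapper_name"
}

# Attach the pieces to the stub as PE sections. The VMAs are the conventional
# offsets used by the EFISTUB recipe; the stub reads the sections by name.
build_unified_image() {
    kernel=$1 initrd=$2 cmdline_file=$3 output=$4
    stub=${5:-/usr/lib/systemd/boot/efi/linuxx64.efi.stub}
    for f in "$kernel" "$initrd" "$cmdline_file" "$stub" /etc/os-release; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    command -v objcopy >/dev/null 2>&1 || { echo "objcopy not found" >&2; return 1; }
    objcopy \
        --add-section .osrel=/etc/os-release    --change-section-vma .osrel=0x20000 \
        --add-section .cmdline="$cmdline_file"  --change-section-vma .cmdline=0x30000 \
        --add-section .linux="$kernel"          --change-section-vma .linux=0x2000000 \
        --add-section .initrd="$initrd"         --change-section-vma .initrd=0x3000000 \
        "$stub" "$output"
}

# Typical use on the real machine, as root (placeholder device names; not run here):
#   build_cmdline "$(blkid -s UUID -o value /dev/nvme0n1p2)" > /tmp/cmdline.txt
#   build_unified_image /boot/vmlinuz-linux /boot/initramfs-linux.img \
#       /tmp/cmdline.txt /efi/EFI/Linux/arch.efi
#   efibootmgr --create --disk /dev/nvme0n1 --part 1 \
#       --label "Arch" --loader '\EFI\Linux\arch.efi'
```

The image has to be rebuilt on every kernel or initramfs update, so in practice the two calls go into a pacman hook or a small script run after `mkinitcpio`. If Secure Boot is enabled, signing this one file with your own key (sbsign) is what turns "the unencrypted part is minimal" into "the unencrypted part is verified".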

#3 2016-05-04 07:22:11

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,461

Re: Encrypted /boot directory on UEFI boot

Why would you need a separate /boot partition? You need a separate ESP, but it can be mounted wherever. You can use GRUB, which will be able to decrypt whatever partition the kernel and initramfs are on.


#4 2016-05-04 11:36:53

seiichiro0185
Member
From: Leipzig/Germany
Registered: 2009-04-09
Posts: 226

Re: Encrypted /boot directory on UEFI boot

The setup on the page you (the OP) posted is also possible with UEFI, since GRUB can be booted with UEFI. You will need an unencrypted ESP for the first stage of GRUB, but can place kernel and initramfs on an encrypted partition (be it a separate /boot or directly on /). I have a setup like this running on my laptop @home (with the addition of ZFS on the encrypted partition).

Last edited by seiichiro0185 (2016-05-04 11:37:32)


My System: Dell XPS 13 | i7-7560U | 16GB RAM | 512GB SSD | FHD Screen | Arch Linux
My Workstation/Server: Supermicro X11SSZ-F | Xeon E3-1245 v6 | 64GB RAM | 1TB SSD Raid 1 + 6TB HDD ZFS Raid Z1 | Proxmox VE
My Stuff at Github: github
My Homepage: Seiichiros HP

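The GRUB-on-UEFI layout Scimmia and seiichiro0185 describe, as an added example (not code from the thread): a POSIX shell script that checks the two settings the setup hinges on, `GRUB_ENABLE_CRYPTODISK=y` in `/etc/default/grub` (so the first-stage `grubx64.efi` on the ESP carries the LUKS modules) and the `encrypt` hook placed before `filesystems` in `/etc/mkinitcpio.conf` (so the initramfs can unlock root after GRUB hands off). File paths, the ESP mount point `/efi`, the mapper name `cryptroot` and the device names in the reference procedure are assumptions; the sample config lines are constructed for the test.

```shell
#!/bin/sh
# Added example, not from the thread. Validates the two settings an
# encrypted-/boot GRUB install on UEFI depends on. Assumed: Arch's mkinitcpio
# with the "encrypt" hook, /etc/default/grub, ESP mounted at /efi.

# GRUB's first stage can only open LUKS volumes if the cryptodisk modules were
# built into the image; grub-install reads this variable when it builds it.
grub_cryptodisk_enabled() {
    grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=y' "$1"
}

# GRUB only reads the kernel and initramfs out of the encrypted volume; the
# initramfs has to unlock root again itself, so "encrypt" must come before
# "filesystems" in the HOOKS array.
hooks_order_ok() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))$/\1/p' "$1")
    enc=0; i=0
    for h in $hooks; do
        i=$((i+1))
        case $h in
            encrypt)     enc=$i ;;
            filesystems) [ "$enc" -gt 0 ] && return 0 || return 1 ;;
        esac
    done
    return 1   # no filesystems hook at all: misconfigured
}

# Run both checks; non-zero exit means the next grub-install/mkinitcpio would
# produce a boot chain that cannot open the volume.
check_config() {
    grub_cryptodisk_enabled "$1" || { echo "GRUB_ENABLE_CRYPTODISK=y missing in $1" >&2; return 1; }
    hooks_order_ok "$2"          || { echo "encrypt hook must precede filesystems in $2" >&2; return 1; }
}

# Reference procedure (root, placeholder devices; not executed here):
#   cryptsetup luksFormat --pbkdf pbkdf2 /dev/nvme0n1p2   # GRUB 2.06 opens LUKS2 only with PBKDF2
#   cryptsetup open /dev/nvme0n1p2 cryptroot
#   mkfs.ext4 /dev/mapper/cryptroot        # /boot is a directory inside, no extra partition
#   mount /dev/mapper/cryptroot /mnt && mkdir /mnt/efi && mount /dev/nvme0n1p1 /mnt/efi
#   (in /etc/default/grub:)
#   GRUB_ENABLE_CRYPTODISK=y
#   GRUB_CMDLINE_LINUX="cryptdevice=UUID=<luks-uuid>:cryptroot root=/dev/mapper/cryptroot"
#   check_config /etc/default/grub /etc/mkinitcpio.conf
#   mkinitcpio -P
#   grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
#   grub-mkconfig -o /boot/grub/grub.cfg
```

Two practical caveats with this layout: the passphrase is asked twice (once by GRUB, once by the initramfs) unless a keyfile is embedded in the initramfs via `FILES=(...)` and referenced with `cryptkey=`, in which case the initramfs itself must stay inside the encrypted volume with restrictive permissions; and the unencrypted `grubx64.efi` on the ESP is still the part an attacker with disk access can swap, so Secure Boot with your own keys, or at least a firmware password, is what protects that first stage.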

#5 2016-05-10 01:30:56

wba072
Member
Registered: 2010-11-11
Posts: 33

Re: Encrypted /boot directory on UEFI boot

In addition to what everyone's said, be sure to check out this page if you haven't:

https://wiki.archlinux.org/index.php/Dm … m#Overview

The last example may be what you want (exclude the btrfs-specific parts if you are not using that file system).

