You are not logged in.
- Topics: Active | Unanswered
Pages: 1
#1 2016-05-04 01:57:46
- Theaigcaman
- Member
- Registered: 2016-02-25
- Posts: 11
Encrypted /boot directory on UEFI boot
is it possible to encrypt the whole system similar to this: Full disk encryption with LUKS (including /boot) on a UEFI system? And of course, because it is UEFI, you would need a separate /boot partition, so I guess the real question is are there UEFI bootloaders that will decrypt the /boot partition?
Last edited by Theaigcaman (2016-05-04 02:00:13)
Offline
#2 2016-05-04 07:06:26
- aliena
- Member
- Registered: 2015-10-09
- Posts: 29
Re: Encrypted /boot directory on UEFI boot
That does not quite match your question, but my setup is an encrypted root and a single efi file containing the kernel, initramfs and cmdline. That file decrypts the rest of the system on boot. But some very first file must be present unencrypted, otherwise there's no way to decrypt 
Have a look at https://wiki.archlinux.org/index.php/EF … ng_EFISTUB for how to set it up. And to generate a self-contained kernel google for objcopy doing that.
Offline
#3 2016-05-04 07:22:11
- Scimmia
- Fellow
- Registered: 2012-09-01
- Posts: 12,418
Re: Encrypted /boot directory on UEFI boot
Why would you need a separate /boot partition? You need a separate ESP, but it can be mounted wherever. You can use GRUB, which will be able to decrypt whatever partition the kernel an initramfs are on.
Offline
#4 2016-05-04 11:36:53
- seiichiro0185
- Member
- From: Leipzig/Germany
- Registered: 2009-04-09
- Posts: 226
- Website
Re: Encrypted /boot directory on UEFI boot
The setup on the page you (the OP) posted is also possible with UEFI, since grub can be booted with UEFI. you will need an unencrypted ESP for the first stage of GRUB, but can place kernel and initramfs on an encrypted partition (be it a separate /boot or directly on /) I have a setup like this running on my laptop @home (with the addition of ZFS on the encrypted partition).
Last edited by seiichiro0185 (2016-05-04 11:37:32)
My System: Dell XPS 13 | i7-7560U | 16GB RAM | 512GB SSD | FHD Screen | Arch Linux
My Workstation/Server: Supermicro X11SSZ-F | Xeon E3-1245 v6 | 64GB RAM | 1TB SSD Raid 1 + 6TB HDD ZFS Raid Z1 | Proxmox VE
My Stuff at Github: github
My Homepage: Seiichiros HP
Offline
#5 2016-05-10 01:30:56
- wba072
- Member
- Registered: 2010-11-11
- Posts: 33
Re: Encrypted /boot directory on UEFI boot
In addition to what everyone's said, be sure to check out this page if you haven't:
https://wiki.archlinux.org/index.php/Dm … m#Overview
The last example may be what you want (exclude the btrfs-specific parts if you are not using that file system).
Offline
Pages: 1