#1 2017-12-24 14:06:26

rcorre
Member
Registered: 2015-11-27
Posts: 65

[SOLVED] Single passphrase input for encrypted boot with grub and EFI

I've followed all the sections to set up an Encrypted boot partition.

I have to input my passphrase twice during boot: once for GRUB, and once to decrypt /dev/nvme0n1p3 (my root partition). How can I configure my system so I only need to input it once?

I've followed the section on Configuring fstab and crypttab to set up a keyfile for /boot, yet it mentions nothing about automatically decrypting your root. Do I need a second keyfile, stored in /boot, so GRUB can unlock /? I think I must be misunderstanding how this is supposed to work.

Here's my partition layout:

- nvme0n1
    - nvme0n1p1             /boot/efi
    - nvme0n1p2
        - cryptboot         /boot
    - nvme0n1p3
        - lvm
            - rootvol-swap  [SWAP]
            - rootvol-root  /

/etc/crypttab

cryptboot /dev/nvme0n1p2 /etc/bootkeyfile luks

/etc/fstab (last two columns omitted because I'm copying manually)

UUID=[uuid of /dev/mapper/rootvol-root] / ext4
UUID=[uuid of /dev/mapper/cryptboot] /boot ext2
UUID=[uuid of /dev/nvme0n1p1] /boot/efi vfat
UUID=[uuid of /dev/mapper/rootvol-swap] none swap

/etc/default/grub

...
GRUB_CMDLINE_LINUX="cryptdevice=UUID=[uuid of /dev/mapper/rootvol-root]:lvm"
GRUB_ENABLE_CRYPTODISK=y
...

Also, if you don't mind my asking a side question, the aforementioned wiki section ends with this "optional post-installation step":

If you want to encrypt the /boot partition to protect against offline tampering threats, the mkinitcpio-chkcryptoboot hook has been contributed to help.

Wasn't the whole point of all the steps I just followed to do exactly that?

Last edited by rcorre (2017-12-25 13:22:48)

#2 2017-12-24 14:27:29

frostschutz
Member
Registered: 2013-11-15
Posts: 1,418

Re: [SOLVED] Single passphrase input for encrypted boot with grub and EFI

You would need a keyfile for / in your initramfs. That way, GRUB decrypts the /boot partition (using the passphrase you provide), loads kernel and initramfs from the boot partition. The kernel boots, unpacks the initramfs, and at this time GRUB is gone, so whatever knowledge GRUB had about decryption is gone too, i.e. /boot is locked at this point. There is only the kernel and the initramfs, nothing else, so your keyfile has to be already part of the initramfs, or you have to type another passphrase.

As for how to get the keyfile into the initramfs, that's on the wiki page you linked as well ("""In order for GRUB to open the LUKS partition without having the user enter his passphrase twice, we will use a keyfile embedded in the initramfs.""") I have not tested it myself.

This is my personal opinion, but in regards to offline tampering, encrypting /boot is more obfuscation than real security improvement. If someone is able to tamper with your /boot, they're likely also able to tamper with your GRUB. And either way is vulnerable to a $5 keylogger, so no tampering required in the first place.

My /boot is an (unencrypted) USB stick, with encrypted keyfile in initramfs, so the passphrase I type has no relation whatsoever to the passphrase needed to unlock my partitions. You can pull the USB stick as soon as the kernel starts booting. With /boot physically removed how do you tamper with it? You'd not only need a keylogger but also a device that logs all USB traffic / copies the entire stick.

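
As an added illustration of the mechanism described in the reply above (this is not code from the thread or from the Arch wiki), the following Python checker reads the three config fragments involved and predicts how many passphrase prompts a boot will produce, before and after a keyfile is embedded in the initramfs. It assumes the Arch `encrypt` hook's `cryptkey=rootfs:<path>` syntax with the keyfile copied in through mkinitcpio's `FILES=(...)` array; the `/crypto_keyfile.bin` name and the UUIDs are placeholders.

```python
import shlex

# Constructed config fragments modelled on the thread; UUIDs are placeholders.
GRUB_DEFAULT_BEFORE = '''
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<luks-uuid>:lvm"
GRUB_ENABLE_CRYPTODISK=y
'''
# After the fix: the encrypt hook is told to read a keyfile out of the initramfs.
GRUB_DEFAULT_AFTER = '''
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<luks-uuid>:lvm cryptkey=rootfs:/crypto_keyfile.bin"
GRUB_ENABLE_CRYPTODISK=y
'''
MKINITCPIO_BEFORE = "HOOKS=(base udev autodetect keyboard modconf block encrypt lvm2 filesystems fsck)\n"
MKINITCPIO_AFTER = MKINITCPIO_BEFORE + "FILES=(/crypto_keyfile.bin)\n"  # embeds the key
CRYPTTAB = "cryptboot /dev/nvme0n1p2 /etc/bootkeyfile luks\n"

def shell_vars(text):
    """Parse simple KEY=value lines into a dict, dropping quotes and array parens."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            out[key.strip()] = val.strip().strip("\"'").strip("()")
    return out

def predict_prompts(grub_default, mkinitcpio_conf, crypttab):
    """List the passphrase prompts this configuration produces during boot."""
    prompts = []
    grub = shell_vars(grub_default)
    if grub.get("GRUB_ENABLE_CRYPTODISK") == "y":
        prompts.append("GRUB: unlock encrypted /boot")  # GRUB has no keyfile, always asks
    cmdline = dict(p.partition("=")[::2] for p in shlex.split(grub.get("GRUB_CMDLINE_LINUX", "")))
    if "cryptdevice" in cmdline:
        key = cmdline.get("cryptkey", "")
        embedded = shell_vars(mkinitcpio_conf).get("FILES", "").split()
        # The prompt is skipped only if cryptkey=rootfs:<path> names a file that FILES=(...) embedded.
        if not (key.startswith("rootfs:") and key[len("rootfs:"):] in embedded):
            prompts.append("initramfs: unlock " + cmdline["cryptdevice"])
    for line in crypttab.splitlines():
        fields = line.split()
        if fields and not line.startswith("#"):
            keyfile = fields[2] if len(fields) > 2 else "none"
            if keyfile in ("none", "-"):
                prompts.append("crypttab: unlock " + fields[0])
    return prompts

def embedded_keyfile_safe(keyfile_mode, initramfs_mode):
    """An embedded keyfile is only as private as the initramfs carrying it: both must be root-only."""
    return keyfile_mode & 0o077 == 0 and initramfs_mode & 0o077 == 0
```

Running `predict_prompts` on the "before" fragments yields two prompts (GRUB, then the initramfs), and on the "after" fragments only the GRUB one, which is the behaviour the thread arrives at.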
#3 2017-12-24 16:40:03

rcorre
Member
Registered: 2015-11-27
Posts: 65

Re: [SOLVED] Single passphrase input for encrypted boot with grub and EFI

As for how to get the keyfile into the initramfs, that's on the wiki page you linked as well ("""In order for GRUB to open the LUKS partition without having the user enter his passphrase twice, we will use a keyfile embedded in the initramfs.""")

That's from section 8 (Btrfs subvolumes with swap). I was attempting section 7 (Encrypted boot partition (GRUB)). The way the article reads, it sounds like each section is a separate approach. Nonetheless, it does sound right ... should that be part of section 7 as well? Section 7 has a "Configuring mkinitcpio" section but it only mentions hooks, nothing about an embedded keyfile.

This is my personal opinion, but in regards to offline tampering, encrypting /boot is more obfuscation than real security improvement. If someone is able to tamper with your /boot, they're likely also able to tamper with your GRUB

I was hoping that encrypting /boot would prevent tampering. Sure, someone could replace /boot entirely, but then it wouldn't have the keyfile to open my root partition, and I'd at least have a hint that something is awry.

Anyways, thanks for the input! Right now I'm between trying to set up an initramfs-embedded keyfile or just going the simpler route of an encrypted / and unencrypted /boot, if encrypting the latter really offers only the illusion of security.

#4 2017-12-25 13:22:14

rcorre
Member
Registered: 2015-11-27
Posts: 65

Re: [SOLVED] Single passphrase input for encrypted boot with grub and EFI

Yup, turns out a keyfile embedded in the initramfs was the answer. Thanks!
