Arch Linux

SimonT

Member

Registered: 2015-01-26

Posts: 18

Reverting from encrypted /boot (or speeding up booting)

Hey guys! I recently did a fresh install and decided to encrypt my /boot as described in the wiki. I figured it would be an easy way to get some extra security (more encryption = more security). However, it makes my bootup time slower so now I want to go back to having unencrypted /boot. People have asked in the forum  before about speeding up the boot process with this setup (e.g. here and here) but it means lowering the iteration count of the key, which has a cost for security. I'm figuring that if I have to yield security somewhere to gain security somewhere else, there's not much point with this setup. Besides, as I've understood it, encrypted /boot is just supposed to stop someone from tampering with your bootloader when they already have your computer in their hands but in that case you're screwed regardless (Law #3).

So I'd like to go back to just having the rest of the system encrypted. I use this computer daily so my question is: how can I minimize the risk of breaking my system?

This is how I plan to do it:

Comment out "GRUB_ENABLE_CRYPTODISK=y" in /etc/default/grub .

Delete my key-file:

rm -rf /crypto_keyfile.bin

Reformat the partition that has /boot:

mkfs.ext4 /dev/nvme0n1p3

Then I simply do:

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=arch_grub --recheck

and

grub-mkconfig -o /boot/grub/grub.cfg

I'm guessing it is a bad idea to try to do this while the partition is mounted so I'll simply remove it from crypttab and then format it after reboot. Or do I have to do all of this from a live-usb using arch-chroot?

Am I missing something else? Do I need to regenerate fstab?

Last edited by SimonT (2018-04-22 11:53:47)

teateawhy

Member

From: GER

Registered: 2012-03-05

Posts: 1,138

Website

Re: Reverting from encrypted /boot (or speeding up booting)

There are usually other files on the /boot directory such as the kernel, you want to back them up and restore them. Just check whatever is there with ls then back it up.

doskoi

Member

Registered: 2016-04-10

Posts: 21

Re: Reverting from encrypted /boot (or speeding up booting)

Don't do it :p
You can make your boot time as fast as the iteration time of your master password without compromising security.
I suppose you have a LUKS slot containing a keyfile (e.g. stored in /crypto_keyfile.bin) to avoid entering your password twice on boot. But you don't need iteration if this keyfile is for example 4096 bits long.

Whenever a passphrase is added to a LUKS header (luksAddKey, luksFormat), the user may specify how much the time the passphrase processing should consume. The time is used to determine the iteration count for PBKDF2 and higher times will offer better protection for low-entropy passphrases, but open will take longer to complete. For passphrases that have entropy higher than the used key length, higher iteration times will not increase security.

Just put this keyfile with 1 ms iteration time (the minimum) in slot 0, then your password with X seconds iteration time in slot 1. When you'll enter your password on GRUB pre-menu prompt, it will test slot 0 and fail immediately, then it will take X seconds to unlock your /boot partition using slot 1. And after, when unlocking your root partition, it will use /crypto_keyfile.bin and slot 0 to unlock it instantly.

SimonT

Member

Registered: 2015-01-26

Posts: 18

Re: Reverting from encrypted /boot (or speeding up booting)

Thank you both for your answers. doskoi's suggestion looks really promising. I will try it and let you know how it goes!

SimonT

Member

Registered: 2015-01-26

Posts: 18

Re: Reverting from encrypted /boot (or speeding up booting)

It worked pretty well. On fresh install, bootup would take 56 second according to systemd-analyze. After having looked into the slow bootup time a little bit I found out that key slots are tried in order so I edited crypttab to go straight to the right key slot when unlocking /boot. That saved me a few seconds. systemd-analyze then showed a bootup time of 48.5 seconds. Following doskoi's advice, I have now got it down to 38.5 seconds. It's not slow but I feel like not everything is optimized. When I try opening either partition with their respective key files they unlock immediately. I tested the time to unlock /boot with passphrase while my computer was up and running and it took 2-3 seconds.

Two interesting things:

1. It seems that I'm using luks2 for the /-partition. luksDump doesn't show number of iterations but instead shows "Time cost" for this partition. I used the --iter-time parameter when changing the keys. I'm guessing it worked as it should since unlocking was so fast in practice when trying it from the running system.

2. The only part of the systemd-analyze that significantly improved after following doskoi's suggestion was the time spent with kernel. It went from 11 to 2 seconds. Time spent with loader remained the same at 28 seconds. Time spent in userspace also improved slightly, going from 3.6 to 2.3 seconds.

Last edited by SimonT (2018-04-21 21:08:53)