I've read the following articles: Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB) and GRUB#Encrypted_/boot, but still do not understand how to encrypt the boot partition.
As I understand it, maybe not correctly, the wiki considers the case where /boot is kept in the same partition as /root. However, I (want to) have the following partition table:
NAME             MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
vda              254:0    0   30G  0 disk
vda1             254:1    0   32M  0 part
vda2             254:2    0    1G  0 part  /boot
vda3             254:3    0 28.9G  0 part
cryptlvm         253:0    0 28.9G  0 crypt
VolumeGroup-swap 253:1    0    2G  0 lvm   [SWAP]
VolumeGroup-root 253:2    0   10G  0 lvm   /
VolumeGroup-home 253:3    0   16G  0 lvm   /home
And
Disk /dev/vda: 30 GiB, 32212254720 bytes, 62914560 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: DB041119-140C-4417-A9B3-9842660890EA
Device       Start      End  Sectors  Size Type
/dev/vda1     2048   264191   262144   32M BIOS boot
/dev/vda2   264192  2361343  2097152    1G EFI System
/dev/vda3  2361344 62912511 60551168 28.9G Linux filesystem
First of all, what is partition /dev/vda1 for? Is it for storing the bootloader (GRUB) directly?
Secondly, can I encrypt the /boot partition after the system is installed?
Thirdly, but mainly, how do I do it? Is it done the same way as with the /root partition? Or is a special approach needed?
I tried the following scheme (after installing the system):
cryptsetup luksFormat /dev/vda2
cryptsetup open /dev/vda2 cryptboot
pvcreate /dev/mapper/cryptboot
vgcreate BootVol /dev/mapper/cryptboot
lvcreate -l 100%FREE BootVol -n boot
mkfs.ext4 /dev/BootVol/boot
mount --mkdir /dev/BootVol/boot /boot
grub-install /dev/vda
grub-mkconfig -o /boot/grub/grub.cfg
pacman -S linux
mkinitcpio -P
# Added
# cryptdevice=UUID=*device-UUID*:cryptboot boot=/dev/BootVol/boot
# to /etc/default/grub to GRUB_CMDLINE_LINUX_DEFAULT
grub-install /dev/vda
grub-mkconfig -o /boot/grub/grub.cfg
genfstab / > /etc/fstab
But it does not work, after loading GRUB cannot load something...
P.S. The /root partition encryption works great.
P.P.S. I have BIOS
Last edited by Anykeyer (2024-04-02 15:52:08)
Offline
> However I (want) have following partition table:
Why?
Offline
> Why?
Do you mean that having /boot in the same partition as /root is better in this case?
Offline
When you boot a livecd/usb and run "ls /sys/firmware/efi/efivars", does it output efi variables or is this an mbr system? Assuming /dev/vda because this is a virtual machine? If you didn't specify efi in the virtualization software it is probably an mbr/bios system, in which case you should not need any efi stuff as far as I know. You can have a separate /boot partition if you want to, it doesn't really matter (I don't use one). According to the wiki the grub install for mbr should be:
grub-install --target=i386-pc /dev/sdX
Where, in your case /dev/vda would be used. See here for mbr:
https://wiki.archlinux.org/title/GRUB#M … structions
This could be what is messing you up. If I remember correctly all you need for mbr is mbr -> cryptroot (at least this used to be the case, been a long time).
Offline
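The firmware check and BIOS-mode install command from the reply above, applied to the fdisk rows from the first post, as an added example that is not part of the thread. It shows that on a GPT disk booted through BIOS, GRUB embeds its core image in the `BIOS boot` partition (here /dev/vda1). The function names, the `SYSFS_ROOT` argument and the `/efi` ESP default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. FDISK_ROWS copies the partition rows
# of the `fdisk -l` output in the first post.
FDISK_ROWS='/dev/vda1 2048 264191 262144 32M BIOS boot
/dev/vda2 264192 2361343 2097152 1G EFI System
/dev/vda3 2361344 62912511 60551168 28.9G Linux filesystem'

# firmware_mode [SYSFS_ROOT]: "uefi" if efivars is exposed, otherwise "bios".
# SYSFS_ROOT (default /sys) is a hypothetical parameter so the check can be
# exercised against a scratch directory.
firmware_mode() {
    if [ -d "${1:-/sys}/firmware/efi/efivars" ]; then echo uefi; else echo bios; fi
}

# bios_boot_part ROWS: device whose GPT type column reads "BIOS boot".
bios_boot_part() {
    printf '%s\n' "$1" | awk '$6 == "BIOS" && $7 == "boot" { print $1; exit }'
}

# grub_install_cmd MODE LABEL DISK ROWS [ESP]: print the grub-install command
# for this firmware mode, or fail when a BIOS/GPT disk has nowhere to embed
# GRUB's core image.
grub_install_cmd() {
    mode=$1; label=$2; disk=$3; rows=$4
    esp=${5:-/efi}   # assumed ESP mount point, only used in UEFI mode
    case $mode in
        bios)
            if [ "$label" = gpt ] && [ -z "$(bios_boot_part "$rows")" ]; then
                echo "no BIOS boot partition on GPT disk $disk" >&2
                return 1
            fi
            echo "grub-install --target=i386-pc $disk" ;;
        uefi)
            echo "grub-install --target=x86_64-efi --efi-directory=$esp --bootloader-id=GRUB" ;;
        *)
            echo "unknown firmware mode: $mode" >&2
            return 2 ;;
    esac
}

# Report for the machine this runs on, using the thread's disk layout.
echo "firmware: $(firmware_mode)"
echo "BIOS boot partition: $(bios_boot_part "$FDISK_ROWS")"
grub_install_cmd "$(firmware_mode)" gpt /dev/vda "$FDISK_ROWS"
```

The script only prints the command; nothing is installed.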