
#1 2026-05-15 06:28:49

niko787
Member
Registered: 2022-03-10
Posts: 22

Encrypting installation?

If I want to encrypt my Arch Linux installation, do I need to create a separate unencrypted boot partition? I am reading some conflicting information about this: some say it is needed, and some say it is not, so I am not sure what the correct way is. If there is a separate unencrypted boot partition, doesn't that represent a security concern?


#2 2026-05-15 07:08:42

cryptearth
Member
Registered: 2024-02-03
Posts: 2,135

Re: Encrypting installation?

given your previous topics and the overall knowledge and skill I infer from them:
just DON'T - at least not yet for your bare metal system, but rather set up a VM you can play around in with the different types

small, incomplete overview:

on modern UEFI systems the ESP (EFI system partition) has to be unencrypted FAT32 on a GPT drive - that's what the spec requires and you can only deviate from it if and only if the system's firmware supports anything else (very rare unless custom firmware) - so however you boot, bootloader, EFI stub, UKI, this has to be unencrypted so the bios can read, load and run it

if you want security the question is: at which point?
to me encrypting a system only makes sense if everything is locked down, even the bios - so you need a password to even POST and boot

the next step is a locked bootloader: the bios itself doesn't request a password but loads the bootloader - the bootloader has a small stub at the start and first prompts for a password before continuing to load any config; this one can bite you with complex "gaming" keyboards as the bootloader might only load basic drivers insufficient for the keyboard -> you become unable to enter the password and are locked out of the bootloader

next is an open bootloader but encrypted kernel and initrd
here you have either the files themselves encrypted individually or, more commonly, on an encrypted partition the bootloader is able to access after unlocking
in this scenario you have to watch out that the bootloader's config is on the ESP unencrypted along with the bootloader - as otherwise the bootloader doesn't know its config is on an encrypted partition and lacks the modules to decrypt it

the last step is "just" an encrypted root partition: here, everything up to pivot_root is accessible - which usually is ok as the kernel comes from the repo and the initrd just contains drivers to access the root partition - usually nothing sensitive here - but if not secured they could be replaced by an attacker to install rootkits

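As an added example (not from any poster in this thread and not Arch's own tooling): a small POSIX sh script that records SHA-256 hashes of every file on an unencrypted boot partition and later reports anything modified, missing or added, the kind of check the last paragraph above motivates when the kernel and initrd sit outside the encrypted root. The directory layout and file names are assumptions for the demo; in real use the manifest would be kept on the encrypted root and the check run from there, not from the partition being checked.

```shell
#!/bin/sh
# Integrity manifest for an unencrypted /boot or ESP (added example).
# boot_manifest_create records "sha256  ./relative/path" for every file,
# boot_manifest_verify reports MODIFIED / MISSING / ADDED files afterwards.
# Assumes file names without spaces or newlines (true for a normal /boot).

# boot_manifest_create DIR MANIFEST
# Paths are relative to DIR and sorted bytewise so the manifest is reproducible.
boot_manifest_create() {
    dir=$1; manifest=$2
    (cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done) > "$manifest"
}

# boot_manifest_verify DIR MANIFEST
# Exit status 0 only when every listed file is unchanged and no file was
# added or removed; otherwise prints one line per problem and returns 1.
boot_manifest_verify() {
    dir=$1; manifest=$2; status=0
    # sha256sum -c flags every manifest entry that is modified or missing
    # (stdin is used so the manifest path need not be absolute after the cd)
    (cd "$dir" && sha256sum --check --quiet) < "$manifest" || status=1
    # A file present now but absent from the manifest is just as suspicious,
    # e.g. an extra kernel or EFI binary dropped onto the ESP.
    expected=$(mktemp); actual=$(mktemp)
    awk '{print $2}' "$manifest" | LC_ALL=C sort > "$expected"
    (cd "$dir" && find . -type f | LC_ALL=C sort) > "$actual"
    added=$(LC_ALL=C comm -13 "$expected" "$actual")
    if [ -n "$added" ]; then
        echo "$added" | sed 's/^/ADDED: /'
        status=1
    fi
    rm -f "$expected" "$actual"
    return $status
}
```

A systemd unit or a hook on the encrypted root can run boot_manifest_verify at every boot and refuse to proceed, or at least log, when it returns non-zero; a new kernel package legitimately changes the files, so the manifest must be regenerated after each update.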

#3 2026-05-15 07:54:05

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,498

Re: Encrypting installation?

to me encrypting a system only makes sense if everything is locked down, even the bios - so you need a password to even POST and boot

Depends on the threat vector - do you want to protect the system from manipulation or just from immediate data exposure?
In the latter case encrypting your $HOME or even just a vault for the sensitive data is sufficient.

@niko787, there's no correct™ answer as to whether you need to encrypt the boot partition, start at https://wiki.archlinux.org/title/Dm-crypt - it goes through the process and also some example scenarios.
An alternative to an encrypted boot partition is an external boot device (i.e. you boot the system from, or keep the keys on, a USB key or so, while the installation itself is an encrypted partition on your SSD).
The purpose of encryption is denying HW access, if you can deny access to the HW differently (Moat, Dogs, Crocodiles, Spacelasers…) you don't need to encrypt anything.


#4 2026-05-15 08:27:33

cryptearth
Member
Registered: 2024-02-03
Posts: 2,135

Re: Encrypting installation?

seth wrote:

deny access to the HW differently (Moat, Dogs, Crocodiles, Spacelasers…).

you missed cats/kittens :(

