Setting Up An Encrypted /boot Partition With Fedora & GRUB2

  • Setting Up An Encrypted /boot Partition With Fedora & GRUB2

    Phoronix: Setting Up An Encrypted /boot Partition With Fedora & GRUB2

    While more and more Linux distributions are making it easy from their installers to set up an encrypted root file-system, there are very few that go to the lengths of allowing an easy setup of an encrypted /boot partition...


  • #2
    Impressive, I wrote examples for MBR GRUB nearly 2 years ago. You need to adjust that for UEFI, because there it would be even simpler as /boot/efi is not encrypted.

    Comment


  • #3
    There are also self-encrypting SSDs compatible with the OPAL 2.0 standard. That blocks the SSD including MBR and the bootloader. On Linux "msed" can be used to handle and configure such drives.

    Comment


  • #4
    This blog post has nothing Fedora-specific in it (y)

    Comment


  • #5
    Here's a thought; if /boot is kept on a separate partition and that is separately encrypted with a different passphrase, anyone deploying an "evil maid" will likely mistake the /boot key for the real thing and bail with your hard drive, finding later that they can only read /boot. It would take a minimum of three visits to defeat this with software only, two to use a hardware keylogger physically installed. On the other hand, letting the bootloader handle the main passphrase would mean transferring trust from the initramfs and kernel to the BIOS/UEFI code. Three-letter agencies have not been reported in any country to be relying on software keyloggers at boot time, probably because they require knowing what OS and encryption scheme you will be attacking in advance. The "evil maid" is what your hacker roommate will use to browse your porn collection. If the morality police in Daesh-land want access to that same porn, they will use a hardware keylogger like the Chinese MSS and the NSA are known to favor. If the Chinese Embassy is dumb enough to order computers for delivery, the NSA has advance access during shipment but not persistent access, so they will replace the BIOS/UEFI rather than install a hardware keylogger vulnerable to visual inspection.

    Comment


  • #6
    Basically evil maid attacks are always possible. Modified keyboards, wireless keyboards without encryption, modified bootloaders (in case of missing HD password) are always possible. Also in case of a laptop you should never use suspend because of cold boot attacks. UEFI rootkits are possible as well and very hard to detect. It is just a question of how much effort somebody wants to invest. Any kind of encryption should be enough to secure data in case of theft, but don't think you are safe from other attacks.

    Comment


  • #7
    Wish gummiboot could do this too.

    Comment


  • #8
    I feel like I'm missing something obvious here, but why would I want to encrypt the boot partition? There's nothing sensitive there.

    Comment


  • #9
    The reason to encrypt /boot would be to WRITE protect your initramfs and kernel, but GRUB and the BIOS remain targets. Someone mentioned wireless keyboards. I consider these incompatible with any form of encryption as they are too easily intercepted. If encrypted they should be considered untrusted commercial encryption products presumed to contain backdoors accessible to every cop. Open source encryption works, I had an encrypted hard drive defeat police forensics after a raid back in 2008. Remember what Snowden says, encryption works...

    Comment
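The exchange in #8 and #9 is about whether /boot is protected at all. A practitioner's first question after following the article is the narrower one: is the filesystem mounted at /boot actually sitting on a dm-crypt device, or did the installer leave it on a plain partition? The following check is an added example written for this page, not code from the Phoronix article or from any poster. It walks the device tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints and reports whether a `crypt` layer lies between the disk and the /boot mount. The two device trees embedded below are constructed for the example (one classic layout with a plain /boot, one UEFI layout with /boot inside a LUKS container and an unencrypted /boot/efi, as #2 describes); `check_live_system()` runs the real `lsblk` when you want to test your own machine.

```python
"""Is /boot backed by a dm-crypt device? (added example, not from the thread)"""
import json
import subprocess
from typing import List, Optional, Tuple

Chain = List[Tuple[str, str]]  # (device name, lsblk TYPE) from disk down to the mount

# Constructed sample: unencrypted /boot partition, LUKS + LVM root.
PLAIN_BOOT = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "luks-root", "type": "crypt", "mountpoint": None, "children": [
                {"name": "fedora-root", "type": "lvm", "mountpoint": "/"},
            ]},
        ]},
    ]},
]})

# Constructed sample: UEFI layout, /boot inside its own LUKS container that the
# bootloader unlocks; /boot/efi stays in the clear because firmware must read it.
ENCRYPTED_BOOT = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "luks-boot", "type": "crypt", "mountpoint": "/boot"},
        ]},
        {"name": "sda3", "type": "part", "mountpoint": None, "children": [
            {"name": "luks-root", "type": "crypt", "mountpoint": "/"},
        ]},
    ]},
]})


def _find_chain(devices: list, mountpoint: str, trail: tuple = ()) -> Optional[Chain]:
    """Depth-first search of the lsblk tree; returns the ancestor chain of the
    device mounted at `mountpoint`, or None if nothing is mounted there."""
    for dev in devices:
        here = trail + ((dev["name"], dev["type"]),)
        if dev.get("mountpoint") == mountpoint:
            return list(here)
        found = _find_chain(dev.get("children", []), mountpoint, here)
        if found is not None:
            return found
    return None


def mount_chain(lsblk_json: str, mountpoint: str) -> Optional[Chain]:
    """Parse `lsblk -J -o NAME,TYPE,MOUNTPOINT` output and return the device chain
    beneath `mountpoint`."""
    tree = json.loads(lsblk_json)["blockdevices"]
    return _find_chain(tree, mountpoint)


def boot_is_encrypted(lsblk_json: str, mountpoint: str = "/boot") -> Optional[bool]:
    """True if a dm-crypt ('crypt') layer sits between the disk and the mount.

    Edge case: when /boot is not a separate mount it is just a directory on the
    root filesystem, so its protection is whatever '/' has; fall back to that
    chain. Returns None only if neither is mounted (unexpected on a live system).
    """
    chain = mount_chain(lsblk_json, mountpoint)
    if chain is None and mountpoint != "/":
        chain = mount_chain(lsblk_json, "/")
    if chain is None:
        return None
    return any(kind == "crypt" for _, kind in chain)


def check_live_system() -> Optional[bool]:
    """Run the real lsblk and evaluate this machine's /boot."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return boot_is_encrypted(out)


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_BOOT), ("encrypted", ENCRYPTED_BOOT)):
        print(f"{label:>9}: /boot encrypted = {boot_is_encrypted(sample)}, "
              f"chain = {mount_chain(sample, '/boot')}")
```

The chain is returned rather than just a boolean so the output can be eyeballed: seeing `sda -> sda2 -> luks-boot` tells you which container GRUB2 must be able to unlock, while `sda -> sda1` with no `crypt` entry means the kernel and initramfs are writable by anyone with the disk, which is exactly the situation #9 wants to prevent.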
