grub-devel

Encrypted boot partition


From: James Courtier-Dutton
Subject: Encrypted boot partition
Date: Sun, 18 Jul 2010 09:45:24 +0100

Hi,

Is there any encryption support in grub?

I would like to encrypt the boot partition, and let someone type the
password into the grub boot screens.
So, one would then get:
1) Switch PC on.
2) Type in password
3) Grub Boot menu.

The reason to encrypt the boot partition is to make tampering more difficult.
One then only has to do integrity assurance on the small grub loader
up until the grub boot menu.

I know that one method to reach this integrity is to use a read-only
USB boot memory stick that contains grub and the Linux kernel images,
then only needing the "root" partition to be encrypted.
Boot times are quicker if it can read the kernel/initrd images from
the HD instead of the USB memory stick.
This would also have the advantage that a single USB boot memory stick
could then be able to boot different machines that might have
different kernels, using the same USB stick.

The USB stick is used to provide the integrity assurance on the small
grub loader in the following scenario.
1) User keeps USB stick at all times. The USB stick is set to
read-only, so cannot be tampered with easily.
2) Laptop may be left unattended when powered off.
3) User returns to laptop, and uses USB stick to boot it.

Summary:
Permit grub boot menu to be in LUKS encrypted partition.

Kind Regards

James


