help-grub
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GRUB & crypto? (& generally, more info on undocumented modules?)

From: John Lane
Subject: Re: GRUB & crypto? (& generally, more info on undocumented modules?)
Date: Fri, 19 Dec 2014 09:37:12 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2 
On 19/12/14 08:04, Andrei Borzenkov wrote:
> В Thu, 18 Dec 2014 23:28:08 -0800
> Diagon <address@hidden> пишет:
>
>> ---- On Thu, 18 Dec 2014 22:15:32 -0800 Andrei Borzenkov<address@hidden> 
>> wrote ---- 
>>  > В Thu, 18 Dec 2014 16:52:46 -0800 
>>  > Jordan Uggla <address@hidden> пишет: 
>>   
>>  > > Grub can read files from LUKS and GELI volumes, but only FreeBSD's 
>>  > > kernel currently has a protocol for passing credentials from grub to 
>>  > > the kernel, so if you're using GNU/Linux and you use grub's LUKS 
>>  > > support to read your kernel from your LUKS encrypted root, you will 
>>  > > need to enter your password twice at boot: Once for grub, and again 
>>  > > for linux. 
>>  
>>  > There are patches to support use of keyfile; this could improve 
>>  > situation for by allowing shared keyfile between GRUB and Linux and 
>>  > unattended decryption.
>>
>> That's interesting.  Could you point me to the patches?
>>
> http://grub.johnlane.ie/
>
>> Andrei - Jordan doesn't see a use case for this, though in my point of view 
>> I just want to get as much into my encrypted disk as possible, leaving as 
>> little visible as I can.  Do you have a view on this?
> I would not do it myself, but I see it as valid use case.
>
> _______________________________________________
> Help-grub mailing list
> address@hidden
> https://lists.gnu.org/mailman/listinfo/help-grub
I thought I'd mention my specific use-case for using crypto routines in
Grub.

I have some devices that are configured to boot from a USB drive that I
keep attached to my keys and, usually, in my pocket :)

These devices contain encrypted disks that have no boot sectors and
cannot boot themselves. The unlocked disks are LVM and contain a root
logical volume. This has a "/boot" directory containing the kernel and
initramfs images.

Booting Grub from the USB uses "cryptomount" to unlock the encrypted
disk and this allows Grub's LVM to activate the root volume. Grub then
uses the images in "/boot" on that volume to boot the system. There is
no need to maintain copies of the boot images on the USB drive.

I use a keyfile to avoid the duplicate passphrase entry issue. The
keyfile is on the USB stick. It's also inside the initramfs so that the
booting kernel can also unlock the disk. It's safe because the initramfs
is on an encrypted volume.

By having "/boot" on the root volume, it's easy to perform system
updates in-situ without having to worry about copying images onto the
USB stick (which may not be phyisically present when such an update is
performed).

I also use detached LUKS headers and keep them separately too.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]