
I have managed to get FDE (full disk encryption) working quite happily on an MBR/BIOS system using a DOS partition table; I only have /dev/sda1 and /dev/sda2 for the swap and root LUKS containers respectively. This works because, as of early 2014, grub2 supports encrypted /boot partitions by natively supporting dm-crypt in the part of the boot loader that gets written into the MBR. All's good.

However, with UEFI, is the grubx64.efi binary capable of handling dm-crypt/LUKS containers? I've had no joy in getting this to work. All examples I have seen have either been with /boot encrypted but using MBR/BIOS, or /boot unencrypted with UEFI.

I know it's less of an issue with signed kernels and UEFI Secure Boot, but it still leaves the possibility open for some form of tampering (changing the initramfs, or is that signed? replacing a GRUB module? etc.).

Please note any answers have to apply to 14.04 LTS and not 16.04 etc. If grubx64.efi missed the dm-crypt party for 14.04 then that's fine, I can use MBR/BIOS. I'm just trying to find out whether this is actually possible.

Many thanks in advance,

John.

Elder Geek

2 Answers


I was wondering if there is any update on the possibility of encrypting boot next to root, using EFI + Secure Boot.

I found https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_.28GRUB.29

But I couldn't adapt the example to Fedora 28 (didn't try Ubuntu 18.04 so far).

Tim Banchi
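The Arch wiki page linked in the answer above relies on `GRUB_ENABLE_CRYPTODISK=y` in `/etc/default/grub` so that `grub-install` embeds the `cryptodisk` and `luks` modules into the GRUB image it writes. The script below is an added example (not code from this thread, from Ubuntu or from the GRUB project) showing two checks an administrator can run before relying on an encrypted /boot: whether the setting is actually active in the config, and whether an installed GRUB image carries the module names. The second check assumes that the EFI image produced by `grub-install`/`grub-mkimage` is uncompressed, so embedded module names survive as plain byte strings; the sample config files and the stand-in "images" are constructed inside the script and are not real system files.

```shell
#!/bin/sh
# Added example, not from the Ask Ubuntu thread. Two checks for an encrypted /boot setup.

# grub_cryptodisk_enabled FILE
# Succeeds only if FILE (an /etc/default/grub-style file) has an active,
# uncommented GRUB_ENABLE_CRYPTODISK set to y or 1. The file is sourced as
# shell by grub-mkconfig, so a later assignment overrides an earlier one and
# the value may be quoted; both cases are handled here.
grub_cryptodisk_enabled() {
    file="$1"
    [ -r "$file" ] || return 1
    value=$(grep -v '^[[:space:]]*#' "$file" \
        | sed -n 's/^[[:space:]]*GRUB_ENABLE_CRYPTODISK=//p' \
        | tail -n 1 \
        | tr -d " \t\"'")
    [ "$value" = y ] || [ "$value" = 1 ]
}

# grub_image_has_crypto_modules IMAGE
# Assumption: the EFI GRUB image is not compressed, so the names of the
# modules embedded by grub-mkimage are visible as plain strings. Succeeds
# only if both "cryptodisk" and "luks" appear in the image.
grub_image_has_crypto_modules() {
    image="$1"
    [ -r "$image" ] || return 1
    grep -aq 'cryptodisk' "$image" && grep -aq 'luks' "$image"
}

# make_samples
# Creates constructed sample files in a temporary directory and prints its path.
# None of these are real configs or real GRUB images.
make_samples() {
    dir=$(mktemp -d)
    # Setting present but commented out: the common mistake.
    printf '%s\n' 'GRUB_TIMEOUT=5' '# GRUB_ENABLE_CRYPTODISK=y' > "$dir/grub.commented"
    # Correct setting, quoted as many editors leave it.
    printf '%s\n' 'GRUB_TIMEOUT=5' 'GRUB_ENABLE_CRYPTODISK="y"' > "$dir/grub.enabled"
    # Enabled, then overridden further down the file: the last value wins.
    printf '%s\n' 'GRUB_ENABLE_CRYPTODISK=y' 'GRUB_ENABLE_CRYPTODISK=n' > "$dir/grub.overridden"
    # Stand-ins for an EFI image: a few bytes around module-name strings (constructed).
    printf 'MZ part_gpt cryptodisk luks normal linux\n' > "$dir/image.crypto"
    printf 'MZ part_gpt normal linux\n' > "$dir/image.plain"
    echo "$dir"
}

# Demonstration on the constructed samples.
dir=$(make_samples)
for f in grub.commented grub.enabled grub.overridden; do
    if grub_cryptodisk_enabled "$dir/$f"; then
        echo "$f: GRUB_ENABLE_CRYPTODISK is active"
    else
        echo "$f: GRUB_ENABLE_CRYPTODISK is NOT active"
    fi
done
for f in image.crypto image.plain; do
    if grub_image_has_crypto_modules "$dir/$f"; then
        echo "$f: cryptodisk and luks modules present"
    else
        echo "$f: crypto modules missing, GRUB could not unlock /boot"
    fi
done
rm -rf "$dir"
```

On a real system the two functions would be pointed at `/etc/default/grub` and at the installed image (for example the `grubx64.efi` under the EFI system partition, or `/boot/grub/i386-pc/core.img` on a BIOS install); a config that passes the first check but an image that fails the second usually means `grub-install` was not re-run after the setting was changed.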

As far as I can tell, the UEFI boot loader is not capable of using an encrypted boot area where the MBR variant is. Obviously there is less concern with UEFI, as one can use Secure Boot and signed kernel images (more rigorously enforced in 16.04). With MBR everything can be encrypted apart from the first-stage MBR-based GRUB boot loader (something needs to decrypt root!). This could be compromised, but would be much harder to do than, say, replacing a kernel on an unsecured UEFI system. Also remember to leave 2048 sectors at the start of an MBR disk (like the newer fdisk does) for extra room for the decrypting first-stage boot loader. If you can't do this then you'll have to go for a separate unencrypted boot partition.

Hope this helps others.