
How do I encrypt all data on the hard drive (including /boot and the 1MB BIOS boot partition)? How do I create a GRUB bootable BIOS partition with encryption? My HDD is empty now. I cannot use this laptop now.

1 Answer


You cannot encrypt the BIOS Boot Partition; the boot process on a BIOS-based computer that uses GRUB to boot Ubuntu (or any other Linux) goes something like this:

  1. CPU powers on and executes BIOS code, which does not understand encryption.
  2. BIOS reads the first sector (MBR) of the hard disk, which is necessarily unencrypted.
  3. The MBR code, which is tiny, reads more extensive boot loader code stored elsewhere -- normally in the BIOS Boot Partition in the case of GRUB on a GPT disk.
  4. GRUB reads its configuration file, normally from /boot/grub/grub.cfg. It may also load additional code from modules stored in /boot/grub.
  5. GRUB reads the kernel and initial RAM disk (initrd) file, then executes the kernel.
  6. The kernel runs startup scripts in the initrd.
  7. The main filesystem is mounted and further startup processes are controlled from there.

Because the BIOS doesn't support encryption, the MBR cannot be encrypted. In theory, the MBR could include encryption code, and so the BIOS Boot Partition could be encrypted; however, in practice this is impractical, perhaps in the extreme, because the MBR boot code is a total of 440 bytes in size (446 bytes if you stretch the definitions a bit). Note that's bytes, not KiB, MiB, or some other value. GRUB uses the BIOS Boot Partition because 440 bytes is inadequate to do anything more than direct the boot process on to this bigger location; cramming encryption software into that space is a hurdle that's beyond the realm of the practical (and maybe totally impossible).

Thus, the earliest point at which encryption is a practical possibility is after the BIOS Boot Partition is read, and in fact, GRUB does support reading encrypted filesystems, so your Linux kernel can be stored on an encrypted filesystem. (At least, that's what I hear; I've never tried it myself.)

Note also that encrypting the BIOS Boot Partition will give you limited or no additional privacy protections. The bulk of what goes there is open source software. It may be tweaked and customized for your particular system, but that's mainly just to identify the partition that holds the Linux root (/) or /boot filesystem, and perhaps to include drivers needed on your particular computer. AFAIK, there are no passwords, usernames, or other sensitive data in the BIOS Boot Partition. If it were possible, encrypting the BIOS Boot Partition might make it harder for malware to take it over -- but in this scenario, the malware would merely need to adjust the MBR to redirect the boot process to its own code, or to completely re-write the BIOS Boot Partition using its own encryption keys.

That said, in theory a whole disk could be encrypted if the disk itself, or the controller to which it's attached, supported this feature. This would require the disk or controller to do the encryption and decryption, "beneath" the level of the BIOS. I'm not sure offhand how a password could be delivered to a disk connected to a standard controller, but if you had a plug-in card with an encrypted disk controller, it would necessarily interface with the regular BIOS, and could therefore prompt for a password at boot time. To the OS, the disk would look like a normal unencrypted disk. I vaguely recall hearing about such solutions, but I've never looked into them, and I don't know if such hardware is readily available today. (I might be remembering claims for vaporware.)

Note also that an EFI/UEFI works very differently from a BIOS; but AFAIK, EFI/UEFI also does not support encrypting 100% of a disk -- the boot loader must still reside on an unencrypted EFI System Partition (ESP). EFI is a lot bigger and more complex than BIOS, though, so I may be unaware of an obscure feature, and it may be easier to add such support to the EFI specification in the future. If you're interested in encrypting the BIOS Boot Partition as a way to prevent tampering from malware, though, the Secure Boot feature of most modern UEFIs is intended to tackle this problem. By signing the first boot code read from the disk and providing a chain of signing through to the OS, Secure Boot (theoretically) prevents tampering.

Rod Smith
Rod, Could you have a look here as this OP didn't originally include the uefi tag, so might be flying under your radar. Leave a comment here so I delete this comment. – Fabby Oct 29 '16 at 00:06
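To make the boundary described in the answer concrete, here is an added Python example (not code from the answer or from GRUB) that parses a constructed GPT disk image: it reports the 440-byte MBR boot-code region and the protective-MBR entry, flags the BIOS Boot Partition by its GPT type GUID (the part that must stay in the clear), and detects a LUKS header on the partition GRUB would unlock. The image builder, partition names and LBA ranges are constructed sample values; the two type GUIDs and the LUKS magic are the real on-disk constants.

```python
import struct
import uuid
SECTOR = 512
BIOS_BOOT_GUID = uuid.UUID("21686148-6449-6E6F-744E-656564454649")  # GPT type of the BIOS Boot Partition
LINUX_FS_GUID = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")   # GPT "Linux filesystem" type
LUKS_MAGIC = b"LUKS\xba\xbe"  # first six bytes of a LUKS header
def parse_mbr(sector0):
    """Sector 0: 440 bytes of boot code, four partition entries at 446, 0x55AA at 510."""
    return {
        "boot_code_bytes": len(sector0[:440]),       # always 440: no room for a cipher here
        "boot_code_present": any(sector0[:440]),
        "protective_gpt": sector0[450] == 0xEE,      # type 0xEE = protective MBR of a GPT disk
        "signature_ok": sector0[510:512] == b"\x55\xaa",
    }
def parse_gpt(image):
    """Walk the GPT entry array (header at LBA 1) and classify each used partition."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(n_entries):
        off = entries_lba * SECTOR + i * entry_size
        entry = image[off:off + entry_size]
        type_guid = uuid.UUID(bytes_le=bytes(entry[:16]))  # GPT GUIDs are stored mixed-endian
        if type_guid.int == 0:
            continue  # unused slot
        first, last = struct.unpack_from("<QQ", entry, 32)
        parts.append({"name": entry[56:128].decode("utf-16-le").rstrip("\x00"),
                      "first_lba": first, "last_lba": last,
                      "bios_boot": type_guid == BIOS_BOOT_GUID,  # must stay in the clear
                      "luks": image[first * SECTOR:first * SECTOR + 6] == LUKS_MAGIC})  # GRUB can unlock
    return parts
def build_sample_image():
    """Constructed disk image: protective MBR, GPT, a BIOS Boot Partition and a LUKS partition."""
    img = bytearray(2050 * SECTOR)
    img[0:3] = b"\xeb\x63\x90"  # stand-in for boot code (a real boot.img fills all 440 bytes)
    img[446:462] = bytes([0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF]) + struct.pack("<II", 1, 2049)
    img[510:512] = b"\x55\xaa"
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 2, 128)  # entry array at LBA 2, 2 entries x 128 bytes
    for i, (guid, first, last, name) in enumerate([(BIOS_BOOT_GUID, 34, 2047, "BIOS boot"),
                                                   (LINUX_FS_GUID, 2048, 2049, "cryptroot")]):
        off = 2 * SECTOR + i * 128
        img[off:off + 16] = guid.bytes_le
        img[off + 16:off + 32] = uuid.UUID(int=i + 1).bytes_le  # fixed stand-in unique GUID
        struct.pack_into("<QQ", img, off + 32, first, last)
        img[off + 56:off + 56 + 2 * len(name)] = name.encode("utf-16-le")
    img[2048 * SECTOR:2048 * SECTOR + 6] = LUKS_MAGIC  # LUKS header at start of cryptroot
    return bytes(img)
```

On a real machine the same functions can be fed the first few MiB read from the block device; a partition whose type is the BIOS Boot GUID is what GRUB's core.img occupies, and it is exactly the region this answer says cannot be encrypted.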