GRUB Boot Loader Adds Support For LUKS2 Encrypted Disks

  • GRUB Boot Loader Adds Support For LUKS2 Encrypted Disks

    Phoronix: GRUB Boot Loader Adds Support For LUKS2 Encrypted Disks

    The GRUB boot-loader has finally merged support for dealing with LUKS2 encrypted disks...

    http://www.phoronix.com/scan.php?pag...2-Disk-Encrypt

  • restinbeach
    replied
    Well, as for Void Linux, how do I make sure it now installs with GRUB and LUKS2 when using chroot? I used to have "--type luks1" in my cryptsetup command. Can I find out other than by trial & error?



  • shmerl
    replied
    Originally posted by itoffshore View Post

    This sort of setup is a lot simpler to do in Manjaro's Architect ISO - just mount your custom system under /mnt & run "setup". After running through the sequence of steps in the installer, select the "chroot into installation" option to set up /etc/crypttab & /etc/default/grub.

    If you run your root filesystem on BTRFS you also do not need a boot partition.

    If your system is UEFI you can also just mount the ESP at /efi.

    Your system will start to boot in the ITER time + 4-5 seconds for GRUB to unlock your encrypted root.
    Well, Debian should support it too.



  • sandy8925
    replied
    Originally posted by [email protected] View Post
    Nice, as right now there is still a hole in my boot chain: the initramfs isn't signed with Secure Boot, and isn't on an encrypted partition.

    I use rEFInd more nowadays, though.

    How does the partitionless boot work? You're assuming EFI, right? You still need a FAT-formatted partition to contain the boot executables, AFAIK?
    You can store the initramfs under /boot in a separate partition, and encrypt that, but your bootloader must then be able to decrypt that partition (GRUB can, for example).

    Or you could use EFISTUB and just have EFI boot the kernel directly.



  • Hans Bull
    replied
    About time.



  • itoffshore
    replied
    Originally posted by [email protected] View Post
    Nice, as right now there is still a hole in my boot chain: the initramfs isn't signed with Secure Boot, and isn't on an encrypted partition.

    I use rEFInd more nowadays, though.

    How does the partitionless boot work? You're assuming EFI, right? You still need a FAT-formatted partition to contain the boot executables, AFAIK?
    My initramfs & boot images are stored under the encrypted root in /boot with strong permissions.

    The unencrypted FAT32 ESP only contains the EFI loaders for GRUB & rEFInd.

    The Arch Wiki has some notes for Secure Boot with rEFInd.



  • GI_Jack
    replied
    Originally posted by [email protected] View Post
    Nice, as right now there is still a hole in my boot chain: the initramfs isn't signed with Secure Boot, and isn't on an encrypted partition.

    I use rEFInd more nowadays, though.

    How does the partitionless boot work? You're assuming EFI, right? You still need a FAT-formatted partition to contain the boot executables, AFAIK?
    It works because you have an unencrypted EFI partition, and that is configured to unlock a LUKS partition and then load from it. The previous limitation was LUKS1. LUKS2 adds all kinds of new hardening.

    Using anything but a password as a key is still not supported; it would be nice to use a key file on a USB stick, or even a YubiKey.

    Originally posted by [email protected] View Post
    Nice, as right now there is still a hole in my boot chain: the initramfs isn't signed with Secure Boot, and isn't on an encrypted partition.
    Then load your own CA into the BIOS. That is my next project. TPMs are cheap; I got a first-party one from my motherboard manufacturer for about $30 new.

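restinbeach asks how to know, without trial and error, whether a chroot install will leave a header that GRUB can unlock, and GI_Jack describes the unencrypted ESP unlocking a LUKS partition. The shell script below is an added example (not from the thread, Void, or the GRUB project) that checks the pieces involved; it assumes the usual /usr/lib/grub module root and /etc/default/grub, uses constructed luksDump excerpts for its self-test, and encodes the fact that the LUKS2 code merged here only derives keys with PBKDF2, not Argon2.

```shell
#!/bin/sh
# Added example, not from the thread or GRUB: check a LUKS header and the installed
# GRUB for LUKS2 compatibility instead of finding out by trial and error.
# Constructed `cryptsetup luksDump` excerpts; the device path is a placeholder.
DUMP_LUKS1='LUKS header information for /dev/PLACEHOLDER
Version:        1'
DUMP_LUKS2_ARGON='LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id'
DUMP_LUKS2_PBKDF2='LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      pbkdf2'

# LUKS format version (1 or 2) from luksDump output.
luks_version() { printf '%s\n' "$1" | awk '/^Version:/ { print $2; exit }'; }

# Distinct keyslot PBKDFs (LUKS2 only; LUKS1 keyslots are always PBKDF2).
luks_pbkdfs() { printf '%s\n' "$1" | awk '/^[[:space:]]*PBKDF:/ { print $2 }' | sort -u; }

# Verdict: LUKS1 opens; LUKS2 opens only if every keyslot uses pbkdf2, since the
# LUKS2 code merged here cannot derive Argon2 keys (cryptsetup's LUKS2 default).
grub_openable() {
    v=$(luks_version "$1")
    [ "$v" = "1" ] && return 0
    [ "$v" = "2" ] || return 1
    for p in $(luks_pbkdfs "$1"); do
        [ "$p" = "pbkdf2" ] || return 1
    done
    return 0
}

# The luks2 GRUB module must exist (usual module root: /usr/lib/grub) and
# GRUB_ENABLE_CRYPTODISK=y must be set in /etc/default/grub for grub-install.
grub_has_luks2() { [ -n "$(find "${1:-/usr/lib/grub}" -name luks2.mod 2>/dev/null)" ]; }
grub_cryptodisk_enabled() { grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=y' "$1" 2>/dev/null; }

# Full check on a real device (root + cryptsetup), e.g.: sh check.sh /dev/sda2
check_device() {
    dump=$(cryptsetup luksDump "$1") || return 1
    echo "LUKS v$(luks_version "$dump"), PBKDF: $(luks_pbkdfs "$dump" | tr '\n' ' ')"
    grub_openable "$dump" && echo "header: GRUB can open it" || echo "header: GRUB cannot open it"
    grub_has_luks2 && echo "luks2.mod: present" || echo "luks2.mod: missing"
    grub_cryptodisk_enabled /etc/default/grub && echo "cryptodisk: enabled" || echo "cryptodisk: unset"
}
if [ -n "${1-}" ]; then check_device "$1"; fi
```

If the header reports Argon2 keyslots, re-creating the volume with `cryptsetup luksFormat --type luks2 --pbkdf pbkdf2` (or converting a keyslot with `cryptsetup luksConvertKey --pbkdf pbkdf2`) is what makes it openable by this GRUB.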


  • M@yeulC
    replied
    Nice, as right now there is still a hole in my boot chain: the initramfs isn't signed with Secure Boot, and isn't on an encrypted partition.

    I use rEFInd more nowadays, though.

    Originally posted by itoffshore View Post

    This sort of setup is a lot simpler to do in Manjaro's Architect ISO - just mount your custom system under /mnt & run "setup". After running through the sequence of steps in the installer, select the "chroot into installation" option to set up /etc/crypttab & /etc/default/grub.

    If you run your root filesystem on BTRFS you also do not need a boot partition.

    If your system is UEFI you can also just mount the ESP at /efi.

    Your system will start to boot in the ITER time + 4-5 seconds for GRUB to unlock your encrypted root.
    How does the partitionless boot work? You're assuming EFI, right? You still need a FAT-formatted partition to contain the boot executables, AFAIK?



  • itoffshore
    replied
    Originally posted by shmerl View Post
    So can Debian provide proper LUKS usage in the installer, so it could create an LVM setup without the need for an unencrypted boot partition? Right now there is no way to do it in the installer, and doing it manually first and then making the install eat that prepared setup is very messy.
    This sort of setup is a lot simpler to do in Manjaro's Architect ISO - just mount your custom system under /mnt & run "setup". After running through the sequence of steps in the installer, select the "chroot into installation" option to set up /etc/crypttab & /etc/default/grub.

    If you run your root filesystem on BTRFS you also do not need a boot partition.

    If your system is UEFI you can also just mount the ESP at /efi.

    Your system will start to boot in the ITER time + 4-5 seconds for GRUB to unlock your encrypted root.



  • shmerl
    replied
    So can Debian provide proper LUKS usage in the installer, so it could create an LVM setup without the need for an unencrypted boot partition? Right now there is no way to do it in the installer, and doing it manually first and then making the install eat that prepared setup is very messy.
