GRUB Boot Loader Adds Support For LUKS2 Encrypted Disks


  • GRUB Boot Loader Adds Support For LUKS2 Encrypted Disks

    Phoronix: GRUB Boot Loader Adds Support For LUKS2 Encrypted Disks

    The GRUB boot-loader has finally merged support for dealing with LUKS2 encrypted disks...

    http://www.phoronix.com/scan.php?pag...2-Disk-Encrypt

  • #2
    So can Debian provide proper LUKS usage in the installer, so it could create an LVM setup without the need for an unencrypted boot partition? Right now there is no way to do it in the installer, and doing it manually first and then making the installer eat that prepared setup is very messy.



    • #3
      Originally posted by shmerl View Post
      So can Debian provide proper LUKS usage in the installer, so it could create an LVM setup without the need for an unencrypted boot partition? Right now there is no way to do it in the installer, and doing it manually first and then making the installer eat that prepared setup is very messy.
      This sort of setup is a lot simpler to do in Manjaro's Architect ISO - just mount your custom system under /mnt & run "setup". After running through the sequence of steps in the installer, select the "chroot into installation" option to set up /etc/crypttab & /etc/default/grub.

      If you run your root filesystem on BTRFS you also do not need a boot partition.

      If your system is UEFI you can also just mount the ESP at /efi

      Your system will start to boot in the ITER time + 4-5 seconds for grub to unlock your encrypted root.



      • #4
        Nice, as right now there is still a hole in my boot chain: the initramfs isn't signed with secureboot, and isn't on an encrypted partition.

        I use refind more nowadays, though.

        Originally posted by itoffshore View Post

        This sort of setup is a lot simpler to do in Manjaro's Architect ISO - just mount your custom system under /mnt & run "setup". After running through the sequence of steps in the installer, select the "chroot into installation" option to set up /etc/crypttab & /etc/default/grub.

        If you run your root filesystem on BTRFS you also do not need a boot partition.

        If your system is UEFI you can also just mount the ESP at /efi

        Your system will start to boot in the ITER time + 4-5 seconds for grub to unlock your encrypted root.
        How does the partitionless boot work? You're assuming EFI, right? You still need a FAT-formatted partition to contain the boot executables, AFAIK?



        • #5
          Originally posted by [email protected] View Post
          Nice, as right now there is still a hole in my boot chain: the initramfs isn't signed with secureboot, and isn't on an encrypted partition.

          I use refind more nowadays, though.

          How does the partitionless boot work? You're assuming EFI, right? You still need a FAT-formatted partition to contain the boot executables, AFAIK?
          It works as you have an unencrypted EFI partition, and that is configured to unlock a LUKS partition, and then load. The previous limitation was LUKS1. LUKS2 adds all kinds of new hardening.

          Still, using anything but a password as a key is not supported; it would be nice to use a key file on a USB stick, or even a YubiKey.

          Originally posted by [email protected] View Post
          Nice, as right now there is still a hole in my boot chain: the initramfs isn't signed with secureboot, and isn't on an encrypted partition.
          Then load your own CA into the BIOS. That is my next project. TPMs are cheap; I got one first-party from my motherboard manufacturer for about $30 new.



          • #6
            Originally posted by [email protected] View Post
            Nice, as right now there is still a hole in my boot chain: the initramfs isn't signed with secureboot, and isn't on an encrypted partition.

            I use refind more nowadays, though.

            How does the partitionless boot work? You're assuming EFI, right? You still need a FAT-formatted partition to contain the boot executables, AFAIK?
            My initramfs & boot images are stored under the encrypted root in /boot with strong permissions.

            The unencrypted FAT32 ESP only contains the EFI loaders for GRUB & Refind.

            The Arch Wiki has some notes for secure boot with refind



            • #7
              About time.



              • #8
                Originally posted by [email protected] View Post
                Nice, as right now there is still a hole in my boot chain: the initramfs isn't signed with secureboot, and isn't on an encrypted partition.

                I use refind more nowadays, though.

                How does the partitionless boot work? You're assuming EFI, right? You still need a FAT-formatted partition to contain the boot executables, AFAIK?
                You can store the initramfs under /boot in a separate partition, and encrypt that, but your bootloader must then be able to decrypt that partition (GRUB can for example).

                Or you could use EFISTUB and just have EFI boot the kernel directly.



                • #9
                  Originally posted by itoffshore View Post

                  This sort of setup is a lot simpler to do in Manjaro's Architect ISO - just mount your custom system under /mnt & run "setup". After running through the sequence of steps in the installer, select the "chroot into installation" option to set up /etc/crypttab & /etc/default/grub.

                  If you run your root filesystem on BTRFS you also do not need a boot partition.

                  If your system is UEFI you can also just mount the ESP at /efi

                  Your system will start to boot in the ITER time + 4-5 seconds for grub to unlock your encrypted root.
                  Well, Debian should support it too.



                  • #10
                    Well, as for Void Linux, how do I make sure it now installs with GRUB and LUKS2 when using chroot? I used to have "--type luks1" in my cryptsetup command. Can I find out other than by trial & error?

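The boot chain described in #5 (unencrypted ESP, GRUB unlocking the LUKS container that holds /boot) and the question in #10 (how to tell which LUKS version an install produced) both come down to what is in the LUKS header. The script below is an added example written for this thread, not code from GRUB, cryptsetup, Void Linux or any poster: it parses the LUKS1 and LUKS2 on-disk headers (field offsets per the two format specifications), reports version, UUID and cipher, and flags LUKS2 keyslots whose KDF GRUB cannot use. The sample headers, the UUID and the "root" label are constructed in the script; `read_header` is a helper name chosen here for reading a real device and needs read access to it. The caveat it encodes: the LUKS2 support merged at the time, and the GRUB 2.06 release that shipped it, derive keys only with PBKDF2, while cryptsetup's LUKS2 default is Argon2, so a plain `luksFormat --type luks2` produces a container GRUB cannot unlock.

```python
"""Parse LUKS1/LUKS2 on-disk headers and flag keyslots GRUB cannot unlock.

Added example for this thread, not cryptsetup or GRUB code. Field offsets follow
the LUKS1 and LUKS2 on-disk format specifications; all sample data is constructed.
"""
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS2_BINARY_HDR_SIZE = 4096  # JSON area starts right after the binary header


def _cstr(buf: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII field."""
    return buf.split(b"\0", 1)[0].decode("ascii")


def parse_luks_header(hdr: bytes) -> dict:
    """Parse the header at the start of a LUKS device (version 1 or 2).

    For LUKS2, `hdr` must cover the whole metadata area (hdr_size bytes), because
    the keyslot descriptions live in the JSON area after the binary header.
    """
    if hdr[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header (magic mismatch)")
    version = struct.unpack(">H", hdr[6:8])[0]
    if version == 1:
        # LUKS1 phdr after magic+version: cipher-name(32) cipher-mode(32)
        # hash-spec(32) payload-offset(4) key-bytes(4) mk-digest(20)
        # mk-digest-salt(32) mk-digest-iter(4) uuid(40); keyslots follow at 208.
        payload_offset, key_bytes = struct.unpack(">II", hdr[104:112])
        return {
            "version": 1,
            "uuid": _cstr(hdr[168:208]),
            "cipher": f"{_cstr(hdr[8:40])}-{_cstr(hdr[40:72])}",
            "hash": _cstr(hdr[72:104]),
            "key_bits": key_bytes * 8,
            "payload_offset_sectors": payload_offset,
            "kdfs": ["pbkdf2"],  # LUKS1 keyslots are always PBKDF2
        }
    if version == 2:
        # LUKS2 binary header after magic+version: hdr_size(8) seqid(8) label(48)
        # csum_alg(32) salt(64) uuid(40) subsystem(48) hdr_offset(8) ...
        hdr_size = struct.unpack(">Q", hdr[8:16])[0]
        if len(hdr) < hdr_size:
            raise ValueError(f"need {hdr_size} bytes to read the LUKS2 JSON area")
        meta = json.loads(hdr[LUKS2_BINARY_HDR_SIZE:hdr_size].rstrip(b"\0"))
        segment = next(iter(meta["segments"].values()))
        return {
            "version": 2,
            "uuid": _cstr(hdr[168:208]),
            "label": _cstr(hdr[24:72]),
            "cipher": segment["encryption"],
            "hdr_size": hdr_size,
            "kdfs": [ks["kdf"]["type"] for ks in meta["keyslots"].values()],
        }
    raise ValueError(f"unsupported LUKS version {version}")


def grub_can_unlock(info: dict) -> bool:
    """True when every keyslot uses PBKDF2, the only KDF GRUB's LUKS2 code
    supports (as merged in the article and in GRUB 2.06; Argon2 came later)."""
    return bool(info["kdfs"]) and all(k == "pbkdf2" for k in info["kdfs"])


def read_header(device: str) -> dict:
    """Read only as much of a device/image as the parser needs (needs read access)."""
    with open(device, "rb") as f:
        head = f.read(LUKS2_BINARY_HDR_SIZE)
        if head[6:8] == b"\x00\x02":  # LUKS2: fetch the rest of the metadata area
            head += f.read(struct.unpack(">Q", head[8:16])[0] - len(head))
    return parse_luks_header(head)


# --- constructed sample headers (not from a real disk) -----------------------
SAMPLE_UUID = "2a8b6c5e-1d3f-4f9a-9c7b-0e5d2f1a3b4c"  # made up for the example


def _field(value: bytes, width: int) -> bytes:
    return value.ljust(width, b"\0")


SAMPLE_LUKS1 = (
    LUKS_MAGIC + struct.pack(">H", 1)
    + _field(b"aes", 32) + _field(b"xts-plain64", 32) + _field(b"sha256", 32)
    + struct.pack(">II", 4096, 64)  # payload offset in sectors, 512-bit key
    + b"\0" * 20 + b"\0" * 32 + struct.pack(">I", 100000)
    + _field(SAMPLE_UUID.encode(), 40)
).ljust(592, b"\0")


def make_luks2(kdf: str, hdr_size: int = 16384) -> bytes:
    """Build a minimal LUKS2 header whose single keyslot uses `kdf`."""
    meta = {
        "keyslots": {"0": {"type": "luks2", "key_size": 64, "kdf": {"type": kdf}}},
        "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64",
                           "offset": "16777216", "size": "dynamic", "sector_size": 512}},
        "digests": {}, "tokens": {},
        "config": {"json_size": str(hdr_size - LUKS2_BINARY_HDR_SIZE)},
    }
    binary = (
        LUKS_MAGIC + struct.pack(">H", 2) + struct.pack(">QQ", hdr_size, 1)
        + _field(b"root", 48) + _field(b"sha256", 32) + b"\0" * 64
        + _field(SAMPLE_UUID.encode(), 40) + _field(b"", 48) + struct.pack(">Q", 0)
    ).ljust(LUKS2_BINARY_HDR_SIZE, b"\0")
    return binary + json.dumps(meta).encode().ljust(hdr_size - LUKS2_BINARY_HDR_SIZE, b"\0")


if __name__ == "__main__":
    for name, hdr in (("luks1", SAMPLE_LUKS1), ("luks2/argon2id", make_luks2("argon2id")),
                      ("luks2/pbkdf2", make_luks2("pbkdf2"))):
        info = parse_luks_header(hdr)
        print(f"{name}: version={info['version']} uuid={info['uuid']} "
              f"kdfs={info['kdfs']} grub_ok={grub_can_unlock(info)}")
```

On a live system `cryptsetup luksDump <device>` prints the same facts (the `Version:` line and, for LUKS2, the PBKDF of each keyslot), which answers #10 without trial and error. To keep a LUKS2 container that GRUB can open, format it with `cryptsetup luksFormat --type luks2 --pbkdf pbkdf2`, or move an existing keyslot over with `cryptsetup luksConvertKey --pbkdf pbkdf2 <device>`; converting a LUKS1 container in place with `cryptsetup convert --type luks2` also leaves its PBKDF2 keyslots intact.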
