Gentoo Forums
root disk encryption using grub2 not initrd
msst (Apprentice, joined 07 Jun 2011, 213 posts)
Posted: Fri Apr 17, 2015 7:16 am    Post subject: root disk encryption using grub2 not initrd

Hi folks,

So far I have a small server with normal dm-crypt/luks for the root partition and am booting it via an initramfs from a boot partition.

However I see that grub2 actually should support booting directly from dm-crypt/luks, seeing that it has a luks module and diverse other crypto stuff. What I cannot find so far is any decent howto or documentation giving the details how to set this up. Weird actually, as an initramfs (which is also how most distributions seem to do it) adds an extra layer of complexity.

Does anyone know how to set this up? And how does one integrate this into grub2-mkconfig scripts?

I really think this should be the way to go. The less one needs to put into the unencrypted boot partition, the safer the whole thing gets also. If it can be made reasonably easy all the better. But so far this route seems to be neglected by far. Are there disadvantages that I fail to see?
frostschutz (Advocate, joined 22 Feb 2005, 2968 posts, Location: Germany)
Posted: Fri Apr 17, 2015 12:17 pm

There seems to be some kind of misunderstanding.

Sure, GRUB might support encryption, as in it might be able to read the encrypted kernel and initrd files and boot them.

But once the kernel is loaded, GRUB is gone. And whatever knowledge it had about encryption is also gone. And whatever filesystem GRUB loaded the kernel from is not mounted.

So, even if your GRUB supports encryption, the kernel itself still has to support it too, and for that you need an initramfs to set things up for you. At best, GRUB might pass the encryption key on to the kernel somehow (or you might have baked it into your encrypted initramfs) so you won't have to enter your passphrase twice when booting.

Personally I do not use encryption at the GRUB stage.
msst (Apprentice, joined 07 Jun 2011, 213 posts)
Posted: Fri Apr 17, 2015 5:20 pm

Thanks for that clarification; I was indeed not aware of this. 8-;

So basically the only advantage of using grub for this would be to store the initrd and linux kernel within the encrypted disk. Hmm.
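A concrete picture of the two-stage unlock frostschutz describes and the layout msst concludes with (kernel and initramfs stored on the LUKS volume, GRUB opening it once and the initramfs opening it again), as an added example that is not from this thread: the /etc/default/grub settings and a simplified version of the grub.cfg that grub-mkconfig generates from them, assuming a genkernel-built initramfs, a GPT disk, ext4 on the unlocked device, and placeholder UUIDs.

```grub
# --- /etc/default/grub (added example; all UUIDs are placeholders) ---
# Makes grub-install embed the cryptodisk/luks modules into core.img and
# makes grub-mkconfig emit the cryptomount step shown further down.
GRUB_ENABLE_CRYPTODISK=y
# The kernel cannot reuse GRUB's unlock: the initramfs has to open the
# LUKS container itself. crypt_root= is genkernel's parameter name; its
# initramfs maps the opened device to /dev/mapper/root.
GRUB_CMDLINE_LINUX="crypt_root=UUID=<luks-uuid> root=/dev/mapper/root"

# --- grub.cfg as generated by grub-mkconfig (simplified) ---
# Stage 1: GRUB itself opens the LUKS1 container that holds /boot.
# This is the first passphrase prompt.
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u <luks-uuid-without-dashes>
set root='cryptouuid/<luks-uuid-without-dashes>'
search --no-floppy --fs-uuid --set=root <ext4-fs-uuid>

menuentry 'Gentoo GNU/Linux' {
        # Kernel and initramfs are read from the volume GRUB just unlocked;
        # nothing but core.img has to live outside the encrypted disk.
        linux   /boot/vmlinuz crypt_root=UUID=<luks-uuid> root=/dev/mapper/root
        # Stage 2: the initramfs runs cryptsetup on the same container
        # (second prompt, unless a keyfile shipped inside this initramfs,
        # i.e. inside the encrypted volume, unlocks a key slot).
        initrd  /boot/initramfs
}
```

The bootloader image that performs stage 1 still sits in the clear, so this hides the kernel and initramfs but does not by itself protect core.img from tampering. GRUB's luks module handled LUKS1 only at the time of this thread; LUKS2 containers need GRUB 2.06 or later and, before 2.12, PBKDF2 rather than Argon2 key slots.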