I have UEFI enabled in my BIOS and an Ubuntu installed on the single hard disk available in the machine. There are two Linux partitions on this hard disk: /boot/efi and /. I have recently booted via UEFI into a live USB with the same version of Ubuntu and encrypted the / partition using luksipc, a tool which converts an unencrypted partition to an encrypted partition. I can successfully access the encrypted partition using cryptsetup luksOpen, so that process went fine.

My problem is in the boot. I have altered crypttab and fstab and regenerated the initramfs (update-initramfs), the GRUB config files (update-grub) and the GRUB binary (grub-install). Finally, I have rebooted, but the boot gets stuck at the GRUB command line.

What am I doing wrong? Do I need to have /boot in an additional unencrypted partition so that GRUB can find its files in /boot (which is currently in the encrypted partition /)?

1 Answer

3

Yes, the boot partition remains unencrypted. In practice, looking at my disk, you have three partitions:

  • sda1 (/boot/efi, obviously the GPT boot partition)
  • sda2 (/boot, the Linux kernel)
  • sda3 (holds the encrypted volume)

The whole thing remains safe, because UEFI by design checks that the contents of /boot/efi are unaltered, and these can check the contents of sda2 before booting from it.

xenoid
  • 8,888
  • Thanks for the answer! It seems that GRUB is also able to access an encrypted partition, so I suppose that my setup could work if I set GRUB_ENABLE_CRYPTODISK=y and add a cryptdevice param to GRUB_CMDLINE_LINUX option in /etc/default/grub ? – Alan Evangelista Feb 05 '20 at 22:09
  • 1
    Some hints: https://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/ – xenoid Feb 05 '20 at 22:16
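As an added illustration (not code from the question, the answer or xenoid's hints), the following shell script checks the two layouts discussed above for the one condition that leaves a machine at the GRUB command line: whether GRUB can reach /boot at all. It reads only an fstab and a GRUB defaults file and accepts either a separate unencrypted /boot (the answer's sda2) or /boot inside the LUKS root with GRUB_ENABLE_CRYPTODISK=y (the layout the comment asks about). It assumes the opened LUKS volume is mounted from a /dev/mapper/* node, as Ubuntu's crypttab setup does; the fstab and grub contents it writes are constructed samples with placeholder UUIDs, not values from any real disk.

```shell
#!/bin/sh
# Added example, not code from the question or answer: a consistency check for
# the two GRUB + LUKS layouts discussed above. It only reads config files and
# reports whether GRUB will be able to find /boot. Assumptions: the opened LUKS
# volume is mounted from /dev/mapper/*, and GRUB's LUKS support is switched on
# by GRUB_ENABLE_CRYPTODISK=y. All file contents below are constructed samples.

# check_boot_layout FSTAB GRUBDEF
# Returns 0 when GRUB can read /boot, 1 when it cannot.
check_boot_layout() {
    fstab="$1"
    grubdef="$2"

    # Layout A (the answer's sda2): an fstab entry whose mount point is exactly /boot.
    if grep -Eq '^[^#[:space:]][^[:space:]]*[[:space:]]+/boot[[:space:]]' "$fstab"; then
        echo "ok: /boot is its own partition, GRUB needs no LUKS support"
        return 0
    fi

    # Layout B: /boot lives under /. Find the device mounted on /.
    root_dev=$(awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$fstab")
    case "$root_dev" in
        /dev/mapper/*)
            # Encrypted root: GRUB itself must carry the cryptodisk module and
            # unlock the volume, otherwise it cannot load grub.cfg or the kernel
            # and drops to its command line.
            if grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=y' "$grubdef"; then
                echo "ok: /boot is inside the LUKS root and GRUB_ENABLE_CRYPTODISK=y is set"
                return 0
            fi
            echo "fail: /boot is inside $root_dev but GRUB_ENABLE_CRYPTODISK is not set"
            return 1
            ;;
        "")
            echo "fail: no / entry found in $fstab"
            return 1
            ;;
        *)
            echo "ok: / ($root_dev) is not a device-mapper volume"
            return 0
            ;;
    esac
}

# make_samples DIR: write constructed fstab / grub files into DIR.
# UUIDs are placeholders, not values taken from any real system.
make_samples() {
    dir="$1"
    cat > "$dir/fstab_luks" <<'EOF'
# constructed sample: /boot is inside the encrypted root (the asker's layout)
UUID=AAAA-0001          /boot/efi  vfat  umask=0077         0  1
/dev/mapper/sda3_crypt  /          ext4  errors=remount-ro  0  1
EOF
    cat > "$dir/fstab_split" <<'EOF'
# constructed sample: the answer's three-partition layout
UUID=AAAA-0001                         /boot/efi  vfat  umask=0077         0  1
UUID=00000000-0000-0000-0000-00000002  /boot      ext4  defaults           0  2
/dev/mapper/sda3_crypt                 /          ext4  errors=remount-ro  0  1
EOF
    printf 'GRUB_CMDLINE_LINUX=""\n' > "$dir/grub_plain"
    printf 'GRUB_CMDLINE_LINUX=""\nGRUB_ENABLE_CRYPTODISK=y\n' > "$dir/grub_crypt"
}

# Stand-alone demo: run the three combinations and print each verdict.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_boot_layout "$demo_dir/fstab_split" "$demo_dir/grub_plain" || true
check_boot_layout "$demo_dir/fstab_luks"  "$demo_dir/grub_plain" || true
check_boot_layout "$demo_dir/fstab_luks"  "$demo_dir/grub_crypt" || true
rm -rf "$demo_dir"
```

Two caveats for anyone taking the GRUB_ENABLE_CRYPTODISK route rather than the separate /boot the answer recommends: the setting only takes effect after update-grub and grub-install have been re-run, and GRUB's own LUKS support is narrower than cryptsetup's (LUKS1 has long been supported, LUKS2 only from GRUB 2.06 and only with the PBKDF2 key derivation), so a volume GRUB cannot open still ends at the same command line.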