RE: install /boot with encrypted partition

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

It is supposed to be working... (see below)

-----Original Message-----
From: users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Roberto Ragusa
Sent: Monday, July 15, 2013 7:15 PM
To: Community support for Fedora users
Subject: Re: install /boot with encrypted partition

On 07/15/2013 01:13 PM, J.Witvliet@xxxxxxxxx wrote:

> Are you sure about that?
> Afaicr grub2 was supposed to be able to have /boot inside the encrypted area.
> (there still remains some unencrypted disk-blocks though)

This is the first time I hear that, and I wonder what kind of messy hack
that would have to be.

A separate /boot with kernels, initramfs, memtest86+, looks like a
saner approach.
The encrypted part will happily contain everything else (the system, your data,
the swap, including the hibernation data).

-----Original Message-----

The solution with separate /boot, and everything else in an LUKS encrypted LVM, works long time, even with grub-legacy.

The biggest problem is for (automated) installers. Just like the trick with putting /boot in a logical volume.
Afaicr, that is a trick you also have to do manually.

The msg triggered me in googling about the subject, and on my archive on grub2.
Even though Google turned up some results, the referring links were dead :-(

So I asked the grub2 developpers, they said:
"You need core.img that contains crypto modules (and of course mounts encrypted partition as prefix). If you are using grub-install, set GRUB_CRYPTODISK_ENABLE=y and it should just work. core.img itself cannot be encrypted for obvious reasons and should be embedded in post-MBR gap outside of encrypted partition on BIOS platform. On EFI it is in ESP anyway."

And they seem quite confident that it works:
"This really belongs to grub-help unless you have evidence that it does not work."


______________________________________________________________________
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het electronisch verzenden van berichten.

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux