Christoph Anton Mitterer wrote: > On Tue, 2013-11-19 at 09:20 +0700, Trinh Van Thanh wrote: >> Unencrypted boot partition is not safe for some special requirements. >> So I want to increase the secure level for full disk encryption using >> dm-crypt. Can I integrate cryptsetup in bootloader (example GRUB2) or >> is there any other solutions? > > Integrating it in the bootloader doesn't really help you since then the > bootloader is the weak point. > > In the end you'll always need an unencrypted kernel/initrd/bootloader... > so what one can do is booting from a USB stick,.. which you have always > with you... and then have a fully encrypted root-fs. Integrating with the bootloader isn't a _solution_, but it is a _mitigation_. If you're using GRUB2 in a traditional (non-EFI) boot configuration, you can get away with leaving VERY little space for an attacker to work in. In particular, the space before the protective MBR (which is filled by grub's core, and not especially useful to tamper with) and the BIOS Boot Partition it uses to store the more full image (EF02 in gdisk). By creating a truly minimal grub image (cryptdisk, your boot filesystem driver, the linux loader, maybe a couple other things) in which every part is necessary to the boot process, and placing the BBP at the end of the disk, you can force the partition to be the exact minimal size that will hold that data by resizing the LUKS partition. That way, tampering in a manner that WON'T cause the boot process to fail entirely becomes exceedingly difficult, and something with sufficient complexity to patch the kernel becomes prohibitive. I used to use GRUB2's cryptdisk support for a while, and while it was tetchy to work with it does function - if one is familiar with GRUB2's scripting syntax, coreboot's (very) brief overview is sufficient: http://www.coreboot.org/GRUB2#LUKS_disks_openning _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
