
I have Windows 8.1 already installed in UEFI mode. I was installing Ubuntu 15.10 from the live installer. Installation was successful when I kept /boot unencrypted. Here is the scheme:

sda1 400MB Reserved
sda2 100MB EFI
sda3 ~100MB Microsoft Reserved
sda4 120GB Windows OS
sda5 50GB LVM with luks

(tried with no separate /boot, i.e. it being in /)

  bootvol 512MB
  rootvol 15GB
  swapvol 4GB
  homevol rest of it

The problem comes when the installer tries to install GRUB. When I set the bootloader installation to the default, /dev/dm-0, it says "failure to install grub".

When I install it to the EFI partition, it says GRUB won't be able to boot, bla bla, and exits midway through the installation. When I do it to /dev/sda, it says the same as for the EFI partition.

Ayan

1 Answer


Why would you want to encrypt /boot?

Just keep it unencrypted. There is nothing in this directory (partition) that you'd need to keep private in any scenario.

It's standard practice for full-disk encryption on Linux to have a fully encrypted LVM plus an unencrypted boot partition. If an attacker is in a position to tamper with the contents of /boot, they already have direct access to your computer. That means you can pretty much consider the device compromised anyway (if that's your paranoia mode). There's nothing an OS can do to help in this scenario. If that's your threat profile, you'll have to take additional (physical) steps to secure your data. If not, then just keep /boot as it is.

user534159
  • An attacker can grab hold of the drive and modify the kernel and other files; those files reside in /boot, which can then contain a keylogger, etc. People have done this and posted the method online. – hoveringfalcon Dec 16 '15 at 03:40
  • Exactly. As soon as an attacker has your device, it's compromised (as good as). You will never enter a password on it again. – user534159 Dec 16 '15 at 03:43
  • BTW, there is no difference between Linux's unencrypted /boot and the encryption methods used on other OSes. If the attacker has your device, they can trivially replace a bootloader like TrueCrypt etc. ([reference](https://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-PAPER.pdf)) – user534159 Dec 16 '15 at 03:45
  • But the bootloaders of TrueCrypt and BitLocker don't have kernels and other key files there to keylog something... right? – hoveringfalcon Dec 16 '15 at 04:04
  • http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/ – hoveringfalcon Dec 16 '15 at 04:07
  • Evil maid attackers will have it easy if your /boot is unencrypted. Now, honestly, there are other attack vectors, but that is probably the easiest one: replace the kernel with a keylogger that sends your key somewhere. – redanimalwar Jul 06 '21 at 12:43
  • Also, that "standard practice", as you call it, is just utterly stupid and outdated. GRUB has been able to unlock an encrypted LUKS1 disk for years now, and recently even LUKS2 disks. openSUSE is NOT doing it this way. You make an encrypted install; it does NOT install a stupid unencrypted /boot, it does NOT create an utterly retarded LVM setup that nobody with a laptop or desktop needs. It's good for servers, maybe. It does NOT create a stupid swap partition, which is also incredibly outdated and which nobody with a decent PC and 16 or 32 GB of RAM needs. – redanimalwar Jul 06 '21 at 12:48
  • I like Ubuntu, but the atrocious installer and outdated installation structure are so annoying. A new installer is on the way, and I have seen some hints about custom installation and free disk space that seem to make things easier. My current attempts with the Kubuntu 21.10 installer totally FAIL. I had issues in the past with LUKS, but this time it won't even work at all when manually selecting "disk for encryption". Nothing happens, and going back gives an error. So it got even worse. And it requires an unencrypted /boot for no reason. – redanimalwar Jul 06 '21 at 12:51
  • Biting my teeth out with a guide that runs the installer with `--no-bootloader` and installs it later, but I end up with an empty grub screen ... seriously annoying how a leading distro does not even have a proper installer. The only thing that works is the stupid default setup where it captures your entire disk and gives you no options at all. – redanimalwar Jul 06 '21 at 12:53
  • This was 5 years ago and NOTHING has changed. It's still a disaster. – redanimalwar Jul 06 '21 at 12:54
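The answer and the comments agree on the risk but stop short of a check: if /boot stays unencrypted, the kernel, initramfs and GRUB modules on it can be swapped for a keylogging copy by anyone who gets the drive. The script below is an added example, not code from the thread, that records a SHA-256 manifest of /boot and reports any file that changed, appeared or disappeared. It assumes GNU coreutils (sha256sum, find, sort, cmp, diff) and that the manifest is stored on the encrypted root (for example /root/boot.sha256), so an attacker who edits the unencrypted /boot cannot also patch the manifest. The `demo_tamper` function and its fake kernel files are constructed test data, not a real /boot.

```shell
#!/bin/sh
# Added example, not code from the thread above. Integrity manifest for an
# unencrypted /boot: record what it contains, then detect when the kernel,
# initramfs or GRUB files change underneath you (the "evil maid" tampering the
# comments describe).
# Assumptions: GNU coreutils are available, and the saved manifest lives on the
# encrypted root (e.g. /root/boot.sha256), outside the directory being checked.

boot_manifest() {
    # $1: directory to hash (normally /boot). Every regular file is hashed and
    # the output sorted by path so the manifest is stable across runs.
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2)
}

boot_check() {
    # $1: directory, $2: manifest saved earlier with boot_manifest.
    # Returns 0 when every file matches; otherwise prints the differing entries
    # and returns 1 (a changed file shows up twice, a new or missing file once).
    dir=$1; manifest=$2
    current=$(mktemp)
    boot_manifest "$dir" > "$current"
    if cmp -s "$manifest" "$current"; then
        rm -f "$current"
        return 0
    fi
    echo "WARNING: $dir no longer matches $manifest:"
    diff "$manifest" "$current" | grep '^[<>]'
    rm -f "$current"
    return 1
}

demo_tamper() {
    # Constructed data, not a real /boot: a fake kernel, initramfs and grub.cfg
    # in a temporary directory, a manifest saved outside it, then an "evil maid"
    # appends to the initramfs. Returns 0 if the tampering was detected.
    fake=$(mktemp -d)
    mkdir -p "$fake/grub"
    printf 'kernel image' > "$fake/vmlinuz-4.2.0-16-generic"
    printf 'initramfs'    > "$fake/initrd.img-4.2.0-16-generic"
    printf 'menuentry'    > "$fake/grub/grub.cfg"
    boot_manifest "$fake" > "$fake.sha256"

    boot_check "$fake" "$fake.sha256" || return 1   # untouched: must pass
    printf 'keylogger' >> "$fake/initrd.img-4.2.0-16-generic"
    if boot_check "$fake" "$fake.sha256"; then
        result=1                                    # missed the change
    else
        result=0                                    # detected, as intended
    fi
    rm -rf "$fake" "$fake.sha256"
    return $result
}

demo_tamper && echo "tampering with the constructed initramfs was detected"
```

Usage on a real system: `boot_manifest /boot > /root/boot.sha256` right after installing or updating a kernel, and `boot_check /boot /root/boot.sha256` from the encrypted root at every boot (a systemd unit or rc script) and after any suspicious absence. The caveat the answer hints at still applies: by the time this runs you have already typed your passphrase into whatever initramfs was on the disk, so the check detects a swap rather than preventing it. Preventing it needs the alternative the comments mention, keeping /boot inside the LUKS container with GRUB's `GRUB_ENABLE_CRYPTODISK=y` in /etc/default/grub, or a measured/Secure Boot chain that refuses to start modified files.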