Full disk encryption, including /boot: Unlocking LUKS devices from GRUB

1 Introduction

So called “full disk encryption” is often a misnomer, because there is typically a separate plaintext partition holding /boot. For instance the Debian Installer does this in its “encrypted LVM” partitioning method.

Since not all bootloaders are able to unlock LUKS devices, a plaintext /boot is the only solution that works for all of them. However, GRUB2 is (since Jessie) able to unlock LUKS devices with its cryptomount command, which therefore enables encryption of the /boot partition as well: using that feature reduces the amount of plaintext data written to disk. It is especially interesting when GRUB is installed to read-only media, for instance as a coreboot payload flashed to a write-protected chip. On the other hand, it is incompatible with some other features that are only enabled later, at the initramfs stage, such as splash screens or remote unlocking.

Since enabling unlocking LUKS devices from GRUB isn’t exposed in the d-i interface (as of Buster), people have come up with various custom workarounds. But as of Buster cryptsetup(8) defaults to a new LUKS header format version, which isn’t supported by GRUB as of 2.04. Hence the pre-Buster workarounds won’t work anymore.

Until LUKS version 2 support is added to GRUB2, the device(s) holding /boot need to be in LUKS format version 1 to be unlocked from the boot loader. This document describes a generic way to unlock LUKS devices from GRUB for Debian Buster.

- Either format an existing /boot partition to LUKS1, or

The root device(s) need to use LUKS version 1, but existing LUKS2 devices can be converted (in-place) to LUKS1.

These two alternatives are described in the two following sub-sections.

Note: The partition layout of your system may differ. We assume the system resides on a single drive /dev/sda, partitioned with d-i’s “encrypted LVM” scheme:

    lsblk -o NAME,FSTYPE,MOUNTPOINT /dev/sda

2.1 Formatting the existing /boot partition to LUKS1

Since the installer creates a separate (plaintext) /boot partition by default in its “encrypted LVM” partitioning method, the simplest solution is arguably to re-format it as LUKS1, especially if the root device is in LUKS2 format. That way other partitions, including the one holding the root file system, can remain in LUKS2 format and benefit from the stronger security guarantees and convenience features of the newer version: a more secure (memory-hard) key derivation function, a backup header, the ability to offload the volume key to the kernel keyring (thus preventing access from userspace), custom sector size, persistent flags, unattended unlocking via kernel keyring tokens, etc.

Furthermore, every command in this sub-section can be run from the main system: no need to reboot into a live CD or an initramfs shell.

Before copying the content of the /boot directory, remount it read-only to make sure data is not modified while it’s being copied.
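The whole procedure hinges on the header version of the device GRUB has to unlock, so a check worth running before (and after) re-formatting is to read the LUKS header version of /boot and of the root device. The helper below is an added example, not code from the Debian document: it reads the on-disk header directly (6-byte magic `LUKS\xba\xbe` followed by a big-endian 16-bit version, 1 for LUKS1 and 2 for LUKS2), which is the same value `cryptsetup luksDump` prints on its `Version:` line; the sample header files are constructed inline so it runs offline, and `/dev/sda1` as the /boot partition is an assumption from the layout above.

```shell
#!/bin/sh
# Added example (not part of the Debian document). Reports the LUKS header
# version of a block device or header image so you can confirm that /boot is
# LUKS1 before relying on GRUB 2.04's cryptomount, and that a LUKS2 root
# device was really converted. Reading the raw header needs read access to
# the device (root for /dev/sda1); on a live system prefer:
#   cryptsetup luksDump /dev/sda1 | grep '^Version:'

luks_version() {
    # $1: device or file. Prints 1 or 2; prints "none" and fails if not LUKS.
    lv_dev=$1
    lv_magic=$(dd if="$lv_dev" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    # "LUKS" 0xba 0xbe is the magic shared by the LUKS1 and LUKS2 primary header
    [ "$lv_magic" = "4c554b53babe" ] || { echo none; return 1; }
    # bytes 6-7: version as big-endian uint16
    lv_ver=$(dd if="$lv_dev" bs=1 skip=6 count=2 2>/dev/null | od -An -tu1 | tr -s ' ')
    set -- $lv_ver
    echo $(( $1 * 256 + $2 ))
}

grub_can_unlock() {
    # GRUB 2.04 only unlocks LUKS1 headers; anything else fails the check.
    gc_v=$(luks_version "$1") || return 1
    [ "$gc_v" = 1 ]
}

# Constructed sample headers (first 8 bytes only) for an offline demonstration.
LUKS1_SAMPLE=$(mktemp); LUKS2_SAMPLE=$(mktemp); PLAIN_SAMPLE=$(mktemp)
printf 'LUKS\272\276\000\001' > "$LUKS1_SAMPLE"   # LUKS1: version 0x0001
printf 'LUKS\272\276\000\002' > "$LUKS2_SAMPLE"   # LUKS2: version 0x0002
printf 'not a LUKS header'    > "$PLAIN_SAMPLE"   # plaintext partition

for dev in "$LUKS1_SAMPLE" "$LUKS2_SAMPLE" "$PLAIN_SAMPLE"; do
    if grub_can_unlock "$dev"; then
        echo "$dev: LUKS$(luks_version "$dev"), GRUB cryptomount can unlock it"
    else
        echo "$dev: header version $(luks_version "$dev"), NOT usable for /boot with GRUB 2.04"
    fi
done
```

Pointing the same function at `/dev/sda1` (as root) gives the real answer for the /boot partition from the assumed layout.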