Thread: How to Encrypt /boot

  1. #1
    Join Date
    Oct 2010
    Posts
    56

    How to Encrypt /boot

    I work in a secure environment with a group of Windows lovers. For the past several years I have always encrypted my /home partition using dm_crypt and felt that was sufficient. They now use Check Point FDE, which is Windows-based, to encrypt their disks. In short, FDE boots from the MBR, loads itself in a PBR and asks for a password. According to their certification, each partition is encrypted. I have checked the machines and all of that seems basically accurate. I am getting a hard time from the guys here because the /boot partition has to be encrypted. I may be forced to not be able to use Linux as my primary operating system. Is there a way to copy what FDE does? I am thinking that if GRUB could be locked so that it asks for a password that is used to decrypt the /boot partition, I would be fine. Another thought is something done in the initrd, basically where you are prompted for a password before any partition is actually accessed, and the password is used to decrypt those passwords. I believe the initrd is in the boot partition, so I don't believe that one is an option, only an idea I am throwing out for thought. I have looked at GRUB2, but did not see anything there jumping out as a solution. Any ideas?

  2. #2
    Join Date
    Nov 2009
    Posts
    1,416

    Re: Encrypting /boot

    The TSA Responder in me reminds me of the Evil Maid attack, which could defeat their full disk encryption if they have not locked out other boot methods. But if your BIOS locks out alternate boot methods, obviously by setting a BIOS password, and you set GRUB to boot from the HDD only, with a password, it is similar to the PBA of products like secure Guard simple. You could move /boot to a USB drive while still booting from the hard drive: GRUB would be on the hard drive and look to the USB for the kernel and initrd. Format a partition on the USB with ext2 or ext3. Another option for dual-factor authentication is PAM_USB or Pam_Bluetooth.

  3. #3
    Join Date
    Nov 2010
    Posts
    30

    Re: Encrypting /boot

    I have not tried this, as I don't use full disk encryption; instead I use eCryptfs. Unfortunately, the wiki and source code appear to be down currently. But I see some problems:
    1. Lose the USB key and you are locked out.
    2. Somebody could copy the USB key and obtain the random unlock passphrase.

    Again, if your boss is open to reason, keep in mind this technical information:
    • The encrypted Windows MBR and initial program loader are not encrypted, nor can they be.
    • The /boot partition on Linux does not hold any data, critical apps, cookies, browser history and so on.
    • /boot can be minimal in size, well below today's flash drive capacity.

  4. #4
    Join Date
    Nov 2009
    Posts
    1,269

    Re: Encrypting /boot

    I was never excited about requiring a USB to boot, because it is the only copy of your security key. Leave that at home, and even if you leave your machine up every night, one power outage and you are in for an annoyance. And then there is always the loss or damage of that key. I am guessing what they mean is that if any hacker wanted to, he could just disassemble and find the decryption routine and simply modify the loader to look normal but have a keylogger. I agree with your assessment; the problem is somebody dropping in a kernel with a keylogger. I still see the same threats with Check Point, but at least on their side they can say every partition is encrypted.
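
The concern raised in this thread, a kernel or initrd on the unencrypted /boot being replaced while the machine is unattended, can be detected after the fact by comparing /boot against a hash manifest kept on the encrypted root. This is an added example, not part of any post in the thread; `boot_manifest`, `boot_verify` and the sample files are hypothetical names and constructed data.

```shell
#!/bin/sh
# Added example: detect offline changes to an unencrypted /boot.
# boot_manifest and boot_verify are hypothetical helper names.

# Print "sha256  ./relative/path" for every regular file under DIR, sorted.
boot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Compare DIR against a saved manifest. Returns 0 when identical,
# 1 when a file was changed, added or removed (the differences are printed).
boot_verify() {
    dir=$1 manifest=$2
    current=$(mktemp) || return 2
    boot_manifest "$dir" > "$current"
    if diff "$manifest" "$current"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$current"
    return "$rc"
}

# Demonstration on a constructed directory standing in for /boot.
demo() {
    d=$(mktemp -d) m=$(mktemp)
    mkdir -p "$d/grub"
    printf 'constructed kernel image\n' > "$d/vmlinuz"
    printf 'constructed initrd\n' > "$d/initrd.img"
    printf 'set timeout=5\n' > "$d/grub/grub.cfg"
    boot_manifest "$d" > "$m"      # in practice: store on the encrypted root
    boot_verify "$d" "$m" && echo "clean: OK"
    printf 'modified\n' >> "$d/initrd.img"
    boot_verify "$d" "$m" > /dev/null || echo "tampered initrd: detected"
    rm -rf "$d" "$m"
}

demo
```

The check runs only once the system is up, so it reports a replaced kernel or initrd rather than preventing its first use.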

  5. #5
    Join Date
    Nov 2008
    Posts
    1,185

    Re: Encrypting /boot

    Give /boot and directories like /boot/grub 0600 permissions, and its files 0500 permissions. Then you would need to be root already to make any changes to the kernel. If the overall system is that insecure, what makes someone think they could not end-run encryption of the boot partition if they already have root? You won't be able to upgrade kernels without first changing the permissions, so automatic updates are out. When a new kernel is released, you will need to reset /boot to read/write, run the update, then switch the permissions back.
