I have an ASUS machine on which I can choose between the old BIOS and the new UEFI. I've always used the old BIOS system, running a fully encrypted Debian with the following configuration:
- An unencrypted boot partition mounted at /boot
- All the rest of the space encrypted with LUKS, with all LVM logical volumes (/, swap, /home) on it.
Everything works well and with no problems. But I was wondering: if I want to make a new install from scratch (I don't want to convert stuff) using UEFI, and I have to create the FAT32 EFI partition mounted at /boot/efi, do I still need the unencrypted /boot partition, or just the EFI partition and all the rest encrypted?
In other words, which configuration would be right?
- /boot/efi
- /boot
- Encrypted LUKS volume
or
- /boot/efi
- Encrypted LUKS volume?
Best Answer
Yeah, I know it's a pretty late answer but, better late than never...
I don't know if Debian has the tools to do it, but using Arch Linux you can create a disk layout like this:
- EFI partition (/boot/efi) with the grub EFI bootloader, formatted fat32, EFI type partition EF00. Could be your /dev/sda1. This partition will only hold the grub stub, to ask the password to mount your boot partition.
- Boot partition (/boot) that is a luks crypto device. After crypto unlocking this partition, you can format it using any filesystem that grub supports to boot (ext4 for example). This will be your /dev/sda2.
- /dev/sda3.
Borrowing from the Arch Wiki, this is how your disk layout will look:
Caveats:
- /boot, initial ram disk will ask for a password AGAIN (cause for him, /boot is locked), and probably while mounting your root partition this will happen once more. The trick here is to use a master key inside your /boot (and maybe inside your initrd with the FILES= option of mkinitcpio) and add it with luksAddKey. Your boot partition is encrypted so, there is no need to be worried cause the key is inside an encrypted partition. chmod 000 keyfile.bin is your friend.
- Add encrypt lvm2 to mkinitcpio hooks.
- grub-efi package update.
Further Reading:
After some research about the need of keeping the boot partition outside lvm (as far as I know, grub-pc/bios had lvm and luks modules) I found this guy on Arch Forums confirming that there is no need to keep /boot on a spare crypto partition. You can install grub on your ESP, and also tell it to read the configuration files from the esp like this:
after that, regenerate conf:
And, it seems that grub is the only bootloader that has support to boot lvm+crypto without a separate /boot partition.
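As an added example (not part of the answer above, the Arch Wiki, or any project code), a small POSIX shell audit of the three configuration points the caveats turn on: GRUB's cryptodisk support (the real GRUB_ENABLE_CRYPTODISK option in /etc/default/grub, which the answer's missing snippet does not show), the encrypt-before-lvm2 hook order in mkinitcpio.conf, and the permissions of any keyfile listed in FILES=. It assumes Linux with GNU stat and an Arch-style mkinitcpio.conf; the config files it checks are constructed samples written to a temp directory, one weak pair and one corrected pair.

```shell
#!/bin/sh
# Added example, not from the post: audit the config files the answer's caveats
# depend on for a LUKS-encrypted /boot under GRUB EFI on Arch (mkinitcpio).
# Assumes Linux with GNU stat; the sample configs below are constructed.

# GRUB can only unlock a LUKS /boot if cryptodisk support is enabled.
check_grub_cryptodisk() {
  grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=y' "$1"
}

# Position (1-based) of hook $2 in the HOOKS=(...) line of $1, 0 if absent.
hook_index() {
  _i=0
  for _h in $(sed -n 's/^[[:space:]]*HOOKS=(\(.*\))/\1/p' "$1"); do
    _i=$((_i + 1))
    [ "$_h" = "$2" ] && { echo "$_i"; return 0; }
  done
  echo 0
}

# 'encrypt' must run before 'lvm2' (the VG lives inside the LUKS container)
# and both before 'filesystems', or the initramfs never finds root.
check_hook_order() {
  _e=$(hook_index "$1" encrypt); _l=$(hook_index "$1" lvm2)
  _f=$(hook_index "$1" filesystems)
  [ "$_e" -gt 0 ] && [ "$_l" -gt "$_e" ] && [ "$_f" -gt "$_l" ]
}

# Every keyfile embedded via FILES=(...) must not be group/world readable:
# the answer's "chmod 000 keyfile.bin is your friend".
check_keyfile_perms() {
  for _k in $(sed -n 's/^[[:space:]]*FILES=(\(.*\))/\1/p' "$1"); do
    case "$(stat -c '%a' "$_k" 2>/dev/null)" in
      0|400|600) ;;
      *) return 1 ;;
    esac
  done
}

# Constructed samples: a weak pair and a corrected pair.
SAMPLE_DIR=$(mktemp -d)
printf 'GRUB_TIMEOUT=5\n' > "$SAMPLE_DIR/grub.weak"
printf 'GRUB_TIMEOUT=5\nGRUB_ENABLE_CRYPTODISK=y\n' > "$SAMPLE_DIR/grub.ok"
printf 'HOOKS=(base udev autodetect block lvm2 encrypt filesystems)\n' \
  > "$SAMPLE_DIR/mkinitcpio.weak"
head -c 64 /dev/urandom > "$SAMPLE_DIR/keyfile.bin"
chmod 000 "$SAMPLE_DIR/keyfile.bin"
printf 'FILES=(%s)\nHOOKS=(base udev autodetect block encrypt lvm2 filesystems)\n' \
  "$SAMPLE_DIR/keyfile.bin" > "$SAMPLE_DIR/mkinitcpio.ok"
```

Point the three check functions at the real /etc/default/grub and /etc/mkinitcpio.conf to audit a live install; the weak sample shows the lvm2-before-encrypt ordering that leaves the initramfs unable to find the volume group.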