Ubuntu – UEFI Booting With Encrypted /boot On Ubuntu 14.04 LTS

Tags: boot, encryption, grub2, uefi

I have managed to get FDE (Full Disk Encryption) working quite happily on an MBR/BIOS system using a DOS partition table; I only have /dev/sda1 and /dev/sda2 for the swap and root LUKS containers respectively. This works because, as of early 2014, grub2 supports encrypted /boot partitions by natively supporting dm-crypt in the part of the boot loader that gets written into the MBR. All's good.

However, with UEFI, is the grubx64.efi binary capable of handling dm-crypt/LUKS containers? I've had no joy in getting this to work. All examples I have seen have been either with /boot encrypted but using MBR/BIOS, or with /boot unencrypted with UEFI.

I know it's less of an issue with signed kernels and UEFI Secure Boot, but it still leaves the possibility open for some form of tampering (changing the initramfs, or is that signed?; replacing a grub module; etc.).

Please note that any answers have to apply to 14.04 LTS and not 16.04 etc. If grubx64.efi missed the dm-crypt party for 14.04 then that's fine, I can use MBR/BIOS. I'm just trying to find out whether this is actually possible.

Many thanks in advance,

John.
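The check a practitioner would want here, as an added example that is not part of the question or of any answer: first, whether /etc/default/grub asks for cryptodisk support at all (GRUB_ENABLE_CRYPTODISK=y is what makes grub-install pull in the cryptodisk/luks modules and what makes grub-mkconfig emit the cryptomount lines in grub.cfg); second, a heuristic test of whether a given grubx64.efi image actually carries those modules (grub-mkimage embeds each module under its name, so the names are visible in the image); and third, how to build a grubx64.efi with grub-mkimage that unlocks the LUKS container holding /boot before it reads grub.cfg. The device path /dev/sda2, the ESP mount point /boot/efi, the module directory /usr/lib/grub/x86_64-efi and the bootloader directory EFI/ubuntu are assumptions matching a default Ubuntu layout, not facts taken from the poster's system.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed layout (Ubuntu defaults):
#   /boot/efi               the mounted EFI System Partition
#   /dev/sda2               the LUKS container that holds / (and therefore /boot)
#   /usr/lib/grub/x86_64-efi  GRUB's EFI module directory (grub-efi-amd64-bin)
set -eu

# Returns 0 when the given /etc/default/grub enables cryptodisk support
# (an uncommented GRUB_ENABLE_CRYPTODISK=y), 1 otherwise.
cryptodisk_enabled() {
    grep -Eq "^[[:space:]]*GRUB_ENABLE_CRYPTODISK=[\"']?y" "$1"
}

# Heuristic: does a prelinked GRUB EFI image contain the modules needed to
# open a LUKS1 container (AES-XTS with SHA-256 is the cryptsetup default)?
# Module names are embedded as plain strings, so grep -a finds them.
# Prints the missing module names on stderr; returns 0 only if all are present.
efi_image_has_luks_support() {
    image=$1
    missing=""
    for m in cryptodisk luks gcry_rijndael gcry_sha256; do
        grep -aq "$m" "$image" || missing="$missing $m"
    done
    [ -z "$missing" ] || { echo "missing modules:$missing" >&2; return 1; }
}

# Builds a grubx64.efi whose embedded early config unlocks the LUKS container
# and then hands over to the normal grub.cfg inside it. Only run this on the
# real machine, as root; it overwrites the installed GRUB EFI image.
# The resulting image is unsigned: with Secure Boot enforcing, shim/firmware
# will refuse it unless you sign it with a key you have enrolled yourself
# (for example with sbsign and a MOK-enrolled certificate).
build_luks_aware_grub() {
    dev=${1:-/dev/sda2}          # assumed LUKS container holding /boot
    esp=${2:-/boot/efi}          # assumed ESP mount point
    moddir=/usr/lib/grub/x86_64-efi
    # GRUB 2.02's cryptomount -u expects the UUID without dashes.
    uuid=$(cryptsetup luksUUID "$dev" | tr -d -)
    early=$(mktemp)
    cat >"$early" <<EOF
cryptomount -u $uuid
set root=(crypto0)
set prefix=(crypto0)/boot/grub
configfile \$prefix/grub.cfg
EOF
    grub-mkimage -O x86_64-efi -d "$moddir" -c "$early" \
        -p '(crypto0)/boot/grub' \
        -o "$esp/EFI/ubuntu/grubx64.efi" \
        part_gpt part_msdos fat ext2 normal linux configfile search echo \
        cryptodisk luks gcry_rijndael gcry_sha256 gcry_sha512
    rm -f "$early"
    # Verify the image we just wrote with the heuristic above.
    efi_image_has_luks_support "$esp/EFI/ubuntu/grubx64.efi"
}
```

Usage: `cryptodisk_enabled /etc/default/grub` and `efi_image_has_luks_support /boot/efi/EFI/ubuntu/grubx64.efi` are safe to run anywhere; if the second reports missing modules, the installed image cannot open a LUKS /boot regardless of what grub.cfg says, and `build_luks_aware_grub` (or grub-install with GRUB_ENABLE_CRYPTODISK=y, where the installed grub-install honours it) is the way to get one that can. Note that what the added cryptomount step protects is GRUB's own reading of /boot; it does not by itself make the initramfs or grub.cfg signed, so those stay tamperable by anyone who can write to the unlocked volume.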

Best Answer

I was wondering if there is any update about the possibility of encrypting /boot alongside root, using EFI + Secure Boot.

I found https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_.28GRUB.29

But I couldn't adapt the example to Fedora 28 (I haven't tried Ubuntu 18.04 so far).