Debian – Encrypt boot file system


I just tried to set up Debian in a VM (just testing, before installing it on a real system).

I have set up 4 drives in total: 2 drives that simulate pen drives, on which I want to install the boot loader and boot file system later, and another 2 drives. Every drive is configured as encrypted RAID1 (md0_crypt and md1_crypt). However, I can't put the boot file system on my md0_crypt, because I get the warning that one cannot store the /boot FS on an encrypted partition, because it needs to load the kernel and initrd.

So, am I correct that I cannot encrypt my /boot FS? Is the boot FS only for the boot loader (GRUB), or is there anything else on it? I would like to have the scenario where, if I unplug my pen drive, the system can't be started anymore, since the /boot FS is installed on the pen drive.

Best Answer

As the message describes, you can't put /boot in an encryption container. To unlock the encryption container you need access to some utilities. If these utilities are inside the encryption container, you are in a deadlock situation.

As a work-around, use a small unencrypted third RAID container holding only the /boot file system.

From the security perspective this isn't a big loss. /boot should only contain technical data. There is a small caveat: if you use a password for GRUB, it should be different from the passphrase for the encryption container.
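The layout the answer recommends can be verified after installation by reading the block device tree and checking which layers sit below each mount point. The script below is an added example, not code from the question or the answer: it parses output in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT` (the two JSON samples are hand-written to mirror the layouts discussed here, not captured from a real system), reports whether a dm-crypt layer sits under /boot or under /, and lists the physical disks /boot lives on, so you can confirm that only the pen drives carry it. The function and sample names are the example's own.

```python
import json
from typing import Dict, Iterator, List, Set, Tuple

# One layer of a block device stack: (device name, lsblk TYPE such as disk/part/raid1/crypt).
Layer = Tuple[str, str]
Stack = List[Layer]  # from the physical disk down to the device carrying the filesystem

# Constructed sample (not real lsblk output) of the recommended layout: two pen drives
# (sda, sdb) carry an unencrypted RAID1 md2 for /boot and an encrypted RAID1
# md0 -> md0_crypt for /. RAID members make md2 and md0 appear once per disk.
SAMPLE_GOOD = r'''
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": null, "children": [
      {"name": "md2", "type": "raid1", "mountpoint": "/boot"}]},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "md0", "type": "raid1", "mountpoint": null, "children": [
        {"name": "md0_crypt", "type": "crypt", "mountpoint": "/"}]}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": null, "children": [
      {"name": "md2", "type": "raid1", "mountpoint": "/boot"}]},
    {"name": "sdb2", "type": "part", "mountpoint": null, "children": [
      {"name": "md0", "type": "raid1", "mountpoint": null, "children": [
        {"name": "md0_crypt", "type": "crypt", "mountpoint": "/"}]}]}]}
]}
'''

# Constructed sample of the layout the installer rejects: /boot inside md0_crypt.
SAMPLE_BAD = r'''
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "md0", "type": "raid1", "mountpoint": null, "children": [
      {"name": "md0_crypt", "type": "crypt", "mountpoint": "/boot"}]}]},
  {"name": "sdc", "type": "disk", "mountpoint": null, "children": [
    {"name": "md1", "type": "raid1", "mountpoint": null, "children": [
      {"name": "md1_crypt", "type": "crypt", "mountpoint": "/"}]}]}
]}
'''


def _walk(node: dict, above: Stack) -> Iterator[Tuple[str, Stack]]:
    """Yield (mountpoint, stack) for every mounted device at or below `node`."""
    stack = above + [(node["name"], node["type"])]
    # Older lsblk emits "mountpoint" (string or null); newer releases emit a "mountpoints" list.
    mountpoints = node.get("mountpoints") or [node.get("mountpoint")]
    for mp in mountpoints:
        if mp:
            yield mp, stack
    for child in node.get("children", []):
        yield from _walk(child, stack)


def mount_stacks(lsblk_json: str) -> Dict[str, List[Stack]]:
    """Map each mountpoint to every disk-to-device path reaching it (one per RAID member)."""
    stacks: Dict[str, List[Stack]] = {}
    for disk in json.loads(lsblk_json)["blockdevices"]:
        for mp, stack in _walk(disk, []):
            stacks.setdefault(mp, []).append(stack)
    return stacks


def is_encrypted(stacks: List[Stack]) -> bool:
    """True when a dm-crypt layer sits anywhere between the disk and the filesystem."""
    return any(kind == "crypt" for stack in stacks for _, kind in stack)


def backing_disks(stacks: List[Stack]) -> Set[str]:
    """Physical disks a filesystem ultimately lives on (first layer of each path)."""
    return {stack[0][0] for stack in stacks}


def audit(lsblk_json: str) -> List[str]:
    """Return the layout problems discussed on the page; an empty list means the layout is fine."""
    by_mount = mount_stacks(lsblk_json)
    problems: List[str] = []
    # Without a separate /boot, the kernel and initrd live on the root filesystem.
    boot = by_mount.get("/boot") or by_mount.get("/", [])
    if is_encrypted(boot):
        problems.append("/boot is inside an encryption container: GRUB cannot read the "
                        "kernel and initrd it needs before the container can be unlocked")
    if not is_encrypted(by_mount.get("/", [])):
        problems.append("/ is not encrypted")
    return problems


if __name__ == "__main__":
    for label, sample in (("recommended", SAMPLE_GOOD), ("rejected", SAMPLE_BAD)):
        print(label, "layout:", audit(sample) or "no problems found")
    print("/boot lives on disks:", sorted(backing_disks(mount_stacks(SAMPLE_GOOD)["/boot"])))
```

On a real system, feed it `lsblk -J -o NAME,TYPE,MOUNTPOINT` instead of the constructed samples; if the disks reported for /boot are exactly the pen drives and `audit` returns nothing, the machine depends on those drives to boot, which is the behaviour the question asks for.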
