Linux – Boot Loaders Supporting Full Disk Encryption

Tags: encryption, linux

Are there any Linux boot loaders supporting full disk encryption (a la TrueCrypt)? I know there was work towards adding encryption support to GRUB2, but this does not seem to be ready yet. Any other options?

(Note that I am really referring to full disk encryption here—including /boot)

Most of the answers describe a setup where /boot is not encrypted, and some of them try to explain why an unencrypted /boot should be OK.

Without getting into a discussion on why I actually need /boot to be encrypted, here is an article that describes exactly what I need, based on a modified version of GRUB2:

The problem with this is that these modifications apparently are not supported in the current GRUB2 codebase (or maybe I am overlooking something).

Best Answer

I think the current version of GRUB2 does not have support for loading and decrypting LUKS partitions by itself (it contains some ciphers but I think they are used only for its password support). I cannot check the experimental development branch, but there are some hints in the GRUB page that some work is planned to implement what you want to do.

Update (2015): the latest version of GRUB2 (2.00) already includes code to access LUKS and GELI encrypted partitions. (The xercestch.com link the OP provided mentions the first patches for that, but they are now integrated in the latest release.)

However, if you are trying to encrypt the whole disk for security reasons, please note that an unencrypted boot loader (like TrueCrypt, BitLocker or a modified GRUB) offers no more protection than an unencrypted /boot partition (as noted by JV in a comment above). Anybody with physical access to the computer can just as easily replace it with a custom version. That is even mentioned in the article at xercestech.com you linked:

To be clear, this does not in any way make your system less vulnerable to offline attack, if an attacker were to replace your bootloader with their own, or redirect the boot process to boot their own code, your system can still be compromised.

Note that all software-based products for full disk encryption have this weakness, no matter if they use an unencrypted boot loader or an unencrypted boot/preboot partition. Even products with support for TPM (Trusted Platform Module) chips, like BitLocker, can be rooted without modifying the hardware.

A better approach would be to:

  1. decrypt at the BIOS level (in motherboard or disk adapter or external hardware [smartcard], with or without a TPM chip), or
  2. carry the PBA (preboot authorization) code (the /boot partition in this case) on a removable device (like a smartcard or a USB stick).

To do it the second way, you can check the Linux Full Disk Encryption (LFDE) project at: http://lfde.org/ which provides a post-install script to move the /boot partition to an external USB drive, encrypting the key with GPG and storing it on the USB too. In that way, the weaker part of the boot pathway (the non-encrypted /boot partition) is always with you (you will be the only one with physical access to the decrypting code AND the key). (Note: this site has been lost and the author's blog also disappeared; however, you can find the old files at https://github.com/mv-code/lfde, just note that the last development was done 6 years ago.) As a lighter alternative, you can install the unencrypted boot partition on a USB stick while installing your OS.

Regards, MV
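Whichever layout you end up with, it is worth verifying afterwards that /boot really lives on top of a dm-crypt mapping rather than on a plain partition. The following check is an added example, not part of the answer above or of the LFDE project: it walks the JSON tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports whether the device holding /boot (or /, when /boot is only a directory) has a `crypt` device anywhere in its parent chain. The two `SAMPLE_*` trees are constructed inputs for offline use.

```python
"""Report whether the /boot filesystem sits on a dm-crypt (LUKS) mapping,
based on the JSON tree from `lsblk -J -o NAME,TYPE,MOUNTPOINT`.
Call check_live() on a real machine; the SAMPLE_* strings are constructed."""
import json
import subprocess


def _walk(nodes, chain):
    """Yield (node, types) for every device, where `types` lists the TYPE of
    each ancestor followed by the node's own TYPE (e.g. disk, part, crypt)."""
    for node in nodes:
        types = chain + [node["type"]]
        yield node, types
        yield from _walk(node.get("children", []), types)


def boot_is_encrypted(lsblk_json: str) -> bool:
    """True if the device mounted at /boot (or at / when /boot is not a
    separate mount) is itself a crypt mapping or stacked on one."""
    devices = list(_walk(json.loads(lsblk_json)["blockdevices"], []))
    for target in ("/boot", "/"):           # prefer a dedicated /boot mount
        for node, types in devices:
            if node.get("mountpoint") == target:
                return "crypt" in types
    raise ValueError("lsblk output contains neither / nor /boot")


def check_live() -> bool:
    """Run lsblk on this host and evaluate its real block-device tree."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return boot_is_encrypted(out)


# Constructed: classic layout, plain /boot partition beside a LUKS root.
SAMPLE_PLAIN_BOOT = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]}]}]})

# Constructed: GRUB cryptodisk layout, LUKS under an LVM holding / and /boot.
SAMPLE_ENCRYPTED_BOOT = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptlvm", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-boot", "type": "lvm", "mountpoint": "/boot"}]}]}]}]})

if __name__ == "__main__":
    print("sample plain /boot encrypted:", boot_is_encrypted(SAMPLE_PLAIN_BOOT))
    print("sample cryptodisk /boot encrypted:", boot_is_encrypted(SAMPLE_ENCRYPTED_BOOT))
```

A False result on a live system means the /boot partition is the replaceable, unencrypted piece the answer warns about, even if the root filesystem is on LUKS.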
