
Thread: i want to boot an encrypted kernel

  1. #1
    Join Date
    Jan 2010
    Location
    Wheeling WV USA
    Beans
    2,023
    Distro
    Xubuntu 20.04 Focal Fossa

    i want to boot an encrypted kernel

    I want to boot a kernel that is stored on disk encrypted. Such a process would need to get a key or pass-phrase to decrypt that kernel. Can GRUB2 do this for me?
    Mask wearer, Social distancer, System Administrator, Programmer, Linux advocate, Command Line user, Ham radio operator (KA9WGN/8, tech), Photographer (hobby), occasional tweetXer

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: i want to boot an encrypted kernel

    Do you mean that you want to be prompted for your passphrase before the system completes booting?

    You are able to run full-disk encryption via LUKS on Ubuntu, but as far as I am aware, you still need to have /boot on an unencrypted disk (I use a thumb drive).

    See here:
    https://help.ubuntu.com/community/Fu...ion_Howto_2019
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Jan 2010
    Location
    Wheeling WV USA
    Beans
    2,023
    Distro
    Xubuntu 20.04 Focal Fossa

    Re: i want to boot an encrypted kernel

    Yes. By whatever mechanism. I'm exploring kexec as a possibility.

  4. #4
    Join Date
    Apr 2017
    Beans
    54

    Re: i want to boot an encrypted kernel

    Quote Originally Posted by CharlesA View Post
    I did this, by following these instructions, which are the best I have ever seen for an Ubuntu tutorial. The question I have now is why this is not in the default install, that is, why are /boot, the kernel, and the initramfs not encrypted in the default encryption option during install?

  5. #5
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: i want to boot an encrypted kernel

    Quote Originally Posted by lordgallen View Post
    I did this, by following these instructions, which are the best I have ever seen for an Ubuntu tutorial. The question I have now is why this is not in the default install, that is, why are /boot, the kernel, and the initramfs not encrypted in the default encryption option during install?
    I'd bet it isn't the default due to future upgrade issues and the use isn't enough that Canonical thinks putting a paid developer on to solve those upgrade issues for every flavor and release and for dual boot would make financial sense. But I really don't know. Those are just guesses.

  6. #6
    Join Date
    Apr 2011
    Location
    Mystletainn Kick!
    Beans
    13,616
    Distro
    Ubuntu

    Re: i want to boot an encrypted kernel

    Quote Originally Posted by lordgallen View Post
    I did this, by following these instructions, which are the best I have ever seen for an Ubuntu tutorial. The question I have now is why this is not in the default install, that is, why are /boot, the kernel, and the initramfs not encrypted in the default encryption option during install?
    Some discussion on it in this bug report.
    https://bugs.launchpad.net/ubuntu/+s...y/+bug/1773457
    Splat Double Splat Triple Splat
    Earn Your Keep
    Don't mind me, I'm only passing through.
    Once in a blue moon, I'm actually helpful

  7. #7
    Join Date
    Apr 2017
    Beans
    54

    Re: i want to boot an encrypted kernel

    With the above instructions, does grub end up encrypted?
    Last edited by lordgallen; April 27th, 2021 at 03:50 PM.

  8. #8
    Join Date
    Jan 2010
    Location
    Wheeling WV USA
    Beans
    2,023
    Distro
    Xubuntu 20.04 Focal Fossa

    Re: i want to boot an encrypted kernel

    Quote Originally Posted by lordgallen View Post
    With the above instructions, does grub end up encrypted?
    No, as far as I can tell. So that means there are some sectors on disk that are not encrypted. So it would not be a full-disk encryption but, instead, would be a logical volume encryption (not sure how this could be expanded very easily while it is in an encrypted state). In my case, it is the 2nd and/or 3rd disk I want to encrypt. I prefer not to have LVM. I just want to allocate all the space and be done with it. Unless LUKS depends on LVM, I see no reason to use LVM. So true full-disk encryption seems right for me. That would mean the partition table and/or LVM data would be encrypted.

    I'm thinking that the best encryption needs to be in hardware or immutable BIOS. That could get around a lot of software issues like the evil maid substituting an evil bootloader. OTOH, substituted hardware is the next issue. How far do we need to go? Do we need to protect against the evil workers of an evil government's evil agency and their clever children?

    My latest thought is to hide the encryption and have it behave as a normal laptop ... at least one with Ubuntu on it. No pass-phrase prompt.

  9. #9
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: i want to boot an encrypted kernel

    LVM isn't required for LUKS, but it is so much more convenient if any changes are needed .... plus snapshots are great for getting clean backups.

    If you want a tiny install of some Linux on the side of your encrypted Ubuntu ... check out the ChromiumOS versions. They are like chromebooks, have a guest account, so you can show border agents a working system and fit into 16G of storage last time I checked. Like ChromeOS, ChromiumOS is mounted read-only when in use. Updates go to ROOT-B or ROOT-A partitions, depending on which is not currently in use. At least that's how I think it works. Plus it is very fast for a quick web browser need.

    The solution to the evil maid attack will always be to boot from USB storage that never leaves your person when traveling.

    I believe there are hardware encrypted HDDs that are tied to the TPM or TPM2 chip inside your computer. This assumes anyone who cares about this level of security would go to the effort to ensure their hardware has a TPM2 chip. I found a number of blog articles with details, but not any known-reputable site (to me) with a how-to.

  10. #10
    Join Date
    Apr 2017
    Beans
    54

    Re: i want to boot an encrypted kernel

    Quote Originally Posted by Skaperen View Post
    No, as far as I can tell. So that means there are some sectors on disk that are not encrypted. So it would not be a full-disk encryption but, instead, would be a logical volume encryption (not sure how this could be expanded very easily while it is in an encrypted state). In my case, it is the 2nd and/or 3rd disk I want to encrypt. I prefer not to have LVM. I just want to allocate all the space and be done with it. Unless LUKS depends on LVM, I see no reason to use LVM. So true full-disk encryption seems right for me. That would mean the partition table and/or LVM data would be encrypted.

    I'm thinking that the best encryption needs to be in hardware or immutable BIOS. That could get around a lot of software issues like the evil maid substituting an evil bootloader. OTOH, substituted hardware is the next issue. How far do we need to go? Do we need to protect against the evil workers of an evil government's evil agency and their clever children?

    My latest thought is to hide the encryption and have it behave as a normal laptop ... at least one with Ubuntu on it. No pass-phrase prompt.
    This encryption scheme is much better than the default provided by Ubuntu. I try to maintain physical security of my devices. It's the only way to assure an evil maid attack does not occur.
