Hello, autosend@riseup.net <autosend@riseup.net> (2018-12-17): > I have managed to find a way to trick the Debian installer into > encrypting the /boot partition, so that only the MBR GRUB portion of > the hard drive is unencrypted. > > This means the password must be input twice at boot, but on the plus > side, the Linux kernel lives in /boot, so the system is better > protected. > > Are you interested in how I did this? I have a full step-by-step guide > which I have tried to minimize as much as possible. I was hoping it > could be engineered into a guided installation option. > > Note: it only involved one reboot back into the installer environment. > > Also, I did it with GPT, which is also something that D-I should > support, especially when it comes to encrypted disks (GPT stores a > couple backups of the partition table). This seems like something that we should support at some point, AFAICT grub's cryptodisk support has been around for quite a while, but I've never managed to dive into it. A step by step guide would certainly be helpful to others, and might be a basis for d-i contributors to get involved in implementing this. Thanks for your proposal. Cheers, -- Cyril Brulebois (kibi@debian.org) <https://debamax.com/> D-I release manager -- Release team member -- Freelance Consultant
Attachment:
signature.asc
Description: PGP signature