Re: GRUB and boot partition

To: debian-user@lists.debian.org
Subject: Re: GRUB and boot partition
From: Pascal Hambourg <pascal@plouf.fr.eu.org>
Date: Tue, 26 Dec 2017 12:10:52 +0100
Message-id: <[🔎] 280a84d7-c7a6-201a-c5fe-c815dc637804@plouf.fr.eu.org>
In-reply-to: <[🔎] 20171226103613.GA7637@tuxteam.de>
References: <[🔎] MWHPR02MB246334A255DD8C77ADA51B52D4060@MWHPR02MB2463.namprd02.prod.outlook.com> <[🔎] 61013da8-51e8-ca3d-66c3-84dae9948a88@plouf.fr.eu.org> <[🔎] 20171226103613.GA7637@tuxteam.de>

Le 26/12/2017 à 11:36, tomas@tuxteam.de a écrit :


On Tue, Dec 26, 2017 at 10:42:46AM +0100, Pascal Hambourg wrote:

Note however that in any case, the early part of GRUB cannot be
encrypted [...]


Is there any inherent advantage to having /boot encrypted?


I can imagine a few situations.

- When you can enforce the early stage of GRUB integrity by storing iton removable or read-only boot media, checking it with trustedcomputing, TPM...You could extend this to the whole /boot directory contents instead ofencrypting it but parts of it such as the kernel image, initramfs andgrub.cfg change quite often, while GRUB itself seldom changes. Analternative to /boot encryption is to sign its contents so that GRUBearly stage can check the files when loading them.

- When you need to store sensitive data in /boot, such as passphrasesfor other encrypted volumes.

Reply to:

Follow-Ups:
- Re: GRUB and boot partition
  - From: <tomas@tuxteam.de>

References:
- GRUB and boot partition
  - From: microsoft gaofei <wangziheng@outlook.com>
- Re: GRUB and boot partition
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: GRUB and boot partition
  - From: <tomas@tuxteam.de>

Prev by Date: Re: Mixing and Matching DHCP and static IPs
Next by Date: Re: GRUB and boot partition
Previous by thread: Re: GRUB and boot partition
Next by thread: Re: GRUB and boot partition
Index(es):
- Date
- Thread