On Tue, Dec 26, 2017 at 12:10:52PM +0100, Pascal Hambourg wrote:
Le 26/12/2017 à 11:36, tomas@tuxteam.de a écrit :
Is there any inherent advantage to having /boot encrypted?
I can imagine a few situations.
- When you can enforce the early stage of GRUB integrity by storing
it on removable or read-only boot media, checking it with trusted
computing, TPM...
You could extend this to the whole /boot directory contents instead
of encrypting it but parts of it such as the kernel image, initramfs
and grub.cfg change quite often, while GRUB itself seldom changes.
An alternative to /boot encryption is to sign its contents so that
GRUB early stage can check the files when loading them.
- When you need to store sensitive data in /boot, such as
passphrases for other encrypted volumes.
In the days you measure (small) external media in gigabytes, this
argument has lost a lot of push.