On 25/05/2018 at 20:55, Robert Dodier wrote:
I'm working with Debian 9. I gather that there is a full-disk encryption option for the standard Debian installer, which, as I understand it, does not include encrypting /boot. (The system I'm working on wasn't encrypted when it was installed, so the system would have to be reinstalled, that's OK.) The only description of encrypting /boot that I was able to find is: https://gist.github.com/ppmathis/ccfbfce86484dc61834c1f17568d7b80 I wonder if there is any simpler approach. Is it possible that, perhaps, other Linux distributions have an option for encrypting /boot? I wasn't able to find any information about that.
I have managed to use the standard Debian installer to install with encrypted /boot (either including or excluding /boot/grub) but it was far from straightforward. I had to perform some steps with the embedded shell. Also, the installer insists that /boot should not be encrypted. Jessie's installer was quite easy to trick (just put /boot on LVM on encrypted volume). But the trick did not work with Stretch's installer, so I had to create a dummy /boot.
It's OK if the answer to these questions is no, I'm just trying to sort out the feasibility of encrypting /boot.
Why do you want an encrypted /boot? It does not usually contain any sensitive information. Encrypted /boot is not tamper-proof unless extra steps are taken to protect the first stage boot such as booting from write-protected, authenticated or removable media.
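After a layout like the one described in the reply (/boot on LVM on an encrypted volume, or a dummy /boot with the real one behind the LUKS container), the first thing to verify is where /boot actually ends up. The script below is an added example, not code from the thread or from Debian: it walks lsblk's parent chain (the PKNAME column) upward from the device mounted at a given path and reports whether a dm-crypt layer sits underneath. The two lsblk listings inside it are constructed samples (device and volume-group names are invented) standing in for the output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`; on a real machine the last lines feed the live output instead. Note that this only confirms the storage layout; as the reply says, it tells you nothing about whether the first-stage boot loader has been tampered with.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the block device behind a
# mount point (here /boot) sits on a dm-crypt/LUKS layer, by walking lsblk's
# parent chain (PKNAME) upward. Input is the key="value" form produced by
#   lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME
# Exit status: 0 = a crypt layer is below the mount point, 1 = none found,
# 2 = the mount point does not appear in the listing at all.
mount_is_on_crypt() {
    printf '%s\n' "$1" | awk -v mp="$2" '
    {
        # Parse one lsblk -P line of KEY="value" pairs into f[].
        split("", f); line = $0
        while (match(line, /[A-Z_-]+="[^"]*"/)) {
            pair = substr(line, RSTART, RLENGTH)
            eq = index(pair, "=")
            f[substr(pair, 1, eq - 1)] = substr(pair, eq + 2, length(pair) - eq - 2)
            line = substr(line, RSTART + RLENGTH)
        }
        parent[f["NAME"]] = f["PKNAME"]
        type[f["NAME"]] = f["TYPE"]
        if (f["MOUNTPOINT"] == mp) start = f["NAME"]
    }
    END {
        if (start == "") exit 2
        # Follow the device stack upward until the top of the tree (empty PKNAME).
        for (d = start; d != ""; d = parent[d])
            if (type[d] == "crypt") exit 0
        exit 1
    }'
}

# Constructed lsblk -P output for the stock installer layout: /boot on a plain
# partition, root and swap as LVM inside a LUKS container on sda2.
SAMPLE_PLAIN_BOOT='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda2_crypt" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="sda2_crypt"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="sda2_crypt"'

# Constructed output for the "/boot on LVM on encrypted volume" layout.
SAMPLE_ENC_BOOT='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda1_crypt" TYPE="crypt" MOUNTPOINT="" PKNAME="sda1"
NAME="vg-boot" TYPE="lvm" MOUNTPOINT="/boot" PKNAME="sda1_crypt"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="sda1_crypt"'

describe() {  # $1 = label, $2 = lsblk -P output, $3 = mount point
    if mount_is_on_crypt "$2" "$3"; then
        echo "$1: $3 is on an encrypted device"
    else
        echo "$1: $3 is NOT on an encrypted device (or not mounted)"
    fi
}
describe "sample-plain" "$SAMPLE_PLAIN_BOOT" /boot
describe "sample-enc"   "$SAMPLE_ENC_BOOT"   /boot

# On a live Debian system, feed real lsblk output instead of the samples.
if command -v lsblk >/dev/null 2>&1; then
    describe "this-host" "$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME 2>/dev/null)" /boot
fi
```

The check deliberately follows the whole device stack rather than looking only at the immediate parent, so it gives the same answer for /boot on a LUKS partition directly, on LVM inside LUKS, or on any deeper stacking lsblk can express.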