Re: Possible for full-disk encryption to encrypt /boot as well?

[Pascal Hambourg <pascal@plouf.fr.eu.org>]

Le 26/05/2018 à 02:33, Robert Dodier a écrit :
> On Fri, May 25, 2018 at 12:44 PM, Pascal Hambourg
> <pascal@plouf.fr.eu.org> wrote:
>
> > Why do you want an encrypted /boot ? It does not usually contain any
> > sensitive information. Encrypted /boot is not tamper-proof unless extra
> > steps are taken to protect the first stage boot such as booting from
> > write-protected, authenticated or removable media.
>
> Thanks for your reply. I am working for an organization which requires
> computers to be full disk encrypted. They support Windows, but if I
> want to run Linux, I'm on my own. So to be precise I need something
> which is strictly comparable to whatever is provided by Symantec full
> disk encryption for Windows. If I can achieve that, I'll be in
> business.

I don't know how Symantec's "full" disk encryption works, but AFAIK a 
boot disk cannot be fully encrypted, unless the platform firmware can 
handle the encryption format. IIUC Coreboot or Libreboot may do it. 
Otherwise the bootstrap code must not be encrypted so that the platform 
firmware can load and run it. Even if /boot is encrypted, the first 
stage of the boot loader (GRUB boot image and core image if using 
BIOS/legacy boot, the EFI partition if using EFI boot) cannot not be 
encrypted.