Re: Possible for full-disk encryption to encrypt /boot as well?
On Sat 26 May 2018 at 16:51:56 (+0000), Curt wrote:
> On 2018-05-26, Robert Dodier <robert.dodier@gmail.com> wrote:
> > On Sat, May 26, 2018 at 1:16 AM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> >
> >> I don't know how Symantec's "full" disk encryption works, but AFAIK a boot
> >> disk cannot be fully encrypted,
> >
> > Yes, this is an important question -- what, exactly, is provided by
> > Symantec here, so that I can look for something to do the same for
> > Linux. But not surprisingly I haven't been able to find a careful
> > description -- so far all I have found is some marketing material. I
> > will keep looking.
>
> They seem to be saying the boot loader is decrypted prior to the point
> at which it begins execution (a "pre-boot environment" is installed that
> prompts the user for pass phrase, etc.)
>
> https://www.symantec.com/content/en/us/enterprise/white_papers/b-pgp_how_wholedisk_encryption_works_WP_21158817.en-us.pdf
which says:
"A boot sequence executes during the startup process of Microsoft®
Windows, Apple Mac OS X, or Linux® operating systems. The boot
system is the initial set of operations that the computer performs
when it is switched on. A boot loader (or a bootstrap loader) is a
short computer program that loads the main operating system for the
computer. The boot loader first looks at a boot record or partition
table, which is the logical area “zero” (or starting point) of the
disk drive.
Whole disk encryption modifies the zero point area of the drive.
A computer protected with Whole Disk Encryption presents a modified
“pre-boot” environment (Figure 1) to the user."
To me, that implies that what they call the "boot[strap] loader" is
the unencrypted firmware, and that the "logical area “zero” (or
starting point)" is the MBR. It says that the MBR has been "modified",
but I don't see where it says that the boot loader has been, nor how
any of the early code can have been *encrypted* until enough has been
executed to read and act upon a passphrase.
Cheers,
David.
Reply to: