Re: Possible for full-disk encryption to encrypt /boot as well?

To: debian-user@lists.debian.org
Subject: Re: Possible for full-disk encryption to encrypt /boot as well?
From: David Wright <deblis@lionunicorn.co.uk>
Date: Sat, 26 May 2018 14:02:28 -0500
Message-id: <[🔎] 20180526190228.GB13043@alum>
Reply-to: debian-user@lists.debian.org
In-reply-to: <[🔎] slrnpgj49g.5v6.curty@einstein.electron.org>
References: <[🔎] CAAsY_sT=g9V7P+3hf-6xRq1T1peZGOA=xap55f-+7cPnzfVSqA@mail.gmail.com> <[🔎] 577ef4f8-e2dc-0515-f4f9-eb79e1d1b936@plouf.fr.eu.org> <[🔎] CAAsY_sQ63mpt=i_9Cj0e_N8xMUjY-FSe7KbLynruesj+Mf0Mkg@mail.gmail.com> <[🔎] d5fc6695-b3ad-6a85-a308-30eaa4697eec@plouf.fr.eu.org> <[🔎] CAAsY_sT40nm0KrPhMg=fM+EZ2Rm7MWiNcB6j0CAObdQRvZzNwg@mail.gmail.com> <[🔎] slrnpgj49g.5v6.curty@einstein.electron.org>

On Sat 26 May 2018 at 16:51:56 (+0000), Curt wrote:
> On 2018-05-26, Robert Dodier <robert.dodier@gmail.com> wrote:
> > On Sat, May 26, 2018 at 1:16 AM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> >
> >> I don't know how Symantec's "full" disk encryption works, but AFAIK a boot
> >> disk cannot be fully encrypted,
> >
> > Yes, this is an important question -- what, exactly, is provided by
> > Symantec here, so that I can look for something to do the same for
> > Linux. But not surprisingly I haven't been able to find a careful
> > description -- so far all I have found is some marketing material. I
> > will keep looking.
> 
> They seem to be saying the boot loader is decrypted prior to the point
> at which it begins execution (a "pre-boot environment" is installed that
> prompts the user for pass phrase, etc.)
> 
>  https://www.symantec.com/content/en/us/enterprise/white_papers/b-pgp_how_wholedisk_encryption_works_WP_21158817.en-us.pdf

which says:

  "A boot sequence executes during the startup process of Microsoft®
  Windows, Apple Mac OS X, or Linux® operating systems. The boot
  system is the initial set of operations that the computer performs
  when it is switched on. A boot loader (or a bootstrap loader) is a
  short computer program that loads the main operating system for the
  computer. The boot loader first looks at a boot record or partition
  table, which is the logical area “zero” (or starting point) of the
  disk drive.

  Whole disk encryption modifies the zero point area of the drive.
  A computer protected with Whole Disk Encryption presents a modified
  “pre-boot” environment (Figure 1) to the user."

To me, that implies that what they call the "boot[strap] loader" is
the unencrypted firmware, and that the "logical area “zero” (or
starting point)" is the MBR. It says that the MBR has been "modified",
but I don't see where it says that the boot loader has been, nor how
any of the early code can have been *encrypted* until enough has been
executed to read and act upon a passphrase.

Cheers,
David.

Reply to:

References:
- Possible for full-disk encryption to encrypt /boot as well?
  - From: Robert Dodier <robert.dodier@gmail.com>
- Re: Possible for full-disk encryption to encrypt /boot as well?
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: Possible for full-disk encryption to encrypt /boot as well?
  - From: Robert Dodier <robert.dodier@gmail.com>
- Re: Possible for full-disk encryption to encrypt /boot as well?
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: Possible for full-disk encryption to encrypt /boot as well?
  - From: Robert Dodier <robert.dodier@gmail.com>
- Re: Possible for full-disk encryption to encrypt /boot as well?
  - From: Curt <curty@free.fr>

Prev by Date: Re: Cannot delete files
Next by Date: Re: Update on my update problem with gnome system.
Previous by thread: Re: Possible for full-disk encryption to encrypt /boot as well?
Next by thread: Re: Possible for full-disk encryption to encrypt /boot as well?
Index(es):
- Date
- Thread