From: Andrei Borzenkov <arvidjaar@gmail.com>
To: Chris Murphy <lists@colorremedies.com>,
	Justin Brown <justin.brown@fandingo.org>
Cc: "B. S." <bs27975@gmail.com>, linux-btrfs <linux-btrfs@vger.kernel.org>
Subject: Re: Pointers to mirroring partitions (w/ encryption?) help?
Date: Sun, 5 Jun 2016 00:07:49 +0300
Message-ID: <57534325.9070309@gmail.com>
In-Reply-To: <CAJCQCtQUBsB-w7TrSAd=+t+E=6aqyPmcUrmMWyd6sg6BuJsS4Q@mail.gmail.com>

04.06.2016 22:05, Chris Murphy wrote:
...
>>
>> Yeah, when it comes to FDE, you either have to make your peace with
>> trusting the manufacturer, or you can't. If you are going to boot your
>> system with a traditional boot loader, an unencrypted partition is
>> mandatory.
> 
> /boot can be encrypted, GRUB supports this, but I'm unaware of any
> installer that does.

openSUSE supports installation on LUKS encrypted /boot. The installer has
some historical limitations regarding how the encrypted container can be
set up, but the bootloader part should be OK (including secure boot support).

> The ESP can't be encrypted.
> 

It should be possible if you use hardware encryption (SED).

> http://dustymabe.com/2015/07/06/encrypting-more-boot-joins-the-party/
> 
> It's vaguely possible for the SED variety of drive to support fully
> encrypted everything, including the ESP. The problem is we don't have
> OPAL support on Linux at all anywhere. And for some inexplicable
> reason, the TCG hasn't commissioned a free UEFI application for
> managing the keys and unlocking the drive in the preboot environment.
> For now, it seems, such support has to already be in the firmware.
> 


