From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <528ADE3F.7010607@ramses-pyramidenbau.de>
Date: Tue, 19 Nov 2013 04:42:55 +0100
From: Ralf Ramsauer
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Integrate cryptsetup in bootloader
In-Reply-To: <20131119025246.GA8171@tansi.org>
References: <20131119025246.GA8171@tansi.org>

Hi,

just an idea, but shouldn't it be possible to implement encryption
algorithms incl. LUKS in GRUB? Then GRUB would be able to read the
encrypted kernel image and an initramfs. The initramfs itself could
contain the symmetric master key in order to decrypt the partition
afterwards. No further password prompts would be needed.

"All" that would be needed is to teach GRUB how to deal with encrypted
partitions, which generally should be possible. The one and only parts
that would stay unencrypted are the MBR and GRUB's stage2 or the modules.

But that leads to the question whether it is really necessary to hide
your kernel and initrd at all. Signing your kernel and/or initrd could
also prove the integrity and authenticity of your system.
Regards,
  Ralf

On 11/19/2013 03:52 AM, Arno Wagner wrote:
> Hi,
>
> this topic crops up from time to time. First, doing this yourself
> is hard, hard enough that if you have to ask how to do it, you
> will find it severely challenging.
>
> That said, it has been done by several distros that can be installed
> with "full root encryption". (Full disk encryption is not doable with
> cryptsetup. That would need BIOS support.) Best get one of the
> distros that do it. They usually just pack cryptsetup and its
> libraries into the initrd and write some scripts around it.
>
> One example I use on a laptop is Linux Mint, which will just show
> you a box to enter your encryption password before booting any further.
> I expect Debian and Ubuntu can do something similar.
>
> Best recommendation if you want to do something like this yourself
> is to analyze the initrd of a distro that has it working and go from
> there.
>
> Arno
>
> On Tue, Nov 19, 2013 at 03:20:43 CET, Trinh Van Thanh wrote:
>> Hi all,
>>
>> An unencrypted boot partition is not safe for some special requirements. So I
>> want to increase the security level for full disk encryption using dm-crypt.
>> Can I integrate cryptsetup in a bootloader (for example GRUB2) or are there any
>> other solutions?
>>
>> Thanks in advance,
>>
>> --
>> Trinh Van Thanh
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
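GRUB later gained the capability Ralf describes: its cryptodisk and luks modules can unlock a LUKS volume and read the kernel and initramfs from it, and a keyfile carried inside the initramfs then opens the root volume without a second passphrase prompt. The configuration fragment below is an added illustration for this thread, not anything posted to the list or shipped by the projects named; it assumes the Debian/Ubuntu cryptsetup-initramfs and initramfs-tools layout, and the device UUID, the /dev/sdX device and the keyfile path are placeholders.

```conf
# /etc/default/grub -- have grub-install embed the cryptodisk/luks modules,
# so GRUB prompts for the passphrase and reads /boot from the LUKS volume
GRUB_ENABLE_CRYPTODISK=y

# /etc/crypttab -- open the root volume with a keyfile that the initramfs
# carries, instead of asking for the passphrase a second time
# (UUID and keyfile path are placeholders)
cryptroot UUID=00000000-0000-0000-0000-000000000000 /etc/luks/boot_os.keyfile luks,discard

# /etc/cryptsetup-initramfs/conf-hook -- which keyfiles the initramfs hook
# is allowed to copy into the image
KEYFILE_PATTERN=/etc/luks/*.keyfile

# /etc/initramfs-tools/initramfs.conf -- the image now holds key material,
# so it must not be world-readable (the default UMASK is 0022)
UMASK=0077

# Commands to apply the above, run as root (device name is a placeholder):
#   chmod 0400 /etc/luks/boot_os.keyfile
#   cryptsetup luksAddKey /dev/sdX /etc/luks/boot_os.keyfile
#   update-initramfs -u -k all
#   grub-install /dev/sdX
#   update-grub
```

Two caveats a practitioner will want: the keyfile is only as protected as the initramfs that contains it, so the initramfs must live on the encrypted volume and the 0077 umask matters, and the GRUB core image in the MBR or EFI partition still sits in the clear, which is exactly why Ralf's point about signing (or Secure Boot verification of) the boot chain remains relevant. LUKS1 is handled by every GRUB build with cryptodisk; LUKS2 support, and in particular Argon2 key derivation, depends on the GRUB version, so check the installed GRUB before converting a volume.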