On Sat 26 May 2018 at 16:51:56 (+0000), Curt wrote: > On 2018-05-26, Robert Dodier <robert.dod...@gmail.com> wrote: > > On Sat, May 26, 2018 at 1:16 AM, Pascal Hambourg <pas...@plouf.fr.eu.org> > > wrote: > > > >> I don't know how Symantec's "full" disk encryption works, but AFAIK a boot > >> disk cannot be fully encrypted, > > > > Yes, this is an important question -- what, exactly, is provided by > > Symantec here, so that I can look for something to do the same for > > Linux. But not surprisingly I haven't been able to find a careful > > description -- so far all I have found is some marketing material. I > > will keep looking. > > They seem to be saying the boot loader is decrypted prior to the point > at which it begins execution (a "pre-boot environment" is installed that > prompts the user for pass phrase, etc.) > > > https://www.symantec.com/content/en/us/enterprise/white_papers/b-pgp_how_wholedisk_encryption_works_WP_21158817.en-us.pdf
which says: "A boot sequence executes during the startup process of Microsoft® Windows, Apple Mac OS X, or Linux® operating systems. The boot system is the initial set of operations that the computer performs when it is switched on. A boot loader (or a bootstrap loader) is a short computer program that loads the main operating system for the computer. The boot loader first looks at a boot record or partition table, which is the logical area “zero” (or starting point) of the disk drive. Whole disk encryption modifies the zero point area of the drive. A computer protected with Whole Disk Encryption presents a modified “pre-boot” environment (Figure 1) to the user." To me, that implies that what they call the "boot[strap] loader" is the unencrypted firmware, and that the "logical area “zero” (or starting point)" is the MBR. It says that the MBR has been "modified", but I don't see where it says that the boot loader has been, nor how any of the early code can have been *encrypted* until enough has been executed to read and act upon a passphrase. Cheers, David.