Hi,

Is there any encryption support in grub?

I would like to encrypt the boot partition, and let someone type the password into the grub boot screens. So, one would then get:
1) Switch PC on.
2) Type in password.
3) Grub Boot menu.

The reason to encrypt the boot partition is to make tampering more difficult. One then only has to do integrity assurance on the small grub loader up until the grub boot menu.

I know that one method to reach this integrity is to use a read-only USB boot memory stick that contains grub and the Linux kernel images, then only needing the "root" partition to be encrypted. Boot times are quicker if it can read the kernel/initrd images from the HD instead of the USB memory stick. This would also have the advantage that a single USB boot memory stick could then be able to boot different machines, that might have different kernels, using the same USB stick.

The USB stick is used to provide the integrity assurance on the small grub loader in the following scenario.
1) User keeps USB stick at all times. The USB stick is set to read only, so cannot be tampered with easily.
2) Laptop may be left unattended when powered off.
3) User returns to laptop, and uses USB stick to boot it.

Summary: Permit grub boot menu to be in LUKS encrypted partition.

Kind Regards

James

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/grub-devel