lfit / itpol

Useful IT policies

Encrypting /boot is in fact feasible #10

Closed jaroslawr closed 9 years ago

jaroslawr commented 9 years ago

The guide says:

> The /boot partition will always remain unencrypted, as the bootloader needs to be able to actually boot the kernel before invoking LUKS/dm-crypt. The kernel image itself should be protected against tampering with a cryptographic signature checked by SecureBoot.

However, it is fully possible to put /boot on an encrypted partition, as described in:

http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/

https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS

zaolin commented 9 years ago

Yep, that's possible by building grub2 with cryptsetup support. The smarter solution is to enable LVM support in grub and use the boot partition as a logical volume, so that the whole partition is in one cryptsetup volume which encloses the LVM physical volume.

If shim protects the grub2 EFI module, it should also be possible to establish a secure boot. But keep in mind you have to enter a password two times because of grub2, which can't pass the key to the Linux kernel.

Regards Zaolin

ilkkajylha commented 9 years ago

There is no need to enter the password two times if you are using a keyfile. The encrypt hook can take the file specified in the cryptkey kernel parameter and use it to unlock the cryptdevice.

http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
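An added example, not part of the thread or of the itpol guide: a shell function that audits the keyfile setup described in the last comment, checking that GRUB is configured to unlock LUKS, that the `cryptkey=rootfs:` path is actually packed into the initramfs, and that the image now holding key material is readable by root only. It assumes Arch-style mkinitcpio and GRUB configuration files and GNU `stat`; the function name, device name and sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a keyfile-in-initramfs setup for an encrypted /boot.
# Hypothetical helper; config file locations are passed in as arguments.

# audit_keyfile_boot MKINITCPIO_CONF GRUB_DEFAULTS INITRAMFS_IMAGE
# Prints one line per finding and returns the number of findings (0 = clean).
audit_keyfile_boot() {
    local mkconf=$1 grubconf=$2 image=$3 problems=0 key mode

    # GRUB has to open the LUKS container itself to read an encrypted /boot.
    grep -Eq '^GRUB_ENABLE_CRYPTODISK=y' "$grubconf" ||
        { echo "grub: GRUB_ENABLE_CRYPTODISK=y not set"; problems=$((problems + 1)); }

    # The encrypt hook reads the keyfile named by cryptkey=rootfs:<path>.
    key=$(grep -E '^GRUB_CMDLINE_LINUX' "$grubconf" |
          grep -Eo 'cryptkey=rootfs:[^ "]+' | head -n1 | cut -d: -f2-)
    if [ -z "$key" ]; then
        echo "grub: no cryptkey=rootfs:<path> on the kernel command line"
        problems=$((problems + 1))
    # That path only exists at boot if mkinitcpio copied it into the image.
    elif ! grep -E '^FILES=' "$mkconf" | grep -Fq -- "$key"; then
        echo "mkinitcpio: $key is not listed in FILES"
        problems=$((problems + 1))
    fi

    # The image embeds the key, so anyone who can read it can unlock the disk.
    mode=$(stat -c '%a' "$image")   # GNU stat
    case $mode in
        600|400) ;;
        *) echo "initramfs: mode $mode on $image exposes the embedded keyfile"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
printf 'FILES=(/crypto_keyfile.bin)\nHOOKS=(base udev encrypt lvm2 filesystems)\n' \
    > "$demo/mkinitcpio.conf"
printf 'GRUB_ENABLE_CRYPTODISK=y\n' > "$demo/grub"
printf 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm cryptkey=rootfs:/crypto_keyfile.bin"\n' \
    >> "$demo/grub"
: > "$demo/initramfs-linux.img"; chmod 644 "$demo/initramfs-linux.img"
audit_keyfile_boot "$demo/mkinitcpio.conf" "$demo/grub" "$demo/initramfs-linux.img" ||
    echo "findings: $?"
```

The sample run reports one finding, the world-readable initramfs image; the keyfile only avoids the second prompt safely when that image sits on the encrypted /boot and is restricted to root.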