|
Encryption with multiboot and one boot partition
Hello,
I'm trying to get a fully encrypted system with several linux partitions. I use one big encrypted (luks) partition which I divide into several smaller with LVM but I still need to set the boot folder on a non-encrypted partition. So my question is : is there a way to have only one boot partition instead of one for each system ? Thank you |
I don't see why not, as long as all of the kernels and initrds have unique names, are referred to in your bootloader and all have the capability of opening up the LUKS container and mounting their unique partition.
You will probably need to do a bit of manual editing for each initrd so that it mounts the correct partition as root, and I would think the biggest hurdle would be the semi-automatic installers of most distros, which might not be friendly to an unusual setup. Your English is perfect. |
Hum why not. But there is no risk of conlict ?
Like I think debian and ubuntu use the same kind of name for their kernels. Or I was thinking, is it possible to use subfolders ? So my /boot folder would be something like : Code:
/something like Code:
menuentry "Arch Linux" {But anyway why exactly do I need to have the boot folder on an non-encrypted partition ? Is it just to load the module to decrypt the partition or I really need the kernel to be available ? And yes your are right, I've to fight against the installer sometime. I'm using maybe my 5th virtual machine :D Thanks for the English, I prefer warm if I use unusual formulations sometimes ;) |
You may have an issue if you install a new distro and accidentally opt to format your old /boot partition.
Another possible problem I can see is if one distro uses a patched kernel, but only if the filenames for the kernel and initrd files are identical. Sharing the /boot partition, make sure you use a larger /boot partition. Maybe 500 MB or 1 GB to make room for the extra kernels and leave room for kernel security updates depending on how many distro's you will be installing. Another option is to install /boot on the root partition of each distro, and then modify menu.lst and /etc/fstab of each distro to reference the unencrypted boot partition, copying needed files to it and cutting and pasting the stanza for the new distro to the old menu.lst file. Then if something goes wrong installing Distro D, you have the files and configuration settings for the other distro's still present. Make sure you backup the MBR of the /boot partition, as well as the "fstab -l" and "fstab -lu" results. Use pvdisplay and lvdisplay to track your physical and logical volumes as well. I've used cryptsetup for a partition, but never on an lvm volume before partition. I don't see that being a problem. One big advantage doing it this way is that you don't need to enter a passphrase for each encrypted partition. You could have a problem trying to install an older distro. The luks versions may not be compatible. |
Thank you I'll try this way
|
Quote:
Quote:
jschiwal's suggestion is much cleaner, and will probably keep you out of trouble. On the subject of the passphrase, you can setup your initrd to read a keyfile from a removable device such as a USB key that you mount and unmount just for that purpose... but it takes some manual editing of the initrd, which would be lost with an upgrade. It all depends on what you want. |
Thank you but I'm not looking for the perfect encryption (I read also a tutorial where the full /boot folder is on a USB key to avoid modifications).
Encrypt only /home folder would have been enough for me if I didn't have the problem with the shared partition for my data (the configuration files, profiles,... are on the system partition but my documents, music,... are on a specific partition I share between each system) |
| All times are GMT -5. The time now is 12:43 PM. |