LinuxQuestions.org
Old 07-27-2010, 03:21 PM   #1
martvefun
Member
 
Registered: Apr 2010
Location: Belgium
Distribution: Archlinux
Posts: 53

Rep: Reputation: 1
Encryption with multiboot and one boot partition


Hello,

I'm trying to get a fully encrypted system with several Linux partitions.
I use one big encrypted (LUKS) partition which I divide into several smaller ones with LVM, but I still need to set the boot folder on a non-encrypted partition.

So my question is: is there a way to have only one boot partition instead of one for each system?

Thank you
 
Old 07-27-2010, 04:03 PM   #2
mostlyharmless
Senior Member
 
Registered: Jan 2008
Distribution: Arch/Manjaro, might try Slackware again
Posts: 1,851
Blog Entries: 14

Rep: Reputation: 284
I don't see why not, as long as all of the kernels and initrds have unique names, are referred to in your bootloader and all have the capability of opening up the LUKS container and mounting their unique partition.

You will probably need to do a bit of manual editing for each initrd so that it mounts the correct partition as root, and I would think the biggest hurdle would be the semi-automatic installers of most distros, which might not be friendly to an unusual setup.

Your English is perfect.

Last edited by mostlyharmless; 07-27-2010 at 04:08 PM.
 
Old 07-28-2010, 01:39 AM   #3
martvefun
Member
 
Registered: Apr 2010
Location: Belgium
Distribution: Archlinux
Posts: 53

Original Poster
Rep: Reputation: 1
Hum why not. But there is no risk of conflict?
Like I think debian and ubuntu use the same kind of name for their kernels.
Or I was thinking, is it possible to use subfolders?
So my /boot folder would be something like:
Code:
/
.boot/
..archlinux/
....some files
....kernel26.img
....vmlinuz26
..grub/
....some files
....grub.cfg
..ubuntu/
....some files
....initrd.img-2.6.31-19-generic-pae
....vmlinuz-2.6.31-19-generic-pae
But then in my grub I've to use only custom entries I guess
something like
Code:
menuentry "Arch Linux" {
	insmod ext2
	set root='(hd0,7)' # boot partition
	echo	Loading Linux vmlinuz26 ...
	linux	/archlinux/vmlinuz26 root=/dev/mapper/vgrp-rootarch ro  quiet
	initrd	/archlinux/kernel26.img
}
but it's when I'll have to update my kernel that I guess the problems will come.

But anyway why exactly do I need to have the boot folder on a non-encrypted partition? Is it just to load the module to decrypt the partition or do I really need the kernel to be available?

And yes you are right, I have to fight against the installer sometimes. I'm using maybe my 5th virtual machine

Thanks for the English, I prefer warm if I use unusual formulations sometimes

Last edited by martvefun; 07-28-2010 at 02:12 AM.
 
Old 07-28-2010, 03:00 AM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
You may have an issue if you install a new distro and accidentally opt to format your old /boot partition.
Another possible problem I can see is if one distro uses a patched kernel, but only if the filenames for the kernel and initrd files are identical. Sharing the /boot partition, make sure you use a larger /boot partition. Maybe 500 MB or 1 GB to make room for the extra kernels and leave room for kernel security updates depending on how many distros you will be installing.

Another option is to install /boot on the root partition of each distro, and then modify menu.lst and /etc/fstab of each distro to reference the unencrypted boot partition, copying needed files to it and cutting and pasting the stanza for the new distro to the old menu.lst file.
Then if something goes wrong installing Distro D, you have the files and configuration settings for the other distros still present.

Make sure you backup the MBR of the /boot partition, as well as the "fstab -l" and "fstab -lu" results.
Use pvdisplay and lvdisplay to track your physical and logical volumes as well.

I've used cryptsetup for a partition, but never on an lvm volume before partition. I don't see that being a problem. One big advantage doing it this way is that you don't need to enter a passphrase for each encrypted partition.

You could have a problem trying to install an older distro. The luks versions may not be compatible.

Last edited by jschiwal; 07-28-2010 at 03:06 AM.
 
Old 07-28-2010, 04:02 AM   #5
martvefun
Member
 
Registered: Apr 2010
Location: Belgium
Distribution: Archlinux
Posts: 53

Original Poster
Rep: Reputation: 1
Thank you I'll try this way
 
Old 07-28-2010, 11:23 AM   #6
mostlyharmless
Senior Member
 
Registered: Jan 2008
Distribution: Arch/Manjaro, might try Slackware again
Posts: 1,851
Blog Entries: 14

Rep: Reputation: 284
Quote:
But there is no risk of conflict?
Like I think debian and ubuntu use the same kind of name for their kernels.
Definitely there will be conflict, especially with upgrades if you don't do them manually and rename the files. Subfolders might be more organized, but the problem would remain.
Quote:
But anyway why exactly do I need to have the boot folder on a non-encrypted partition? Is it just to load the module to decrypt the partition or do I really need the kernel to be available?
Yes, well you need the kernel to use the module to decrypt...

jschiwal's suggestion is much cleaner, and will probably keep you out of trouble. On the subject of the passphrase, you can set up your initrd to read a keyfile from a removable device such as a USB key that you mount and unmount just for that purpose... but it takes some manual editing of the initrd, which would be lost with an upgrade. It all depends on what you want.
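
Added example, not part of any post in this thread: a sketch of the copy step from post #4 combined with the per-distro subfolders from post #3, staging each kernel and initrd under fixed names so that an upgrade does not change the paths GRUB refers to. The helper names `stage_kernel` and `grub_entry`, the mount point `/mnt/sharedboot` and the device name `vgrp-rootubuntu` are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. stage_kernel and grub_entry are
# hypothetical helper names; all paths and device names are assumptions.

# stage_kernel DIR SRC SHARED KERNEL_GLOB INITRD_GLOB
# Copy the newest matching kernel and initrd from SRC (the distro's own /boot
# inside the encrypted volume) to SHARED/DIR/ under fixed names, so a kernel
# upgrade never changes the paths the GRUB entry refers to.
stage_kernel() {
    dir=$1 src=$2 shared=$3 kglob=$4 iglob=$5
    # Version sort: 2.6.31-19 ranks above 2.6.31-9 (sort -V is GNU coreutils).
    kernel=$(ls -1 "$src"/$kglob 2>/dev/null | sort -V | tail -n 1)
    initrd=$(ls -1 "$src"/$iglob 2>/dev/null | sort -V | tail -n 1)
    if [ -z "$kernel" ] || [ -z "$initrd" ]; then
        echo "stage_kernel: no kernel or initrd found in $src" >&2
        return 1
    fi
    dest=$shared/$dir
    mkdir -p "$dest" || return 1
    # Copy under temporary names and compare before renaming, so a failed
    # or short copy never replaces the files the machine currently boots.
    cp "$kernel" "$dest/vmlinuz.new" || return 1
    cp "$initrd" "$dest/initrd.img.new" || return 1
    cmp -s "$kernel" "$dest/vmlinuz.new" || return 1
    cmp -s "$initrd" "$dest/initrd.img.new" || return 1
    mv "$dest/vmlinuz.new" "$dest/vmlinuz" || return 1
    mv "$dest/initrd.img.new" "$dest/initrd.img"
}

# grub_entry TITLE DIR GRUB_ROOT ROOT_DEVICE
# Print a GRUB 2 stanza for the staged files; paths are relative to the
# shared boot partition, as in the custom entry from post #3.
grub_entry() {
    title=$1 dir=$2 grubroot=$3 rootdev=$4
    cat <<EOF
menuentry "$title" {
    insmod ext2
    set root='$grubroot'
    linux   /$dir/vmlinuz root=$rootdev ro quiet
    initrd  /$dir/initrd.img
}
EOF
}

# Usage from Ubuntu, with the shared partition mounted on /mnt/sharedboot:
#   stage_kernel ubuntu /boot /mnt/sharedboot 'vmlinuz-*' 'initrd.img-*'
#   grub_entry "Ubuntu" ubuntu '(hd0,7)' /dev/mapper/vgrp-rootubuntu
```

Run the staging step after every kernel upgrade in each distro; the GRUB stanza only needs to be written once because the staged file names stay the same.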
 
Old 07-28-2010, 11:53 AM   #7
martvefun
Member
 
Registered: Apr 2010
Location: Belgium
Distribution: Archlinux
Posts: 53

Original Poster
Rep: Reputation: 1
Thank you but I'm not looking for the perfect encryption (I also read a tutorial where the full /boot folder is on a USB key to avoid modifications).
Encrypting only the /home folder would have been enough for me if I didn't have the problem with the shared partition for my data (the configuration files, profiles, ... are on the system partition but my documents, music, ... are on a specific partition I share between each system)
 
  

