Linux GUI full disk encryption including /boot

postcd

Guest
Hello,

I'm using Windows OS and I wish to switch to Linux with a GUI. I don't have any distribution in mind (I know Ubuntu has a huge community, so maybe Xubuntu). Before I do the Win/Linux switch, I want to ask for a link to a tutorial or advice regarding HDD encryption.

I'm looking for a quick & secure way to encrypt the whole filesystem (including /boot) so I have peace of mind that nobody will read any data. I also want ease of use; I'm a Linux noob on the command line, so I prefer a GUI tool. Can you please give advice on a solution?
 


postcd,

You really can't have /boot encrypted. Grub needs to have access to the partition before the OS boots.

Linux will set up a LUKS (Linux Unified Key Setup) encrypted linear logical volume. Both are container/abstraction layers, so boot files need to be outside of the containers in order to be read.

No one can gain any information from your /boot partition and your root filesystem cannot be accessed without first opening the LUKS container and then assembling the physical device, volume group and logical volumes.
 
WharfRat: yes, thank you for the nice explanation. The only problem is, I think, if some hacker accesses my computer physically and modifies grub to somehow log my credentials (here is explained how)
 
I've seen that before.

It assumes that you have lost or were rendered unconscious somehow, leaving a terminal open after entering sudo -i or su - to gain escalated privileges, at which time this evil individual gets the initrd.img file from the boot partition, extracts it, copies root/sbin/cryptsetup to initrd/sbin/cryptsetup, copies root/initramfs-tools/scripts/* to initrd/scripts/, and then recompresses the initrd.img file and replaces it.

Then you are revived to reboot and enter your password so the new plaintext file can be saved in /boot/.cryptopass and you have no idea that anything fishy just happened. Oh yeah, and the file hasn't been viewed yet.

Sounds like a mission impossible plot to me.

If someone infiltrated your residence and demanded your computer's LUKS password at gunpoint I suspect you would probably quickly oblige.

What the author wrote is very possible, but let's get real here.

If you suspect a Linux guru friend would do that to you I would suggest new friends ;)
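
The tampering discussed in this thread (a repacked initrd.img and a /boot/.cryptopass file appearing) changes files on the unencrypted /boot partition, so it shows up when /boot is compared against a hash manifest kept on the encrypted root. The script below is an added example, not part of any post above; the function names and the manifest location are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): detect changes to the unencrypted
# /boot partition. Function names and the manifest path are assumptions.
# Keep the manifest on the encrypted root or on offline media so it cannot
# be rewritten together with /boot.

# boot_baseline DIR MANIFEST
# Record a SHA-256 for every regular file under DIR.
boot_baseline() {
    find "$1" -type f -exec sha256sum {} + > "$2"
}

# boot_verify DIR MANIFEST
# Prints "CHANGED <path>" for files that differ from the baseline or are
# missing, and "NEW <path>" for files the baseline never recorded.
# Returns 0 if DIR matches the manifest, 1 if it does not.
boot_verify() {
    dir=$1 manifest=$2 status=0
    known=$(mktemp) || return 2

    # sha256sum -c prints "<path>: OK" or "<path>: FAILED..." per entry;
    # keep only the failing paths (e.g. a repacked initrd.img).
    failed=$(sha256sum -c "$manifest" 2>/dev/null |
             grep -v ': OK$' | sed 's/: FAILED.*$//')
    if [ -n "$failed" ]; then
        printf '%s\n' "$failed" | sed 's/^/CHANGED /'
        status=1
    fi

    # Paths present now but absent from the manifest (e.g. a dropped
    # dotfile such as /boot/.cryptopass).
    sed 's/^[0-9a-f]*  //' "$manifest" > "$known"
    new=$(find "$dir" -type f | grep -Fxv -f "$known" || true)
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW /'
        status=1
    fi

    rm -f "$known"
    return "$status"
}

# Usage (as root; the manifest path is a placeholder):
#   boot_baseline /boot /root/boot.sha256   # after each kernel/initramfs update
#   boot_verify   /boot /root/boot.sha256   # after every boot
```

A mismatch right after a kernel or initramfs update is expected and calls for a new baseline. The check runs after the disk is unlocked, so it reports tampering after the fact rather than preventing it.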
 
