Linux GUI full disk encryption including /boot

P

postcd

Guest
Hello,

im using Windows OS and i wish to switch to Linux with GUI, i dont have any distribution in mind (i know Ubuntu has huge community, so maybe xubuntu). Before i do the Win/Linux switch, i want to ask for a link to tutorial or advice regarding HDD encryption.

Im looking for quick & secure way to encrypt whole filesystem (including /boot) so i have peace of mind that nobody will read any data. I also want easy of use, im linux noob in command line so i prefer GUI tool. Can you please give an advice on solution?
 


OP
W

WharfRat

Guest
postcd,

You really can't have /boot encrypted. Grub needs to have access to the partition before the OS boots.

Linux will setup a LUKS (Linux Unified Key Setup) encrypted linear logical volume. Both are container/abstraction layers so boot files need to be outside of the containers in oder to be read.

No one can gain any information from your /boot partition and your root filesystem cannot be accessed without first opening the LUKS container and then assembling the physical device, volume group and logical volumes.
 
OP
P

postcd

Guest
WharfRat: yes, thank you for nice explanation, only problem is i think if some hacker access my computer physically, modiffy grub to somehow login my credentials (here is explained how)
 
OP
W

WharfRat

Guest
I've seen that before.

It assumes that you have lost or were rendered unconscious somehow leaving a terminal open after entering sudo -i or su - to gain escalated privileges at which time this evil individual gets the initrd.img file from the boot partition, extracts it, copies root/sbin/cryptsetup to initrd/sbin/cryptsetup, copies root/initramfs-tools/scripts/* to initrd/scripts/, and then recompress the initrd.img file and replaces it.

Then you are revived to reboot and enter your password so the new plaintext file can be saved in /boot/.cryptopass and you have no idea that anything fishy just happened. Oh yea and the file hasn't been viewed yet.

Sounds like a mission impossible plot to me.

If someone infiltrated your residence and demanded your computer's LUKS password at gunpoint I suspect you would probably quickly oblige.

What the author wrote is very possible, but lets get real here.

If you suspect a linux guru friend would do that to you I would suggest new friends ;)
 
MALIBAL Linux Laptops

Linux Laptops Custom Built for You
MALIBAL is an innovative computer manufacturer that produces high-performance, custom laptops for Linux.

For more info, visit: https://www.malibal.com

Members online


Top