Full disk encryption on GPT on BIOS problems - Ask Ubuntu
How can I encrypt all the data on the hard drive (including /boot and the 1 MB BIOS boot partition)? How do I create a GRUB-bootable, encrypted BIOS boot partition? The HDD is empty right now, so I cannot use the laptop at the moment.
You cannot encrypt the BIOS boot partition. The boot process on a BIOS-based computer that uses GRUB to boot Ubuntu (or another Linux) goes like this:
- The CPU powers on and executes the BIOS code, which does not understand encryption.
- The BIOS reads the first sector (the MBR) of the hard disk, which is therefore necessarily unencrypted.
- The MBR code, which is tiny, reads the more extensive boot loader code stored elsewhere -- in the BIOS boot partition, in the case of GRUB on a GPT disk.
- GRUB reads its configuration file, /boot/grub/grub.cfg. It may also load additional code modules stored in /boot/grub.
- GRUB reads the kernel and the initial RAM disk (initrd) file, and executes the kernel.
- The kernel runs the startup scripts in the initrd.
- The main filesystem is mounted, and further startup processes are controlled from there.
Because the BIOS doesn't support encryption, the MBR cannot be encrypted. In theory, the MBR could include encryption code, and the BIOS boot partition could be encrypted; in practice, however, this is impractical, perhaps to an extreme, because the MBR boot code is a total of 440 bytes in size (446 bytes if you stretch the definitions a bit). Note that's bytes, not KiB, MiB, or any other value. GRUB uses the BIOS boot partition because 440 bytes is inadequate for anything more than a direct boot process to a bigger location; cramming encryption software into that space is a hurdle that's beyond the realm of the practical (and maybe totally impossible).
Thus, the earliest point at which encryption is a practical possibility is after the BIOS boot partition is read, and in fact GRUB supports reading encrypted filesystems, so the Linux kernel can be stored on an encrypted filesystem. (At least, that's what I hear; I've never tried it myself.)
Note that encrypting the BIOS boot partition would give limited or no additional privacy protection. The bulk of what goes there is open source software. It may be tweaked and customized for a particular system, but that's to identify the partition that holds the Linux root (/) or /boot filesystem, and perhaps to include drivers needed on a particular computer. AFAIK, there are no passwords, usernames, or other sensitive data in the BIOS boot partition. If it were possible, encrypting the BIOS boot partition might make it harder for malware to take it over -- but in that scenario, the malware would merely need to adjust the MBR to redirect the boot process to its own code, or re-write the BIOS boot partition using its own encryption keys.
That said, in theory the whole disk could be encrypted if the disk itself, or the controller it's attached to, supported the feature. This would require the disk or controller to do the encryption and decryption "beneath" the level of the BIOS. I'm not sure offhand how a password would be delivered to a disk connected to a standard controller, but if you had a plug-in card with an encrypted disk controller, it could interface with the regular BIOS and therefore prompt for a password at boot time. To the OS, the disk would look like a normal unencrypted disk. I vaguely recall hearing of such solutions, but I've never looked into them, and I don't know if such hardware is readily available today. (I might be remembering claims about vaporware.)
Note that EFI/UEFI works differently from BIOS; AFAIK, EFI/UEFI does not support encrypting 100% of the disk either -- the boot loader must still reside on an unencrypted EFI System Partition (ESP). EFI is a lot bigger and more complex than BIOS, though, so I may be unaware of some obscure feature, and it may be easier to add such support to the EFI specification in the future. If you're interested in encrypting the BIOS boot partition as a way to prevent tampering by malware, though, the Secure Boot feature of modern UEFIs is intended to tackle that problem. By signing the first boot code read from disk and providing a chain of signing through to the OS, Secure Boot (theoretically) prevents tampering.
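The following is an added example, not code from the post, from Ubuntu or from GRUB. It builds a small, entirely constructed GPT disk image with the layout the answer describes (protective MBR with 440 bytes of stub boot code, a BIOS boot partition for GRUB's core image, and a partition holding a LUKS container), then parses it back in the order the firmware and GRUB read it and lists the byte ranges that must be readable before any key exists. It goes one step beyond the answer by also showing that a LUKS container's own header is plaintext (the cipher only covers the payload behind it). The 440-byte boot-code area, the "Hah!IdontNeedEFI" BIOS boot partition type GUID and the LUKS magic bytes are real on-disk constants; the disk size, partition sizes, partition names and the stub boot code are invented for the example.

```python
"""Constructed GPT/BIOS layout: build it, parse it, report the regions that
cannot be encrypted. Added example, not from the Ask Ubuntu post."""
import struct
import uuid
import zlib

SECTOR = 512
ENTRY_SIZE, ENTRY_COUNT = 128, 128                    # standard 16 KiB partition array (32 sectors)
BIOS_BOOT_GUID = uuid.UUID("21686148-6449-6E6F-744E-656564454649")  # "Hah!IdontNeedEFI"
LINUX_FS_GUID = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")   # Linux filesystem data
LUKS_MAGIC = b"LUKS\xba\xbe"                          # first bytes of every LUKS header (plaintext)
HDR_FMT = "<8sIIIIQQQQ16sQIII"                        # 92-byte GPT header


def _entry(type_guid, first, last, name):
    """One 128-byte partition entry; GUIDs are stored in mixed-endian (bytes_le) form."""
    return (type_guid.bytes_le + uuid.uuid4().bytes_le
            + struct.pack("<QQQ", first, last, 0)
            + name.encode("utf-16-le").ljust(72, b"\0"))


def _header(cur, alt, first_usable, last_usable, disk_guid, entries_lba, entries):
    """GPT header with both CRC32 fields set; the header CRC is computed with its own field zeroed."""
    h = struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0, cur, alt, first_usable,
                    last_usable, disk_guid.bytes_le, entries_lba, ENTRY_COUNT, ENTRY_SIZE,
                    zlib.crc32(entries))
    return h[:16] + struct.pack("<I", zlib.crc32(h)) + h[20:]


def build_image(total_sectors=2048):
    """Constructed 1 MiB disk: protective MBR, GPT, a BIOS boot partition and a 'luks' partition."""
    img = bytearray(total_sectors * SECTOR)
    img[0:2] = b"\xeb\xfe"                            # constructed stub boot code ('jmp $') in the 440-byte area
    img[446:462] = struct.pack("<B3sB3sII", 0x00, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff",
                               1, total_sectors - 1)  # protective MBR entry, type 0xEE
    img[510:512] = b"\x55\xaa"
    array_sectors = ENTRY_SIZE * ENTRY_COUNT // SECTOR
    first_usable, last_usable = 2 + array_sectors, total_sectors - 2 - array_sectors
    bios_first, bios_last = first_usable, first_usable + 63   # invented 32 KiB BIOS boot partition
    luks_first = bios_last + 1
    entries = (_entry(BIOS_BOOT_GUID, bios_first, bios_last, "bios_grub")
               + _entry(LINUX_FS_GUID, luks_first, last_usable, "luks")
               ).ljust(ENTRY_SIZE * ENTRY_COUNT, b"\0")
    disk_guid = uuid.uuid4()
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries            # primary array, LBA 2..33
    img[SECTOR:SECTOR + 92] = _header(1, total_sectors - 1, first_usable, last_usable,
                                      disk_guid, 2, entries)
    back_lba = total_sectors - 1 - array_sectors                   # backup array just before the backup header
    img[back_lba * SECTOR:back_lba * SECTOR + len(entries)] = entries
    bh = (total_sectors - 1) * SECTOR
    img[bh:bh + 92] = _header(total_sectors - 1, 1, first_usable, last_usable,
                              disk_guid, back_lba, entries)
    img[luks_first * SECTOR:luks_first * SECTOR + 6] = LUKS_MAGIC  # constructed LUKS header: magic only
    return bytes(img)


def parse(img):
    """Read the image the way the boot chain does: MBR first, then GPT header, then the entry array."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature; a BIOS would not boot this disk")
    _st, _c1, ptype, _c2, pstart, _psize = struct.unpack("<B3sB3sII", img[446:462])
    hdr = img[SECTOR:SECTOR + 92]
    f = struct.unpack(HDR_FMT, hdr)
    if f[0] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    header_crc_ok = zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:]) == f[3]
    entries_lba, count, size, ecrc = f[10], f[11], f[12], f[13]
    array = img[entries_lba * SECTOR:entries_lba * SECTOR + count * size]
    parts = []
    for i in range(count):
        e = array[i * size:(i + 1) * size]
        tguid = uuid.UUID(bytes_le=e[:16])
        if tguid.int == 0:                            # unused entry
            continue
        first, last = struct.unpack("<QQ", e[32:48])
        parts.append({"type": tguid, "first": first, "last": last,
                      "name": e[56:128].decode("utf-16-le").rstrip("\0")})
    return {"boot_code": img[:440], "pmbr_type": ptype, "pmbr_start": pstart,
            "header_crc_ok": header_crc_ok, "entries_crc_ok": zlib.crc32(array) == ecrc,
            "entries_lba": entries_lba, "entries_bytes": count * size, "partitions": parts}


def plaintext_regions(img):
    """Byte ranges (first, last) that must be readable with no key, i.e. before GRUB can run its crypto modules."""
    info = parse(img)
    regs = [("MBR boot code (440 bytes)", 0, 439),
            ("protective MBR entry + signature", 440, 511),
            ("GPT header (LBA 1)", SECTOR, 2 * SECTOR - 1),
            ("GPT partition entries", info["entries_lba"] * SECTOR,
             info["entries_lba"] * SECTOR + info["entries_bytes"] - 1)]
    for p in info["partitions"]:
        lo, hi = p["first"] * SECTOR, (p["last"] + 1) * SECTOR - 1
        if p["type"] == BIOS_BOOT_GUID:
            regs.append(("BIOS boot partition (GRUB core.img)", lo, hi))
        elif img[lo:lo + 6] == LUKS_MAGIC:            # LUKS header is plaintext; only the payload is ciphertext
            regs.append((f"LUKS magic of '{p['name']}' (header is plaintext)", lo, lo + 5))
    return regs


if __name__ == "__main__":
    for label, lo, hi in plaintext_regions(build_image()):
        print(f"{lo:8d}-{hi:8d}  {label}")
```

Running it prints the regions in the order the boot chain touches them; everything from the BIOS boot partition onward is where GRUB's own cryptodisk support can take over, and the LUKS line is a reminder that even an "encrypted" partition exposes its header, cipher parameters and key-slot metadata in the clear.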