Full disk encryption on GPT on BIOS problems - Ask Ubuntu


how encrypt data on hard drive (including /boot , 1mb bios boot partition)? how create grub bootable bios partition encryption? hdd empty now. cannot use laptop now.

you cannot encrypt bios boot partition; boot process on bios-based computer uses grub boot ubuntu (or other linux) goes this:

  1. cpu powers on , executes bios code, not understand encryption.
  2. bios reads first sector (mbr) of hard disk, necesarily unencrypted.
  3. the mbr code, tiny, reads more extensive boot loader code stored elsewhere -- in bios boot partition in case of grub on gpt disk.
  4. grub reads configuration file, /boot/grub/grub.cfg. may load additional code modules stored in /boot/grub.
  5. grub reads kernel , initial ram disk (initrd) file, executes kernel.
  6. the kernel runs startup scripts in initrd.
  7. the main filesystem mounted , further startup processes controlled there.

because bios doesn't support encryption, mbr cannot encrypted. in theory, mbr include encryption code, , bios boot partition encrypted; however, in practice impractical, perhaps in extreme, because mbr boot code total of 440 bytes in size (446 bytes if stretch definitions bit). note that's bytes, not kib, mib, or other value. grub uses bios boot partition because 440 bytes inadequate more direct boot process on bigger location; cramming encryption software space hurdle that's beyond realm of practical (and maybe totally impossible).

thus, earliest point @ encryption practical possibility after bios boot partition read, , in fact, grub support reading encrypted filesystems, linux kernel can stored on encrypted filesystem. (at least, that's hear; i've never tried myself.)

note encrypting bios boot partition give limited or no additional privacy protections. bulk of goes there open source software. may tweaked , customized particular system, that's identify partition holds linux root (/) or /boot filesystem, , perhaps include drivers needed on particular computer. afaik, there no passwords, usernames, or other sensitive data in bios boot partition. if possible, encrypting bios boot partition might make harder malware take on -- in scenario, malware merely need adjust mbr redirect boot process own code, or re-write bios boot partition using own encryption keys.

that said, in theory whole disk could encrypted if disk itself, or controller it's attached, supported feature. require disk or controller encryption , decryption, "beneath" level of bios. i'm not sure offhand how password delivered disk connected standard controller, if had plug-in card encrypted disk controller, interface regular bios, , therefore prompt password @ boot time. os, disk normal unencrypted disk. vaguely recall hearing such solutions, i've never looked them, , don't know if such hardware readily available today. (i might remembering claims vaporware.)

note efi/uefi works differently bios; afaik, efi/uefi not support encrypting 100% of disk -- boot loader must still reside on unencrypted efi system partition (esp). efi lot bigger , more complex bios, though, may unaware of obscure feature, , may easier add such support efi specification in future. if you're interested in encrypting bios boot partition way prevent tampering malware, though, secure boot feature of modern uefis intended tackle problem. signing first boot code read disk , providing chain of signing through os, secure boot (theoretically) prevents tampering.


Comments

Post a Comment

Popular posts from this blog

download - Firefox cannot save files (most of the time), how to solve? - Super User

this not full duplicate of this question or this question , though base question same. however, questions have no answers. for on half year have problems downloading files firefox. when click on download link, download dialog opened asking me do, save or open it. immediately, there error/warning pop-up (twice, can see 1 @ first) ok button. looks this message : "c:\users\%user%\appdata\local\temp\wbbdv9k8.zip.part not saved because source file not read. try again later or contact server administrator." replace '%user%' name of user trying download. after closing pop-up, download dialog disappears , have minimize firefox , open again, see other pop-up. downloading exact same file internet explorer work, not desired. i tried solutions here . tried solutions here . tried disabling extensions. tried fixing permissions on temp folder. tried making files , folder in profile directory non-readonly. tried running firefox administrator. tried
Read more

windows - "-2146893807 NTE_NOT_FOUND" when repair certificate store - Super User

i try repair certificate store in windows 10 doing c:\windows\system32>certutil -store -user ‎330000019dba8d5dddb98062a900000000019d "personal" certutil: -store command failed: 0x80090011 (-2146893807 nte_not_found) certutil: object not found. i have double check mmc, certificate details serial number of certificate. still fail repair certificate store. can please help? i getting same error when trying export pfx. turns out had export c:\cert.pfx instead of cert.pfx (it trying export file cert store ( cert:\localmachine\my ).
Read more

sql server - "Configuration file does not exist", Event ID 274 - Super User

sql server 2014 standard in server 2012 r2 i installed sql server 2014 in drive d: i following error: microsoft ssis service: registry setting specifying configuration file not exist. attempting load default config file. simply add c:\program files\microsoft sql server\1?0\dts\binn\msdtssrvr.ini.xml to default reg_sz value in: hkey_local_machine\software\microsoft\microsoft sql server\1?0\ssis\serviceconfigfile where ? replaced matching sql server version
Read more