Friday, April 7, 2017

linux - How to use an encrypted disk without needing an unencrypted boot partition

I would like to know if there is a way to encrypt a Linux system which does not require a small unencrypted /boot partition.



In addition, I would like to know if encryption can be implemented on an existing unencrypted system in such a manner that it will encrypt "on the fly" whilst a user is using the system, thus requiring no re-install of the OS.



Right now the solution I use for Linux is LUKS. I typically re-install the OS (backing up and restoring any data that needs to be kept), create a small /boot partition to boot from, and all other partitions are encrypted, including swap. I use either kickstart for Red Hat or preseeding for Debian-based systems. The install, either encrypted or not, is fully automated.




I understand for all practical purposes this encryption method is safe and there is no way (unless the password is actually saved there or something similarly stupid) to find information on how to decrypt the partitions using the small unencrypted /boot partition, as opposed to having an unencrypted swap partition which could potentially reveal data to help decrypt a partition. The reason I am looking into a solution like this is more practical.



I assume something like this would need to be started from the disk's boot block (MBR or otherwise), or possibly chainloaded. It probably requires some functionality added to the bootloader, GRUB for example, to prompt for a password and use it to open the partitions so those can be read.



I did some research trying to find solutions, but I have not yet found one that works, or even if it may work, it's not practical at all (especially with a 100+ user base).
