Mention encrypting the /boot partition

Closes #10
2024-04-27 09:02:22 +12:00 · 2015-08-31 10:05:01 -04:00 · 2015-08-31 10:05:01 -04:00 · f87800736e
parent 5703c1796e
commit f87800736e
1 changed files with 9 additions and 8 deletions
--- a/linux-workstation-security.md
+++ b/linux-workstation-security.md
@ -234,13 +234,14 @@ which is likely to contain a slew of sensitive data. The recommended
 encryption strategy is to encrypt the LVM device, so only one passphrase is
 required during the boot process.

-The `/boot` partition will always remain unencrypted, as the bootloader needs
-to be able to actually boot the kernel before invoking LUKS/dm-crypt. The
-kernel image itself should be protected against tampering with a cryptographic
-signature checked by SecureBoot.
-
-In other words, `/boot` should always be the only unencrypted partition on your
-system.
+The `/boot` partition will usually remain unencrypted, as the bootloader needs
+to be able to boot the kernel itself before invoking LUKS/dm-crypt. Some
+distributions support encrypting the `/boot` partition as well (e.g.
+[Arch][16]), and it is possible to do the same on other distros, but likely at
+the cost of complicating system updates. It is not critical to encrypt
+`/boot` if your distro of choice does not natively support it, as the kernel
+image itself leaks no private data and will be protected against tampering
+with a cryptographic signature checked by SecureBoot.

 #### Choosing good passphrases

@ -787,4 +788,4 @@ This work is licensed under a
 [13]: https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
 [14]: https://wiki.debian.org/Subkeys
 [15]: https://github.com/lfit/ssh-gpg-smartcard-config
-
+[16]: http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/