From f87800736e52fdc3f8b3f9e26cf5614a995e6602 Mon Sep 17 00:00:00 2001 From: Konstantin Ryabitsev Date: Mon, 31 Aug 2015 10:05:01 -0400 Subject: [PATCH] Mention encrypting the /boot partition Closes #10 --- linux-workstation-security.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/linux-workstation-security.md b/linux-workstation-security.md index b43796d..e1038f0 100644 --- a/linux-workstation-security.md +++ b/linux-workstation-security.md @@ -234,13 +234,14 @@ which is likely to contain a slew of sensitive data. The recommended encryption strategy is to encrypt the LVM device, so only one passphrase is required during the boot process. -The `/boot` partition will always remain unencrypted, as the bootloader needs -to be able to actually boot the kernel before invoking LUKS/dm-crypt. The -kernel image itself should be protected against tampering with a cryptographic -signature checked by SecureBoot. - -In other words, `/boot` should always be the only unencrypted partition on your -system. +The `/boot` partition will usually remain unencrypted, as the bootloader needs +to be able to boot the kernel itself before invoking LUKS/dm-crypt. Some +distributions support encrypting the `/boot` partition as well (e.g. +[Arch][16]), and it is possible to do the same on other distros, but likely at +the cost of complicating system updates. It is not critical to encrypt +`/boot` if your distro of choice does not natively support it, as the kernel +image itself leaks no private data and will be protected against tampering +with a cryptographic signature checked by SecureBoot. #### Choosing good passphrases @@ -787,4 +788,4 @@ This work is licensed under a [13]: https://www.yubico.com/products/yubikey-hardware/yubikey-neo/ [14]: https://wiki.debian.org/Subkeys [15]: https://github.com/lfit/ssh-gpg-smartcard-config - +[16]: http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
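Review bot: In the `@@ -234,13 +234,14 @@` hunk, the last added sentence turns the old "should be protected against tampering" into "will be protected against tampering with a cryptographic signature checked by SecureBoot", which states the protection as a given even though the guide can only recommend it. Suggest conditional wording such as "is protected against tampering when SecureBoot is enabled". The argument for leaving `/boot` unencrypted is also made for the kernel image alone ("the kernel image itself leaks no private data"), so either scope the sentence explicitly to the kernel image or say what protects whatever else the bootloader reads from `/boot`.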
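Review bot: In the `@@ -787,4 +788,4 @@` hunk, the new reference `[16]` is a plain `http://` URL, while `[13]` to `[15]` directly above it are all `https://`. It also points at pavelkogan.com, whereas the body text labels the link "Arch" in "(e.g. [Arch][16])", which reads as if it led to distribution documentation. Suggest using an `https://` link if the site serves one, and changing the link text so it describes the target (a third-party write-up on LUKS full disk encryption) or linking the distribution's own documentation instead.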