Am 04.09.2012 19:37, schrieb Hinnerk van Bruinehsen:
> On 04.09.2012 15:48, "Roland Häder" wrote:
>> I think I made a (tollerateable) mistake:
> 
>> My hard drive has two partitions: - sda1 - encrypted swap - sda2 -
>> encrypted root
> 
>> How should it boot? One way could be by external media (e.g.
>> stick), other is from hard drive. But that is encrypted. So I must
>> leave a small area left for kernel, initrd, System.map and maybe
>> config.
> 
>> So the page at [1] is a little wrong because it misses the boot
>> partition, so the new layout should be: - sda1 - unencrypted boot
>> (/boot) partition - sda2 - encrypted swap (at least as double as
>> your RAM) (crypt-swap) - sda3 - encrypted root (crypt-root)
> 
>> Can someone update this?
> 
>> Regards, Roland
> 
>> [1]: http://wiki.gentoo.org/wiki/DM-Crypt
> 
> 
> In theory grub2 is able to open a luks-encrypted volume though it
> seems to have some disadvantages: you'll need to enter the passphrase
> (or pass the keyfile) two times, because grub itself needs to decrypt
> the volume to get the later stages from the encrypted volume and
> afterwards the decryption in the bootprocess itself takes place.
> 
> I can't give any real advice about it though, because I use an
> unencrypted boot partition. Depending on your needs it could be an
> increase of security, because you can stop an attacker from injecting
> malicious code into your kernel (or replace it completely).
> 
> WKR
> Hinnerk


For personal use, I see no point in using an encrypted boot partition.
An attacker needs physical or root access to change the kernel or initrd
in order to get to your encrypted data. In both cases, you are hosed
anyway (keyloggers, etc.).

Encrypting everything except the boot partition still protects you
against theft, seizure and so on (as long as you sanitize the device
when you get it back). Secure Boot would help further but let's not
re-iterate that particular flame/FUD war.

Regards,
Florian Philipp