Petite boot and encrypting /boot

[Borley]

Can Petite boot work with an encrypted /boot directory? I have seen several methods for setting this up but it looks like they go through GRUB. I may not understand this correctly, but doesn't Petite boot stand in for GRUB, when using Raptor systems?

[Skirmisher]

Nominally, yes: petitboot can detect LUKS volumes and will prompt the user to unlock them with a password if selected. It then reads the GRUB (or other bootloader) configs stored on the encrypted volume the same as the unencrypted ones, executing the entries itself instead of starting another bootloader. Note that once booted, the host OS still needs to unlock the volume itself (petitboot `kexec`s the installed kernel, so nothing is preserved). Existing FDE guides cover how to include a keyfile in the initrd, to avoid having to input the password a second time.

However, as it stands, none of the Raptor firmware images include the necessary support for unlocking encrypted devices. I believe some of them may include the `cryptsetup` binary, but (I think) there are still missing kernel modules that provide the necessary crypto algorithms. Unfortunately, even upstream op-build doesn't have a functioning config for this either, and no one has done the work to figure out what changes need to be made, as far as I know. I would love to see this working one day, though!

[Corvidae]

I know this thread is a bit old, but I figured I'd share how I managed to get cryptsetup working properly in petitboot. It does require custom firmware right now, though.

First, the firmware kernel is missing modules needed for decrypting LUKS volumes. Attached is a patch to add all of the possible cryptography configurations needed to the kernel config, based on blackbird-op-build. If you know the algorithms used for your specific setup, you can trim down some of the algorithms you don't need. You can also run "cryptsetup benchmark" in petitboot to test things - if it says "N/A" instead of a number, it's not working.

Also, I'm not sure if this is true or not, but the cryptsetup version shipped in the current firmware might not support LUKS2 headers - the output of the newer versions mention LUKS2 while the firmware version doesn't. I ended up updating that to the latest version as I thought that might have been the problem before I investigated the kernel config. Another patch is attached for that. There is also a change to point the lvm2 sources to sourceware.org instead of sources.redhat.com, as the latter seems to be down (?). If that's not the case, feel free to remove that as well.

I am a complete novice at using patches for git, so please let me know if I messed something up.

[ClassicHasClass]

Nice work.

[power9mm]

so is there no option for hard drive encryption when installing your OS?

[Corvidae]

so is there no option for hard drive encryption when installing your OS?

You can still encrypt part of your disk without the patched firmware, but you will need to have an unencrypted bootloader (like GRUB), since something needs to decrypt the rest of the drive. Having Petitboot able to decrypt drives makes things a bit simpler and also means the entire drive can be encrypted (and you can even have Petitboot be the bootloader too).

[power9mm]

oh I see. thanks for that clarification. For some reason I assumed it was already capable of doing that. Glad its an option now though. Id rather not use GRUB