Author Topic: Petite boot and encrypting /boot  (Read 255 times)

Borley

  • Newbie
  • Posts: 35
  • Karma: +3/-0
Petite boot and encrypting /boot
« on: July 04, 2020, 04:45:14 pm »
Can petitboot work with an encrypted /boot directory? I have seen several methods for setting this up, but it looks like they go through GRUB. I may not understand this correctly, but doesn't petitboot stand in for GRUB when using Raptor systems?

Skirmisher

  • Newbie
  • Posts: 3
  • Karma: +0/-0
Re: Petite boot and encrypting /boot
« Reply #1 on: August 14, 2020, 12:46:26 pm »
Nominally, yes: petitboot can detect LUKS volumes and will prompt the user to unlock them with a password if selected. It then reads the GRUB (or other bootloader) configs stored on the encrypted volume the same as the unencrypted ones, executing the entries itself instead of starting another bootloader. Note that once booted, the host OS still needs to unlock the volume itself (petitboot `kexec`s the installed kernel, so nothing is preserved). Existing FDE guides cover how to include a keyfile in the initrd, to avoid having to input the password a second time.

However, as it stands, none of the Raptor firmware images include the necessary support for unlocking encrypted devices. I believe some of them may include the `cryptsetup` binary, but (I think) there are still missing kernel modules that provide the necessary crypto algorithms. Unfortunately, even upstream op-build doesn't have a functioning config for this either, and no one has done the work to figure out what changes need to be made, as far as I know. I would love to see this working one day, though!
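The reply above says the blocker is that the firmware kernel lacks the crypto modules that unlocking a LUKS volume needs. The script below is an added example, not code from the thread or from Raptor, op-build or petitboot; it shows how to check that from a petitboot shell by parsing /proc/crypto for the algorithm names a volume depends on. The algorithm list (aes, xts(aes), sha256) is an assumption standing in for a typical LUKS aes-xts-plain64 volume; substitute whatever `cryptsetup luksDump` reports for your volume. The /proc/crypto excerpt is constructed so the check also runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, Raptor, op-build or petitboot): report
# whether a kernel advertises the crypto algorithms a LUKS volume needs.

# list_crypto_algs FILE : print every "name : ..." value in a /proc/crypto dump.
# Each /proc/crypto record is a block of "key : value" lines; the name line is
# the algorithm (or template(inner-alg)) string dm-crypt will ask for.
list_crypto_algs() {
    awk -F': *' '$1 ~ /^name/ { print $2 }' "$1" | sort -u
}

# missing_crypto_algs FILE ALG... : print the ALGs not present in FILE,
# space-separated; prints an empty line when nothing is missing.
missing_crypto_algs() {
    mca_file="$1"; shift
    mca_have=$(list_crypto_algs "$mca_file")
    mca_missing=""
    for mca_alg in "$@"; do
        # -F: literal match, "xts(aes)" must not be read as a regex
        if ! printf '%s\n' "$mca_have" | grep -qxF "$mca_alg"; then
            mca_missing="$mca_missing $mca_alg"
        fi
    done
    printf '%s\n' "${mca_missing# }"
}

# write_sample_proc_crypto VARIANT : write a constructed /proc/crypto excerpt
# to a temp file and print its path. "full" lists sha256, aes and xts(aes);
# any other VARIANT omits xts(aes), mimicking a kernel built without the XTS
# template (the kind of gap the reply above describes).
write_sample_proc_crypto() {
    wsp_file=$(mktemp)
    cat > "$wsp_file" <<'EOF'
name         : sha256
driver       : sha256-generic
module       : kernel
type         : shash

name         : aes
driver       : aes-generic
module       : kernel
type         : cipher
EOF
    if [ "$1" = "full" ]; then
        cat >> "$wsp_file" <<'EOF'

name         : xts(aes)
driver       : xts(aes-generic)
module       : kernel
type         : skcipher
EOF
    fi
    printf '%s\n' "$wsp_file"
}

# report_host_support : best-effort report for the machine this runs on.
# Assumed requirement list: aes, xts(aes), sha256 (adjust to luksDump output).
report_host_support() {
    if command -v cryptsetup >/dev/null 2>&1; then
        echo "cryptsetup: present"
    else
        echo "cryptsetup: missing"
    fi
    if [ -r /proc/crypto ]; then
        rhs_missing=$(missing_crypto_algs /proc/crypto aes 'xts(aes)' sha256)
        if [ -z "$rhs_missing" ]; then
            echo "kernel crypto: all assumed-required algorithms present"
        else
            echo "kernel crypto: missing $rhs_missing"
        fi
    else
        echo "/proc/crypto not readable here; skipping kernel check"
    fi
}

report_host_support
```

Run it from the petitboot shell (or any Linux shell) to see what the running kernel offers; a non-empty "missing" list means `cryptsetup open` would fail with an unavailable-cipher error even if the binary itself is present. Note that dm-crypt itself does not appear in /proc/crypto; check for it separately via `/proc/devices` (device-mapper) or the dm_crypt module.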