[dm-crypt] Integrate cryptsetup in bootloader

Alex Elsayed eternaleye at gmail.com
Wed Nov 20 10:09:11 CET 2013

Christoph Anton Mitterer wrote:

> On Tue, 2013-11-19 at 09:20 +0700, Trinh Van Thanh wrote:
>> Unencrypted boot partition is not safe for some special requirements.
>> So I want to increase the secure level for full disk encryption using
>> dm-crypt. Can I integrate cryptsetup in bootloader (example GRUB2) or
>> is there any other solutions?
> Integrating it in the bootloader doesn't really help you since then the
> bootloader is the weak point.
> In the end you'll always need an unencrypted kernel/initrd/bootloader...
> so what one can do is booting from a USB stick,.. which you have always
> with you... and then have a fully encrypted root-fs.

Integrating with the bootloader isn't a _solution_, but it is a 

If you're using GRUB2 in a traditional (non-EFI) boot configuration, you can 
get away with leaving VERY little space for an attacker to work in. In 
particular, the space before the protective MBR (which is filled by grub's 
core, and not especially useful to tamper with) and the BIOS Boot Partition 
it uses to store the more full image (EF02 in gdisk).

By creating a truly minimal grub image (cryptdisk, your boot filesystem 
driver, the linux loader, maybe a couple other things) in which every part 
is necessary to the boot process, and placing the BBP at the end of the 
disk, you can force the partition to be the exact minimal size that will 
hold that data by resizing the LUKS partition.

That way, tampering in a manner that WON'T cause the boot process to fail 
entirely becomes exceedingly difficult, and something with sufficient 
complexity to patch the kernel becomes prohibitive.

I used to use GRUB2's cryptdisk support for a while, and while it was tetchy 
to work with it does function - if one is familiar with GRUB2's scripting 
syntax, coreboot's (very) brief overview is sufficient:


More information about the dm-crypt mailing list