axet
26th July 2012, 06:53 AM
Currently Fedora does not allow you to encrypt the whole disk. It will leave /boot unencrypted.
Here are patches which allow full disk encryption and allow GRUB to boot from this partition.
http://lists.gnu.org/archive/html/grub-devel/2011-04/msg00148.html
I hope Fedora people also improve this solution by adding passing of the LUKS password to the kernel.
Here are the obvious advantages:
1) preventing compromised kernel images from storing your decryption password somewhere
2) only 1 partition (/) instead of 2 (/boot, /)
3) EFI boot machines with signature check should only check GRUB! and not the kernel itself (solves Fedora kernel signing issue)