The story started by reading this. But in my case that setup didn't work out because of the EFI partition, so I'm writing this down to remember what I did.
First of all, the advantages of encrypting the /boot partition are:
- As Dusty mentioned, there are some dangers in leaving the bootloader and ramdisks unencrypted.
- Also, my original /boot partition had 250MB, which was not enough; now it's not complaining anymore.
Second, what bothers me a little after this setup is:
- I have to type my password twice on boot.
- After each kernel update I have to run the grub-guide-install.sh script. If I don't, I have to use a Live CD and recover.
I installed Fedora 27 and my configuration is as follows.
[root@localhost ~]# lsblk -i -o NAME,TYPE,MOUNTPOINT
NAME TYPE MOUNTPOINT
sr0 rom
nvme0n1 disk
|-nvme0n1p1 part
|-nvme0n1p2 part /boot/efi
|-nvme0n1p3 part
| `-luks-8b85ea85-29fc-4eb0-a260-ea9e9ad05393 crypt /
|-nvme0n1p4 part
| `-luks-30be76a8-cddf-4682-9e3c-20e518c2d107 crypt /home
|-nvme0n1p5 part /opt
`-nvme0n1p6 part
`-luks-be8bc21c-685f-4c78-9fb6-8ba4a60d5ae8 crypt [SWAP]
The partition nvme0n1p1 was the original /boot partition, and I moved its contents into the /boot directory on the encrypted root filesystem on nvme0n1p3, as follows. Bind-mounting / on /mnt exposes the /boot directory that is hidden underneath the mounted /boot partition, so the files can be copied into it.
[root@localhost ~]# mount --bind / /mnt/
[root@localhost ~]# cp -a /boot/* /mnt/boot/
[root@localhost ~]# cp -a /boot/.vmlinuz-* /mnt/boot/
[root@localhost ~]# diff -ur /boot/ /mnt/boot/
[root@localhost ~]# umount /mnt
Then, following Dusty's guide, I had to be careful not to remove the /boot/efi partition from /etc/fstab, so I added a space in the sed substitution clause: the pattern '/boot ' matches the separate /boot line but not the /boot/efi line.
[root@localhost ~]# umount /boot
[root@localhost ~]# sed -i -e '/\/boot /d' /etc/fstab
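To see why that trailing space matters, here is an added check (my own example, not from the original post) that runs both the pattern above and the pattern without the space over a constructed fstab containing a separate /boot line and the /boot/efi line; the UUIDs are made up.

```shell
#!/bin/bash
# Added example, not from the original post: show why the trailing space in the
# sed pattern matters. The fstab below is constructed; the UUIDs are made up.
set -u

# Constructed sample fstab: a separate /boot line plus the /boot/efi line that
# must survive the edit.
sample_fstab() {
  cat <<'EOF'
UUID=11111111-1111-1111-1111-111111111111 /         ext4 defaults 1 1
UUID=22222222-2222-2222-2222-222222222222 /boot     ext4 defaults 1 2
UUID=3333-3333                            /boot/efi vfat umask=0077,shortname=winnt 0 2
UUID=44444444-4444-4444-4444-444444444444 /home     ext4 defaults 1 2
EOF
}

# Pattern from the post: "/boot " followed by a space, so only the plain /boot
# mount line is deleted.
drop_boot_safe() {
  sed -e '/\/boot /d'
}

# The pattern without the space matches every line containing "/boot",
# including /boot/efi, which would leave the EFI System Partition unmounted.
drop_boot_naive() {
  sed -e '/\/boot/d'
}

# Count how many fstab lines mount at the given path (exact second-field match).
count_mount() {  # $1 = mount point, stdin = fstab
  awk -v mp="$1" '$2 == mp { n++ } END { print n + 0 }'
}

safe_boot_lines=$(sample_fstab | drop_boot_safe | count_mount /boot)
safe_efi_lines=$(sample_fstab | drop_boot_safe | count_mount /boot/efi)
naive_efi_lines=$(sample_fstab | drop_boot_naive | count_mount /boot/efi)

echo "safe pattern:  /boot lines=$safe_boot_lines  /boot/efi lines=$safe_efi_lines"
echo "naive pattern: /boot/efi lines=$naive_efi_lines"
```

One caveat: the pattern only works when the mount point is followed by a space. If your fstab separates fields with tabs, '/boot ' will not match at all and the /boot line stays; check the file with cat -A before and after running sed.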
Add GRUB_ENABLE_CRYPTODISK=y to the /etc/default/grub file.
[root@localhost ~]# echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub
[root@localhost ~]# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rd.driver.blacklist=nouveau modprobe.blacklist=nouveau nvidia-drm.modeset=1 rd.luks.uuid=luks-8b85ea85-29fc-4eb0-a260-ea9e9ad05393 rd.luks.uuid=luks-be8bc21c-685f-4c78-9fb6-8ba4a60d5ae8 rhgb quiet rd.driver.blacklist=nouveau"
GRUB_DISABLE_RECOVERY="true"
GRUB_ENABLE_CRYPTODISK=y
Here we reach the grub-guide-install.sh script, which I ran for the first setup and after every kernel update.
#!/bin/bash
set -e
# Reinstall the grub2 EFI packages and shim, then regenerate both grub.cfg copies
dnf reinstall -y grub2-efi grub2-efi-modules shim
grub2-mkconfig -o /boot/grub2/grub.cfg
grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
# Install a GRUB image that can open the LUKS container into the EFI System Partition
grub2-install --efi-directory=/boot/efi /dev/nvme0n1
And you're good to go.
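Before rebooting (or before typing exit in the chroot during recovery), it is worth checking that the steps above actually left what GRUB needs, since the failure mode is a machine that only comes back with a Live CD. The script below is an added example, not from the original post or Dusty's guide. It checks that /etc/default/grub has GRUB_ENABLE_CRYPTODISK=y, that fstab still mounts /boot/efi and no longer a separate /boot, that grub.cfg contains a cryptomount line for the root LUKS UUID (8b85ea85-29fc-4eb0-a260-ea9e9ad05393 from the lsblk output), and that the kernel and initramfs for a given version exist in the encrypted /boot. The cryptomount check assumes that grub2-mkconfig writes "cryptomount -u <uuid>" with the UUID's dashes stripped when cryptodisk is enabled; compare against your own grub.cfg. File paths are parameters, so the script runs here against constructed sample files in a temporary directory (the kernel version string is made up); on a real system point it at /etc/default/grub, /etc/fstab, /boot/grub2/grub.cfg and /boot with $(uname -r).

```shell
#!/bin/bash
# Added example, not from the original post: pre-reboot sanity checks for the
# encrypted-/boot setup. File paths are parameters so the checks can run against
# the constructed sample files created by make_sample below.
set -u

# Check 1: /etc/default/grub enables cryptodisk support (exact line match).
check_cryptodisk_enabled() {  # $1 = path to /etc/default/grub
  grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$1"
}

# Check 2: fstab still mounts /boot/efi exactly once and no longer mounts a
# separate /boot (comment lines are ignored).
check_fstab() {  # $1 = path to fstab
  awk '$1 !~ /^#/ && $2 == "/boot"     { boot++ }
       $1 !~ /^#/ && $2 == "/boot/efi" { efi++ }
       END { exit !(boot + 0 == 0 && efi + 0 == 1) }' "$1"
}

# Check 3: grub.cfg unlocks the LUKS container that holds /. Assumption: the
# generated config carries "cryptomount -u <uuid>" with the dashes removed.
check_grub_cfg_unlocks() {  # $1 = path to grub.cfg, $2 = LUKS UUID (dashed form)
  nodash=$(printf '%s' "$2" | tr -d '-')
  grep -q "cryptomount -u ${nodash}" "$1"
}

# Check 4: kernel and initramfs for the given version exist in the /boot that
# now lives on the encrypted root.
check_kernel_present() {  # $1 = boot directory, $2 = kernel version string
  [ -f "$1/vmlinuz-$2" ] && [ -f "$1/initramfs-$2.img" ]
}

# Run every check, print PASS/FAIL per check, return 1 if any failed.
run_all_checks() {  # $1 = dir with default_grub, fstab, grub.cfg, boot/; $2 = LUKS UUID; $3 = kernel version
  failed=0
  for name in cryptodisk fstab grub_cfg kernel; do
    case $name in
      cryptodisk) check_cryptodisk_enabled "$1/default_grub" ;;
      fstab)      check_fstab "$1/fstab" ;;
      grub_cfg)   check_grub_cfg_unlocks "$1/grub.cfg" "$2" ;;
      kernel)     check_kernel_present "$1/boot" "$3" ;;
    esac && echo "PASS $name" || { echo "FAIL $name"; failed=1; }
  done
  return $failed
}

# Constructed sample files that mirror what the setup should leave behind. The
# UUID is the root LUKS UUID from the post; the kernel version string is made up.
make_sample() {  # $1 = target directory
  mkdir -p "$1/boot"
  printf 'GRUB_TIMEOUT=5\nGRUB_ENABLE_CRYPTODISK=y\n' > "$1/default_grub"
  printf '%s\n' \
    'UUID=11111111-1111-1111-1111-111111111111 / ext4 defaults 1 1' \
    'UUID=3333-3333 /boot/efi vfat umask=0077,shortname=winnt 0 2' > "$1/fstab"
  printf 'insmod cryptodisk\ninsmod luks\ncryptomount -u 8b85ea8529fc4eb0a260ea9e9ad05393\n' > "$1/grub.cfg"
  : > "$1/boot/vmlinuz-1.0.0-example.fc27.x86_64"
  : > "$1/boot/initramfs-1.0.0-example.fc27.x86_64.img"
}

tmp=$(mktemp -d)
make_sample "$tmp"
if run_all_checks "$tmp" 8b85ea85-29fc-4eb0-a260-ea9e9ad05393 1.0.0-example.fc27.x86_64; then
  echo "all checks passed: safe to reboot"
else
  echo "some checks failed: fix before rebooting"
fi
rm -rf "$tmp"
```

On a real system the four check functions take the live files directly, for example check_grub_cfg_unlocks /boot/grub2/grub.cfg followed by the UUID shown by lsblk for the root LUKS device; a FAIL on the grub_cfg check after a kernel update is the symptom that would otherwise only show up as an unbootable machine.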
To find this solution I had to use a Live CD to recover my system with the following scripts. After booting the Fedora Live CD:
- Mount nvme0n1p3. Because it's encrypted, we have to use the following commands.
[root@localhost ~]# cryptsetup luksOpen /dev/nvme0n1p3 root
[root@localhost ~]# mount /dev/mapper/root /mnt
- Connect to the internet, because we want to use dnf later.
- Run the grub-guide-mount.sh script, as follows.
#!/bin/bash
set -e
# Mount the EFI System Partition inside the unlocked root, then bind the
# pseudo-filesystems the chroot needs (efivars so grub2-install can write boot entries)
mount /dev/nvme0n1p2 /mnt/boot/efi
for i in /dev /dev/pts /proc /sys /run /sys/firmware/efi/efivars; do mount -B "$i" "/mnt$i"; done
# Give the chroot working DNS for dnf, then enter it
cp /etc/resolv.conf /mnt/etc/resolv.conf
chroot /mnt
- Run the grub-guide-install.sh script.
- Run
[root@localhost ~]# exit
- Run the grub-guide-umount.sh script, as follows.
#!/bin/bash
# Lazy unmounts: /dev/pts and efivars sit under /dev and /sys and go away with them
for i in /dev /proc /sys /run; do umount -l "/mnt$i"; done
umount -l /mnt/boot/efi
- Run
[root@localhost ~]# shutdown -r now
And after rebooting, you can now see the grub boot menu.
Happy Encrypting!
Hadi