Comment 6 for bug 1766865
Revision history for this message
| bugproxy (bugproxy) wrote Comment bridged from LTC Bugzilla | #6 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
35a32c5
(Get the code!)
------- Comment From <email address hidden> 2018-09-05 03:53 EDT-------
Addl. information
You cannot encrypt the boot partition. -- After all, there must be code to open an encrypted partition
You can encrypt the root partition
in order to do so the code in boot partition must open the boot partition
i.e., the initrd or initramfs contains code to issue the cryptsetup open/luksOpen commands for the root partition before the chroot command
with LUKS/LUKS2 you must provide a pass phrase - on PCs that is asked for interactively (possibly derived from the password) -- somehow Canonical does this with their Ubuntu distributions today
with protected keys crypto (PAES) - you need not protect a pass phrase. With dm-crypt plain mode you can use a secure key stored somewhere in the initrd/initramfs or with LUKS2 you can simply store the pass phrase in a file in the initrd/initramfs because the security of the disk key is protected by the HSM (CryptoExpress card) and does not depend on being wrapped by a secret pass phrase.
Note, before a system tries to use PAES it should verify that a CCA coprocessor (CEXnC adapter) is available.