Linux

10114 readers

938 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago

MODERATORS

Ategon@programming.dev

anzo@programming.dev

dwraf_of_ignorance@programming.dev

Why call it full-disk encryption when the EFI partition has to be unencrypted? (programming.dev)

submitted 1 day ago by onlinepersona@programming.dev to c/linux@programming.dev

36 comments fedilink hide all child comments

Sounds like a misnomer to me.

you are viewing a single comment's thread
view the rest of the comments

[–] moonpiedumplings@programming.dev 1 points 1 day ago* (last edited 1 day ago) (1 children)

Share your lsblk output. It's likely that your system still leaves the bootloader unencrypted on the disk, even if the kernels and bootloader config are being encrypted (they aren't encrypted by default on most installs).

It is theoretically possible to have only one partition that is luks encrypted, but this requires you to store the bootloader in the UEFI, and not all motherboards support this, so distros usually just install it to an unencrypted partition. The UEFI needs to be able to read an unencrypted bootloader from somewhere. That's why it's somewhat absurd to claim that the ESP can be encrypted, because it simply can't.

From your link:

One difference is that the kernel and the initrd will be placed in the unencrypted ESP,

[–] BCsven@lemmy.ca 2 points 1 day ago

Yeah, I'm using a large font in reader mode and I think I had the word encrypted showing without un onscreen.

You are correct, it makes a custom binary in the fat partition that is verified by TPM for unlocking/proceeding, that binary then contains the other parts to move forward.