3

I wonder if it is possible to encrypt an EFI system partition (ESP)?

I would like to set up a virtual machine (VirtualBox) using EFI as the boot manager, which is supported by the OS used (Arch Linux). Is there a way to encrypt the boot partition (ESP) using dm-crypt with LUKS? I would like to use systemd's boot loader to run the kernel without the need for something like GRUB.

Another thing: does it make sense for the ESP partition to be encrypted, given that the loaded kernel might be signature-checked?

maxik
  • 133
  • 2
  • 6

3 Answers

6

As of right now there doesn't seem to be any firmware that supports encrypted ESPs, but there is little need for that.

Secure boot takes care of checking the signature of whatever EFI application you're about to load, so bootkits/rootkits or malicious OSes are dealt with.

If you do actually have confidential data in the ESP your best bet is to put the confidential data in a separate, encrypted partition, and put some EFI application in the ESP that can understand and decrypt your encrypted partition. A small Linux or even GRUB which has basic support for LUKS.

André Borie
  • 12,706
  • 3
  • 39
  • 76
  • The extra paranoid might want to hide / make it difficult to discover which bootloader they are using, as all software has bugs that might be exploitable. If the attacker could inspect the binary for version identifiers, it could aid them in finding a known exploit. – Huckle Feb 03 '18 at 20:04
1

The ESP cannot be encrypted because the firmware (UEFI) itself needs the ability to read it (EFI bootloaders are just ordinary files stored in the ESP).

yyy
  • 159
  • 1
  • 5
0

You cannot encrypt the entire ESP partition because the bootloader is unable to unlock a dm-crypt container in order to continue the boot process.

You can secure the /boot partition using a GRUB-encrypted partition, because GRUB has the ability to unlock a LUKS-encrypted /boot.

GAD3R
  • 2,211
  • 3
  • 15
  • 38
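
The layout that this answer and André Borie's answer above both point to (a plaintext ESP that the firmware can read, with the kernel and initramfs on a separate LUKS partition that GRUB unlocks) looks roughly like the following. This is an added example, not code from either answer or from the GRUB project; the device names (/dev/sda1, /dev/sda2), mount points and the sample config lines in the demo are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread above. Device names, mount points
# and the sample configuration lines are assumptions for illustration.

# --- Part 1: checks a defender can run on a finished machine -------------
grub_cryptodisk_enabled() {
    # Returns 0 when /etc/default/grub (or the file given) contains an
    # uncommented GRUB_ENABLE_CRYPTODISK=y, with or without quotes.
    # Without this, grub-install leaves the luks/cryptodisk modules out of
    # core.img and grub-mkconfig emits no cryptomount line.
    grep -E -q '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=["'"'"']?y["'"'"']?[[:space:]]*$' "$1"
}

grub_cfg_unlocks_boot() {
    # Returns 0 when the generated grub.cfg contains a cryptomount command,
    # i.e. GRUB will ask for the /boot passphrase before it can read the
    # kernel from the encrypted partition.
    grep -E -q '^[[:space:]]*cryptomount[[:space:]]' "$1"
}

# --- Part 2: the setup the answers describe ------------------------------
# Wrapped in a function that this script never calls, so the file can be
# read or sourced without touching any disk.
setup_encrypted_boot() {
    disk=${1:-/dev/sda}   # assumption: ${disk}1 = ESP, ${disk}2 = future /boot

    # LUKS1 is the header format GRUB's luks module has supported the longest.
    cryptsetup luksFormat --type luks1 "${disk}2"
    cryptsetup open "${disk}2" cryptboot
    mkfs.ext4 /dev/mapper/cryptboot
    mount /dev/mapper/cryptboot /boot
    mkdir -p /boot/efi
    mount "${disk}1" /boot/efi        # the ESP itself stays plain FAT

    grub_cryptodisk_enabled /etc/default/grub ||
        printf 'GRUB_ENABLE_CRYPTODISK=y\n' >> /etc/default/grub

    grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB
    grub-mkconfig -o /boot/grub/grub.cfg
    # The initramfs still has to unlock the root filesystem afterwards, so
    # the passphrase is asked twice unless a keyfile is embedded in it.
}

# --- Part 3: run the checks against constructed sample files -------------
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed samples: one config with the setting commented out, one
    # with it enabled (quoted), and a grub.cfg fragment with a cryptomount.
    printf '#GRUB_ENABLE_CRYPTODISK=y\nGRUB_TIMEOUT=5\n' > "$dir/grub.off"
    printf 'GRUB_TIMEOUT=5\nGRUB_ENABLE_CRYPTODISK="y"\n' > "$dir/grub.on"
    printf 'insmod cryptodisk\ninsmod luks\ncryptomount -u 0123456789abcdef\n' > "$dir/grub.cfg"
    for f in grub.off grub.on; do
        if grub_cryptodisk_enabled "$dir/$f"; then
            echo "$f: cryptodisk enabled"
        else
            echo "$f: cryptodisk NOT enabled"
        fi
    done
    if grub_cfg_unlocks_boot "$dir/grub.cfg"; then
        echo "grub.cfg: GRUB will unlock /boot before loading the kernel"
    fi
    rm -rf "$dir"
}

demo
```

The two check functions are the part worth keeping on a real machine: after any GRUB package upgrade, re-running `grub_cryptodisk_enabled /etc/default/grub` and `grub_cfg_unlocks_boot /boot/grub/grub.cfg` confirms that the regenerated core image and config still know how to reach the encrypted /boot; the ESP remains readable by the firmware in any case, which is exactly why the first answer recommends Secure Boot rather than encryption for protecting what lives there.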