LUKS - How can / be encrypted but /boot and /boot/efi are not?

Question

This is more of a educational and curiosity question, rather than tying to fix a problem. I have an Ubuntu system using LUKS. lsblk shows this:

Noteably, / is encrypted but /boot and /boot/efi are not. This is important because LUKS needs /boot to be unencrypted in order to boot GRUB.

But... / contains /boot. So it seems that if / is encrypted, that would force /boot to be too. After all, how would you know where on disk /boot starts, since /'s pointer to /boot is encrypted? (i assume)

Thank you!

G-Man Says 'Reinstate Monica' · Accepted Answer · 2024-05-23 20:48:44Z

5

The devices (partitions) that / and /boot reside on are different, and one can be encrypted while the other is not. GRUB knows how to find /boot by using something like set root=(hd0,1) or search --hint=... as defined in grub.cfg.

Since GRUB can handle booting into multiple OS's installed simultaneously, the / file system (or C:) cannot be used to locate /boot unambiguously.

edited May 23, 2024 at 20:48

G-Man Says 'Reinstate Monica'

24k29 gold badges76 silver badges130 bronze badges

answered May 23, 2024 at 17:45

doneal24

5,9432 gold badges21 silver badges42 bronze badges

I see, thank you! Do you know anywhere I could read up on how the devices that these two directories reside on might be different? I think it's interesting that a directory's direct child might be on a different device.

SuperDialga
– SuperDialga

2024-05-23 17:54:11 +00:00
Commented May 23, 2024 at 17:54
1

/boot can be encrypted too at least in Debian, I successfully tried it.

schrodingerscatcuriosity
– schrodingerscatcuriosity

2024-05-23 18:16:11 +00:00
Commented May 23, 2024 at 18:16
@SuperDialga Using multiple devices has been around for decades. Perhaps wikipedia would be a good start?

doneal24
– doneal24

2024-05-23 18:19:42 +00:00
Commented May 23, 2024 at 18:19
@schrodingerscatcuriosity You still can't encrypt /boot/efi but enabling secure boot (if possible with your distribution) will make it reasonably safe.

doneal24
– doneal24

2024-05-23 18:27:02 +00:00
Commented May 23, 2024 at 18:27
@SuperDialga that's because unlike in Windows, in *nix, we can only have devices mounted as subdirectories of /. Then obviously if / itself is the boot device's root partition, any other device would be mounted under /. The same logic applies to separate ESP and Boot partitions.

Blacklight MG
– Blacklight MG

2025-05-19 03:51:44 +00:00
Commented May 19 at 3:51

Add a comment |

Stack Exchange Network

LUKS - How can / be encrypted but /boot and /boot/efi are not?

1 Answer 1

You must log in to answer this question.

Hot Network Questions

LUKS - How can / be encrypted but /boot and /boot/efi are not?

1 Answer 1

You must log in to answer this question.

Related

Hot Network Questions