Linux boot loaders supporting full disk encryption?

I think the current version of GRUB2 does not have support for loading and decrypting LUKS partitions by itself (it contains some ciphers but I think they are used only for its password support). I cannot check the experimental development branch, but there are some hints in the GRUB page that some work is planned to implement what you want to do.

Update (2015): the latest version of GRUB2 (2.00) already includes code to access LUKS and GELI encrypted partitions. (The xercestch.com link the OP provided mentions the first patches for that, but they are now integrated in the latest release).

However, if you are trying to encrypt the whole disk for security reasons, please note that an unencrypted boot loader (like TrueCrypt, BitLocker or a modified GRUB) offers no more protection than an unencrypted /boot partition (as noted by JV in a comment above). Anybody with physical access to the computer can just as easily replace it with a custom version. That is even mentioned in the article at xercestech.com you linked:

To be clear, this does not in any way make your system less vulnerable to offline attack; if an attacker were to replace your bootloader with their own, or redirect the boot process to boot their own code, your system can still be compromised.

Note that all software-based products for full disk encryption have this weakness, no matter if they use an unencrypted boot loader or an unencrypted boot/preboot partition. Even products with support for TPM (Trusted Platform Module) chips, like BitLocker, can be rooted without modifying the hardware.

A better approach would be to:

  1. decrypt at the BIOS level (in motherboard or disk adapter or external hardware [smartcard], with or without a TPM chip), or
  2. carry the PBA (preboot authorization) code (the /boot partition in this case) in a removable device (like a smartcard or a USB stick).

To do it the second way, you can check the Linux Full Disk Encryption (LFDE) project at: http://lfde.org/ which provides a post-install script to move the /boot partition to an external USB drive, encrypting the key with GPG and storing it in the USB too. In that way, the weaker part of the boot pathway (the non-encrypted /boot partition) is always with you (you will be the only one with physical access to the decrypting code AND the key). (Note: this site has been lost and the author's blog also disappeared; however, you can find the old files at https://github.com/mv-code/lfde, just note that the last development was done 6 years ago). As a lighter alternative, you can install the unencrypted boot partition on a USB stick while installing your OS.

Regards, MV
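One practical check for the unencrypted /boot that the answer above warns about, as an added example (not code from the answer's author or from the LFDE project): record a SHA-256 manifest of the /boot tree, keep the manifest on the removable device, and re-verify the tree before trusting the boot chain. It assumes GNU coreutils on Linux (sha256sum, xargs -r) and uses a constructed stand-in directory instead of a real /boot.

```shell
#!/bin/sh
# Keep a SHA-256 manifest of the unencrypted /boot tree and re-check it later.
# Regenerating the whole manifest (instead of `sha256sum -c`) also catches files
# that were added or removed, not only files whose contents changed.
# Assumes GNU coreutils on Linux (sha256sum, xargs -r).

build_manifest() {   # usage: build_manifest <dir> <manifest-file>
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs -r sha256sum ) > "$2"
}

verify_manifest() {  # usage: verify_manifest <dir> <manifest-file>; returns 0 only if unchanged
    tmp=$(mktemp)
    build_manifest "$1" "$tmp"
    if cmp -s "$tmp" "$2"; then
        rm -f "$tmp"
        return 0
    fi
    # Report which entries differ so the operator can see what changed.
    diff "$2" "$tmp" | grep '^[<>]' | sed 's/^</MISSING OR CHANGED: /; s/^>/NEW OR CHANGED: /'
    rm -f "$tmp"
    return 1
}

# Constructed demonstration tree (a stand-in for /boot, not a real one):
# records a manifest, checks it, then modifies grub.cfg and checks again.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/boot/grub"
    printf 'fake kernel image\n' > "$root/boot/vmlinuz"
    printf 'fake initramfs\n'     > "$root/boot/initrd.img"
    printf 'set root=(hd0,1)\n'   > "$root/boot/grub/grub.cfg"
    build_manifest "$root/boot" "$root/boot.sha256"
    if verify_manifest "$root/boot" "$root/boot.sha256" >/dev/null; then clean=0; else clean=1; fi
    printf 'echo modified\n' >> "$root/boot/grub/grub.cfg"   # simulate an altered /boot
    if verify_manifest "$root/boot" "$root/boot.sha256" >/dev/null; then tampered=0; else tampered=1; fi
    rm -rf "$root"
    echo "clean=$clean tampered=$tampered"          # prints: clean=0 tampered=1
    [ "$clean" -eq 0 ] && [ "$tampered" -eq 1 ]
}

demo
```

Run the check from an environment you already trust (for instance after booting from the removable /boot the answer recommends): a verification executed after booting through a tampered loader proves nothing, because the loader could hide the change.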


Make your Initial RAMdisk, and /boot folder not use encryption.

This will bring up a "minimal" kernel, with drivers and support to switch to the "actual" root filesystem which is encrypted.

Before you claim "this is a hack" - remember - most (if not all) Linux distros boot this way today by default. This explicitly allows your system to boot and load your root FS, using modules that it needs to load from a filesystem. (Sort of a chicken-and-egg problem). For example, if your root filesystem was on a hardware RAID volume, you would need to load its driver before you could mount your root FS.


I reviewed the link you posted - although there is no boot partition, there is still an unencrypted boot loader on the hard disk which could be accessed and compromised using an evil maid attack. I've been looking into a similar setup, in which there is no unencrypted data on the hard disk, but so far I've only come up with running a boot loader from a removable drive.