Dual boot with encrypted partition

patti
2018-12-18
2018-12-21
  • patti

    patti - 2018-12-18

    Hi!
    First of all awesome work on rEFInd, thank you!

    I wonder if you could point me in the right direction (all I found was an old post here). I had a straightforward configuration:

    sda1 - ESP EFI Partition
    sda2 - Windows 10
    sda3 - empty

    I tried to install Debian on a LUKS-encrypted sda3. So in the Debian installer I created an encrypted sda3 partition and used it for a Volume Group with root, home and swap logical volumes - everything worked fine. My idea was NOT to touch sda1 here, but to boot into live Debian, decrypt sda3 with "cryptsetup luksOpen" (worked fine), chroot into this Debian on sda3 and then mount sda1 at /mnt/boot/efi. After that, install rEFInd from within the chroot.

    This is what I did and it worked fine (according to the terminal output). The rEFInd menu looked indeed good after a restart, except there is only a Windows entry. Is there maybe a way to make this configuration work with rEFInd?

  • Roderick W. Smith

    It sounds like your entire Debian installation, including the kernel, is encrypted. rEFInd does not directly support encryption; you'll need either an unencrypted partition to hold your kernels and initrd files or an EFI driver that supports the decryption tool you're using. AFAIK, the latter does not exist, so really, you need an unencrypted partition for the kernels. In some cases, you can put your kernel(s) on the ESP; however, the ESP is often too small for this, and using it in this way can be awkward. It's usually better to have a separate unencrypted /boot partition.

  • patti

    patti - 2018-12-18

    Thank you for the quick response. I suspect that's exactly the issue here. However, it's not that /boot is encrypted; there is no boot partition for Debian at all.
    It was my dilemma during the install: if I choose sda1 as the boot partition for the Linux system and reformat it, I'll lose the Windows EFI configuration on that partition.
    This is why I did not touch sda1, but I was trying to find a way to install the necessary files on that unencrypted partition afterwards (from the live system as chroot), so that it'll boot the encrypted system on sda3. I'll try some solutions, e.g. making a backup of sda1 (EFI), installing Debian with sda1 as an unencrypted /boot, saving the files from there, restoring sda1 (EFI) and adding the files necessary for starting Debian. After that, installing rEFInd. I'm not sure it'll work; I'll leave feedback.

  • Roderick W. Smith

    If you're willing to re-install, or to back up, re-partition, and restore, then the easiest solution is to create a separate /boot partition. In Debian, /boot contains no sensitive files. (In theory, an attacker could learn some things about the installation, such as that it's a Debian system, but that's pretty unavoidable if you're using rEFInd to load the kernel.) You can also create a separate /boot partition without re-installing by shrinking an existing partition and putting /boot in the freed space.

    Putting the kernel on the ESP is another option, but it's got serious drawbacks. In brief, you'd need to either:

    • Come up with a way to copy new kernels and initrd files to the ESP whenever they're installed. You can do this manually, but it's too easy to overlook two or three updates, at which point the system might fail to boot because the kernel rEFInd uses no longer has matching module files in /lib/modules. You could also set up a startup script, shutdown script, cron job, or something similar to monitor the files and copy them as necessary. Arch Linux users developed systemd configurations to do this, but I don't have pointers offhand, and I don't know how well this solution would work in Debian.
    • Mount the ESP at /boot rather than at /boot/efi. This will cause kernels to be placed automatically in the root directory of the ESP. The trouble is that Debian packages create symbolic links when doing some (but not all) kernel updates, so you might run into problems because FAT doesn't support symbolic links. (I used this configuration on an Ubuntu system for a while and had problems with maybe 1 in 4 kernel updates. I don't know how often Debian would run into this issue.)

    In both of these cases, there's also the potential for problems if the ESP is too small to hold the kernels and initrd files. I don't know what Debian's default is, but my impression is that the default /boot size in most distributions these days is 512-1024 MiB, whereas ESPs are usually at the low end of that range or below it.
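
As an added example (not from this thread or from the rEFInd project), here is a POSIX sh script for the first option above: it copies Debian's kernel/initrd pairs from /boot to a directory on the ESP and warns when a copy on the ESP no longer has a matching /lib/modules/<version> directory, which is the boot failure described above. The hook file name, the EFI/debian directory and the mount point /boot/efi are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from rEFInd: keep an unencrypted copy of
# Debian's kernel/initrd pairs on the ESP so rEFInd can load them, and warn when a
# copy on the ESP has lost its /lib/modules/<version> directory (the kernel package
# was removed but the ESP copy stayed behind). Suggested install locations (assumed):
# /etc/kernel/postinst.d/zz-sync-kernels-to-esp and /etc/kernel/postrm.d/zz-sync-kernels-to-esp

# sync_kernels SRC DST: copy vmlinuz-*/initrd.img-* from SRC to DST, replacing a copy
# only when its content differs. Content is compared instead of using -nt because
# FAT stores 2-second timestamps, so mtime comparisons against the ESP are unreliable.
sync_kernels() {
    src=$1 dst=$2
    mkdir -p "$dst" || return 1
    for f in "$src"/vmlinuz-* "$src"/initrd.img-*; do
        [ -f "$f" ] || continue                  # glob matched nothing
        name=${f##*/}
        if [ ! -e "$dst/$name" ] || ! cmp -s "$f" "$dst/$name"; then
            cp "$f" "$dst/$name" || return 1
            echo "copied $name"
        fi
    done
    return 0
}

# check_modules DIR MODROOT: return 0 if every vmlinuz-<ver> in DIR has MODROOT/<ver>;
# otherwise name each orphaned kernel on stderr and return 1 so the problem is visible
# in the package manager's output instead of at the next boot.
check_modules() {
    dir=$1 modroot=$2 rc=0
    for k in "$dir"/vmlinuz-*; do
        [ -f "$k" ] || continue
        ver=${k##*/vmlinuz-}
        if [ ! -d "$modroot/$ver" ]; then
            echo "warning: $ver is on the ESP but has no modules under $modroot" >&2
            rc=1
        fi
    done
    return $rc
}

# Act only when invoked under the hook's file name, so the file can also be sourced
# to reuse the functions (for example from a cron job) without touching the ESP.
case $0 in
    *sync-kernels-to-esp)
        sync_kernels /boot /boot/efi/EFI/debian
        check_modules /boot/efi/EFI/debian /lib/modules ;;
esac
```

The warning from check_modules is the cue to delete the stale vmlinuz/initrd pair from the ESP (and any rEFInd manual stanza pointing at it) before rEFInd tries to boot it.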

  • patti

    patti - 2018-12-18

    Thank you for the hints and for pointing me in the right direction.

    As you suggested, I created a separate /boot partition for Debian and installed the system as before. Now I have one more (/boot) partition, and after the install a nice Grub menu with all the entries (also Windows) greeted me. I figured I would have made it troublesome for the future without any crucial benefits if I put the Debian /boot files on the ESP partition.

    For anyone wondering, here is how I did it:
    1. First created a full HDD backup of the system (I used the built-in Windows tool).
    2. Installed MiniTool Partition Wizard (I have used it many times for partitioning, great tool).
    3. There were some "DIAG" and "Winretools" partitions, which I deleted. Only the sda1 ESP partition and the sda2 Windows OS partition were left.
    4. Created a 1 GB (actually 512 MB is also enough) partition after sda1, which I used later as the /boot partition for Debian.
    5. Shrank the Windows partition to create free space for a partition to install Debian.
    6. When the partitioning was done, I had sda1 ESP partition, sda2 1 GB unformatted partition, sda3 Windows (NTFS) partition and sda4 unformatted partition (with 60 GB free space for Debian).
    7. dd'd the Debian live ISO onto a USB stick (tried the live system first), booted into the Debian graphical install, opted for "Manual" there.
    8. Formatted the 1 GB sda2 as ext3 and used it as /boot (mount point).
    9. Used the free 60 GB unformatted partition as the partition for encryption (which means it has to be formatted first as an encrypted partition with a passphrase).
    10. When the encryption of the partition was done, created a Logical Volume Group on the whole encrypted partition.
    11. On the Logical Volume Group created three Logical Volumes: 15 GB Root, 39 GB Home and 6 GB Swap.
    12. Formatted Root as ext4 with mount point /, Home as ext4 with mount point /Home, and the Swap partition obviously as swap.
    13. After this configuration, finished partitioning and installed the system.

    After booting into Debian, rEFInd can be installed as well. Now I'm thinking about making this dual boot system into a triple boot with Windows, Debian and Android. So I think I'll try to figure out how to install an Android system on the machine.

  • patti

    patti - 2018-12-21

    There is one thing I forgot to add: the above setup works fine; however, on a tablet or convertible machine it won't be possible to enter the LUKS passphrase in tablet mode without a physical keyboard, because there is no on-screen keyboard at that stage of the boot process.

    There might be a solution for this issue on Linux, but I haven't found one yet.
