Encrypted /boot in Debian Buster
01 Feb 2018

Goals & Prerequisites
The goal is a fully encrypted Linux root partition, including /boot, so that the kernel and initramfs are never stored in clear. Then, hopefully, enabling Secure Boot on top of it.
Boot in UEFI mode and have an EFI System Partition (ESP): the GRUB EFI binary is the only thing that stays unencrypted, and it lives there.
Installing
Use the normal Debian installer. With /boot inside the LUKS volume it will fail at the "Install the GRUB boot loader" step: grub-install refuses to install onto an encrypted disk unless GRUB_ENABLE_CRYPTODISK=y is set, and says so in its error message.
To fix the problem:
- switch to a console VT (Alt+F2 gives a shell in the installer)
- edit /target/etc/default/grub with nano
- add the line GRUB_ENABLE_CRYPTODISK=y
- go back to the installer (Alt+F1) and retry the GRUB installation
Now grub-install embeds the cryptodisk and luks modules into its core image, so GRUB can prompt for the passphrase, unlock the volume and read /boot from it.
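The same edit done with a small shell function instead of nano, as an added example (not from the original post): it sets a key in /etc/default/grub idempotently, replacing a commented-out line if one exists, and then checks that grub-install would see GRUB_ENABLE_CRYPTODISK=y. It assumes only the busybox sed/grep available in the installer shell; the sample file it writes is constructed for the demo, not copied from Debian.

```shell
#!/bin/sh
# Added example: idempotently set a key in /etc/default/grub, the way the fix
# above does by hand. Works with busybox sed/grep (debian-installer shell).
# The file path is a parameter so the functions can be exercised on a scratch copy.

# set_grub_default FILE KEY VALUE
# Replaces an existing KEY=... line (even a commented-out one) or appends a new one.
set_grub_default() {
    file=$1; key=$2; val=$3
    if grep -q "^#*${key}=" "$file" 2>/dev/null; then
        # '|' as sed delimiter so a '/' inside VALUE does not break the expression
        sed -i "s|^#*${key}=.*|${key}=${val}|" "$file"
    else
        printf '%s=%s\n' "$key" "$val" >> "$file"
    fi
}

# grub_default_value FILE KEY -> prints the value of the last uncommented KEY= line
grub_default_value() {
    sed -n "s|^${2}=||p" "$1" | tail -n 1
}

# grub_cryptodisk_enabled FILE -> true when grub-install will embed cryptodisk/luks
# into core.img (that is, GRUB_ENABLE_CRYPTODISK=y is really set)
grub_cryptodisk_enabled() {
    [ "$(grub_default_value "$1" GRUB_ENABLE_CRYPTODISK)" = "y" ]
}

# Constructed sample of a fresh /etc/default/grub (not Debian's actual file)
write_sample_grub_default() {
    cat > "$1" <<'EOF'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
#GRUB_ENABLE_CRYPTODISK=n
EOF
}

# In the installer shell (Alt+F2) the real invocation is simply:
#   set_grub_default /target/etc/default/grub GRUB_ENABLE_CRYPTODISK y
# then Alt+F1 and retry "Install the GRUB boot loader".
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_grub_default "$tmp"
    set_grub_default "$tmp" GRUB_ENABLE_CRYPTODISK y
    grub_cryptodisk_enabled "$tmp" && echo "GRUB_ENABLE_CRYPTODISK=y set in $tmp"
    rm -f "$tmp"
fi
```

Run it with `--demo` to see it operate on a scratch file; the check function is the part worth keeping, since a typo such as `GRUB_ENABLE_CRYPTODISK=yes` is silently ignored and grub-install fails again.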
Caveats
- GRUB's keymap at the passphrase prompt is US by default; pay attention when typing the passphrase…
- cryptsetup benchmarks the PBKDF2 iteration count of each key slot on the host CPU (2 s by default), which is far too high for the PBKDF2 in GRUB's default libgcrypt build: it can take 10 s or more to verify the passphrase at boot. Use cryptsetup's --iter-time (on luksFormat, luksAddKey or luksChangeKey) to get a lower iteration count, and compensate with a stronger passphrase :)
- Keep the volume LUKS1 (cryptsetup luksFormat --type luks1): the GRUB shipped in Buster cannot open LUKS2 headers at all.
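A check to go with the iteration caveat, as an added example (not from the original post): it parses `cryptsetup luksDump` output for a LUKS1 volume and reports which enabled key slots carry more PBKDF2 iterations than you are willing to pay for in GRUB. The dump text below is a constructed sample shaped like real luksDump output, with illustrative numbers; the device path /dev/sdX2 in the comments is an assumption.

```shell
#!/bin/sh
# Added example: find LUKS1 key slots whose PBKDF2 iteration count will be slow
# to verify in GRUB. Pure sh + awk; the real dump comes from
#   cryptsetup luksDump /dev/sdX2      (root required)

# luks1_slot_iterations DUMP_TEXT SLOT -> prints the iteration count of that key slot
luks1_slot_iterations() {
    printf '%s\n' "$1" | awk -v slot="$2" '
        /^Key Slot [0-9]+:/ { in_slot = ($3 == (slot ":")) }
        in_slot && $1 == "Iterations:" { print $2; exit }
    '
}

# luks1_slow_slots DUMP_TEXT MAX -> prints "SLOT ITERATIONS" for every enabled
# slot above MAX (one per line, in slot order)
luks1_slow_slots() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /^Key Slot [0-9]+: ENABLED/  { slot = $3; sub(/:/, "", slot); next }
        /^Key Slot [0-9]+: DISABLED/ { slot = ""; next }
        slot != "" && $1 == "Iterations:" && ($2 + 0) > (max + 0) { print slot, $2 }
    '
}

# Constructed sample (not a real header): slot 0 was created with the default
# 2 s benchmark, slot 1 was re-keyed with a short --iter-time.
SAMPLE_DUMP=$(cat <<'EOF'
LUKS header information for /dev/sdX2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
MK iterations:  110750
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             1772512
        Salt:                   (omitted)
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             204800
        Salt:                   (omitted)
        Key material offset:    512
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
EOF
)

# On the real machine:
#   luks1_slow_slots "$(cryptsetup luksDump /dev/sdX2)" 500000
# To shrink a slot, re-derive it with about 0.5 s of PBKDF2 on this CPU and a
# stronger passphrase (the slot keeps its number):
#   cryptsetup luksChangeKey --iter-time 500 /dev/sdX2
if [ "${1:-}" = "--demo" ]; then
    echo "Slots above 500000 iterations in the sample header:"
    luks1_slow_slots "$SAMPLE_DUMP" 500000
fi
```

The threshold is yours to pick: GRUB's PBKDF2 is several times slower than the kernel's, so a slot that unlocks in 2 s under Linux is the one that takes 10 s at the GRUB prompt. Remember that the MK iterations line is the master-key digest check and is not affected by --iter-time; only the key-slot counts matter for unlock time.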
TODO
- Try to have a French keymap at boot; should be doable with grub-mkstandalone
- Try to check whether GRUB can work with performance compilation options