Long, long before Docker made containers the cool server application virtualization tool, Parallels was making container technology work for enterprises with the commercial Virtuozzo and the open-source OpenVZ project. Now Parallels will be adding native support for Docker as well to the next version of its Parallels Cloud Server.
From a lot of research, it seems to me that only Arch and other distros which use mkinitcpio--mostly its derivatives or super modular distros like Gentoo--support booting from an encrypted boot partition.
As far as I can understand, you need bootloader and initramfs support to boot from an encrypted partition on the same disk. GRUB supports encrypted boot, because it will embed itself in the BIOS boot partition. I tested this out with Ubuntu once and booted the Ubuntu initramfs from an encrypted LVM over LUKS boot partition from GRUB.
However, the initramfs failed to boot the Ubuntu kernel, because, AFAIK, the Ubuntu initramfs doesn't support encrypted boot partitions. In fact, AFAIK, mkinitcpio is the only initramfs which does so. If you're curious, here's a blog post on how to set up full disk encryption on Arch.
Why is encrypted boot important? It prevents meaningful change to your boot partition.
When unencrypted, I can replace your kernel with another kernel that acts the same except that it also contains a keylogger that emails logs back to myself. Or a piece of code that steals your AES keys out of RAM.
When encrypted, I can still try to modify your boot partition, but my changes, when unencrypted, will not mean anything. All that will probably happen is your kernel will fail to boot in part or whole.
It seems like it shouldn't be too much work for other distros/initramfs to support encrypted boot. Why does there seem to be no interest in doing so?
submitted by fowlslegs
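A check for the property the post is about, whether the filesystem holding the kernel and initramfs sits on top of a dm-crypt mapping, as an added example that is not part of the original post. It parses `lsblk --json -o NAME,TYPE,MOUNTPOINT` output; the sample layouts and device names are constructed, and the function names are this example's own.

```python
import json

# Constructed samples of `lsblk --json -o NAME,TYPE,MOUNTPOINT` output.
# Layout from the post: /boot is a logical volume inside LVM over LUKS.
ENCRYPTED_BOOT = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": None},  # BIOS boot partition
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptlvm", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-boot", "type": "lvm", "mountpoint": "/boot"},
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"}]}]}]}]})

# Constructed sample: plaintext /boot partition next to an encrypted root.
PLAIN_BOOT = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]}]}]})


def find_mount(devices, mountpoint, ancestors=()):
    """Depth-first search; return the device chain (outermost first) ending at mountpoint."""
    for dev in devices:
        chain = ancestors + (dev,)
        if dev.get("mountpoint") == mountpoint:
            return chain
        found = find_mount(dev.get("children") or [], mountpoint, chain)
        if found:
            return found
    return None


def boot_encryption_status(lsblk_json):
    """Report which device holds the kernel/initramfs and whether it is under dm-crypt."""
    devices = json.loads(lsblk_json)["blockdevices"]
    # Without a separate /boot mount, the kernel and initramfs live on the root filesystem.
    chain = find_mount(devices, "/boot") or find_mount(devices, "/")
    if chain is None:
        raise ValueError("no /boot or / mountpoint in lsblk output")
    return {
        "mountpoint": chain[-1]["mountpoint"],
        "device": chain[-1]["name"],
        # An opened LUKS volume appears in lsblk as a device of type "crypt".
        "encrypted": any(d.get("type") == "crypt" for d in chain),
        "stack": [d["name"] for d in chain],
    }


if __name__ == "__main__":
    for label, sample in (("encrypted /boot", ENCRYPTED_BOOT), ("plain /boot", PLAIN_BOOT)):
        print(label, boot_encryption_status(sample))
```

On a live system, pass the output of `lsblk --json -o NAME,TYPE,MOUNTPOINT` to `boot_encryption_status` in place of the constructed samples.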