Full-Disk Encryption LUKS and MBR

Hi, Nathan,

  1. When I do a Full-Disk Encryption of my Linux OS with LUKS, does that also encrypt the MBR?

  2. What if I also encrypt the Linux boot partition with LUKS, does that encrypt the MBR too?

  3. Does EFI Secure Boot have anything to do with encrypted MBR?

Cheers,

Dan

  1. Your MBR can only be encrypted when you’re using hardware-based full disk encryption (FDE) technology. You should have a compatible HDD/SSD that supports this.

  2. If you have a dual boot, which I suppose you have when talking about the Linux boot partition and MBR, you cannot encrypt the master boot record (MBR), or similar area of a bootable disk, or any code that starts the operating system loading sequence. This can only be encrypted if you have a compatible HDD/SSD. If you have that, then do check whether you can use LUKS to encrypt it or not. If not, then try some other software.

  3. No, EFI Secure Boot and encrypted MBR are not related. Secure Boot only prevents attacks at the pre-boot phase, which includes system-embedded firmware loading and initialization and the start of the OS loading.
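
An added example, not part of the original reply: a Python check that parses sector 0 and the first bytes of each partition to show which areas are readable without a key on a software LUKS layout. The disk image is constructed inline, and the function names are hypothetical.

```python
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"   # first 6 bytes of a LUKS1/LUKS2 header
ENTRY = "<B3xB3xII"            # status, CHS, type, CHS, start LBA, sector count

def parse_mbr(sector0):
    """Return partition entries if sector 0 is a readable MBR, else None."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return None            # no boot signature: not a plaintext MBR
    parts = []
    for i in range(4):
        raw = sector0[446 + 16 * i:462 + 16 * i]
        status, ptype, lba, count = struct.unpack(ENTRY, raw)
        if ptype != 0:         # type 0 marks an unused slot
            parts.append({"index": i + 1, "bootable": status == 0x80,
                          "type": ptype, "start_lba": lba, "sectors": count})
    return parts

def luks_version(image, start_lba):
    """Return the LUKS version at a partition start, or None if absent."""
    hdr = image[start_lba * SECTOR:start_lba * SECTOR + 8]
    if len(hdr) < 8 or hdr[:6] != LUKS_MAGIC:
        return None
    return struct.unpack(">H", hdr[6:8])[0]   # big-endian version field

def survey(image):
    """Report whether the MBR is plaintext and which partitions hold LUKS."""
    parts = parse_mbr(image[:SECTOR])
    if parts is None:
        return {"mbr_plaintext": False, "partitions": []}
    for p in parts:
        p["luks"] = luks_version(image, p["start_lba"])
    return {"mbr_plaintext": True, "partitions": parts}

def build_sample_image():
    """Constructed sample: plaintext MBR, plain /boot, LUKS2 root."""
    image = bytearray(24 * SECTOR)
    image[446:462] = struct.pack(ENTRY, 0x80, 0x83, 8, 8)    # /boot
    image[462:478] = struct.pack(ENTRY, 0x00, 0x83, 16, 8)   # root
    image[510:512] = b"\x55\xaa"
    image[16 * SECTOR:16 * SECTOR + 8] = LUKS_MAGIC + struct.pack(">H", 2)
    return bytes(image)

if __name__ == "__main__":
    print(survey(build_sample_image()))
```

On the constructed image the partition table is readable without any key, while only the second partition begins with a LUKS header.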