separation of chapters

- signed-off-by: trimstray <trimstray@gmail.com>
2025-12-06 17:22:51 +01:00 · 2019-02-19 00:07:20 +01:00
parent 1daeeac29c
commit 3f199216fc
5 changed files with 348 additions and 347 deletions
--- a/README.md
+++ b/README.md
@@ -162,358 +162,11 @@ Before add pull request please see **[this](CONTRIBUTING.md)**.
 ## Pre install tasks
 ### Hard disk encryption
 #### :information_source: Introduction
 Disk encryption is focused on securing physical access, while relying on other parts of the system to provide things like network security and user-based access control.
 Most of the Linux distributions will allow you to encrypt your disks before installation.
 If you use an alternative installation method (e.g. from `debootstrap`) you can create an [encrypted disk manually](#disk-partitions).
 Before this you should to answer the following questions:
 - What part of filesystem do you want to encrypt?
  * only user data
  * user data and system data
 - How should `swap`, `/tmp` and other be taken care of?
  * disable or mount as ramdisk
  * encrypt (separately of as part of full)
 - How should encrypted parts of the disk be unlocked?
  * passphrase
  * key file
 - When should encrypted parts of the disk be unlocked?
  * before boot process
  * during boot process
  * mixed above or manually
 [Source](https://uchicago.service-now.com/it?id=kb_article&kb=KB06000398)
 #### :eight_pointed_black_star: Encrypt root filesystem
 Unlocked during boot, using passphrases or USB stick with keyfiles.
 #### :eight_pointed_black_star: Encrypt /boot partition
 - encrypting the whole disk without `/boot` partition but keeping it on a flash drive you carry at all times
 - using a checksum value of the boot sector
 - boot partition to detect it and change you passphrase
 This may not completely get rid of the attack vector described in this post as there is still part of the bootloader that isn't encrypted, but at least the grub stage2 and the kernel/ramdisk are encrypted and should make it much harder to attack.
 In addition, the `/boot` partition may be a weak point if you use encryption methods for the rest of the disk.
 Historically it has been necessary to leave `/boot` unencrypted because bootloaders didn't support decrypting block devices. However, there are some dangers to leaving the bootloader and ramdisks unencrypted.
 Before this you should to answer the following questions:
 - Where your `/boot` partition is stored?
  * the same place where stored `/`
  * separately partition
  * external flash drive
 The following recipe should be made after installing the system (however, these steps are included in this section to avoid mixing issues).
 [Source](https://security.stackexchange.com/questions/166075/encrypting-the-boot-partition-in-a-linux-system-can-protect-from-an-evil-maid-a)
 ###### Create copy of your /boot
 ```bash
 mkdir /mnt/boot
 mount --bind / /mnt/boot
 rsync -aAXv /boot/ /mnt/boot/
 umount /mnt/boot
 ```
 ###### Removed old /boot partition
 ```bash
 umount /boot
 sed -i -e '/\/boot/d' /etc/fstab
 ```
 ###### Regenerate grub configuration
 ```bash
 # Debian like distributions
 grub-mkconfig > /boot/grub/grub.cfg
 # RedHat like distributions
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
 ###### Enable `GRUB_ENABLE_CRYPTODISK` param
 ```bash
 echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub
 ```
 ###### Reinstall grub
 ```bash
 # Debian like distributions
 grub-install /dev/sda
 # RedHat like distributions
 grub2-install /dev/sda
 ```
  > More details can be found here (Bootloader configuration (grub) section):
  > - [Lock the boot directory](#eight_pointed_black_star-lock-the-boot-directory)
 #### :eight_pointed_black_star: Swap partition
 - swap area is not required to survive a reboot, therefore a new random encryption key can be chosen each time the swap area is activated
 - get the key from `/dev/urandom` because `/dev/random` maybe stalling your boot sequence
 #### :ballot_box_with_check: Summary checklist
 | <b>Item</b> | <b>True</b> | <b>False</b> |
 | :---        | :---:       | :---:        |
 | Encrypting the whole disk | :black_square_button: | :black_square_button: |
 | Usage passphrase or key file to disk unlocked | :black_square_button: | :black_square_button: |
 | Choosing a strong passphrase | :black_square_button: | :black_square_button: |
 | Encrypting the `/boot` partition | :black_square_button: | :black_square_button: |
 | Securing swap partition with `/dev/urandom` | :black_square_button: | :black_square_button: |
 | `swap` or `tmp` using an automatically generated per-session throwaway key | :black_square_button: | :black_square_button: |
 ## Post install tasks
 ### Bootloader configuration (grub)
 #### :information_source: Introduction
 Protection for the boot loader can prevent unauthorized users who have physical access to systems, e.g. attaining root privileges through single user mode.
 Basically when you want to prohibit unauthorized reconfiguring of your system, otherwise anybody could load anything on it.
 #### :eight_pointed_black_star: Protect bootloader with password
 You can set password for the bootloader for prevents users from entering single user mode, changing settings at boot time, access to the bootloader console, reset the root password, if there is no password for GRUB-menu or access to non-secure operating systems.
 ###### Generate password hash
 ```bash
 # Debian like distributions
 grub-mkpasswd-pbkdf2
 # RedHat like distributions
 grub2-mkpasswd-pbkdf2
 ```
 ###### Updated grub configuration
 ```bash
 cat > /etc/grub.d/01_hash << __EOF__
 set superusers="user"
 password_pbkdf2 user
 grub.pbkdf2.sha512.<hash> # rest of your password hash
 __EOF__
 ```
 And regenerate grub configuration:
 ```bash
 # Debian like distributions
 grub-mkconfig > /boot/grub/grub.cfg
 # RedHat like distributions
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
 #### :eight_pointed_black_star: Protect bootloader config files
 Set the owner and group of `/etc/grub.conf` to the root user:
 ```bash
 chown root:root /etc/grub.conf
 ```
 or
 ```bash
 chown -R root:root /etc/grub.d
 ```
 Set permission on the `/etc/grub.conf` or `/etc/grub.d` file to read and write for root only:
 ```bash
 chmod og-rwx /etc/grub.conf
 ```
 or
 ```bash
 chmod -R og-rwx /etc/grub.d
 ```
 #### :ballot_box_with_check: Summary checklist
 | <b>Item</b> | <b>True</b> | <b>False</b> |
 | :---        | :---:       | :---:        |
 | Set password for the bootloader | :black_square_button: | :black_square_button: |
 ### Disk partitions
 #### :information_source: Introduction
 Critical file systems should be separated into different partitions in ways that make your system a better and more secure.
 #### :eight_pointed_black_star: Separate disk partitions
 Make sure the following filesystems are mounted on separate partitions:
 - `/boot`
 - `/tmp`
 - `/var`
 - `/var/log`
 Additionally, depending on the purpose of the server, you should consider separating the following partitions:
 - `/usr`
 - `/home`
 - `/var/www`
 You should also consider separating these partitions:
 - `/var/tmp`
 - `/var/log/audit`
 #### :eight_pointed_black_star: Mount options: nodev, nosuid and noexec
 For more security-focused situations is as follows:
 - `nodev` - specifies that the filesystem cannot contain special devices: This is a security precaution. You don't want a user world-accessible filesystem like this to have the potential for the creation of character devices or access to random device hardware
 - `nosuid` - specifies that the filesystem cannot contain set userid files. Preventing setuid binaries on a world-writable filesystem makes sense because there's a risk of root escalation or other awfulness there
 - `noexec` - this param might be useful for a partition that contains no binaries, like **/var**, or contains binaries you do not want to execute on your system (from partitions with `noexec`), or that cannot even be executed on your system
 #### :eight_pointed_black_star: Secure /boot directory
 The boot directory contains important files related to the Linux kernel, so you need to make sure that this directory is locked down to read-only permissions.
 Add **ro** option and `nodev`, `nosuid` and `noexec` to `/etc/fstab` for **/boot** entry:
 ```bash
 LABEL=/boot  /boot  ext2  defaults,ro,nodev,nosuid,noexec  1 2
 ```
  > When updating the kernel you will have to move the flag to `rw`:
  > ```bash
  > mount -o remount,defaults,rw /boot
  > ```
 #### :eight_pointed_black_star: Secure /tmp and /var/tmp
 On Linux systems, the **/tmp** and **/var/tmp** locations are world-writable.
 Several daemons/applications use the **/tmp** or **/var/tmp** directories to temporarily store data, log information, or to share information between their sub-components. However, due to the shared nature of these directories, several attacks are possible, including:
 - Leaks of confidential data via secrets in file names
 - Race-condition attacks (TOCTOU) on the integrity of processes and data
 - Denial-of-Service (DoS) attacks based on race conditions and pre-allocating file/directory names
 As a rule of thumb, malicious applications usually write to **/tmp** and then attempt to run whatever was written. A way to prevent this is to mount **/tmp** on a separate partition with the options `nodev`, `nosuid` and `noexec` enabled.
 This will deny binary execution from **/tmp**, disable any binary to be suid root, and disable any block devices from being created.
 **The first possible scenario is create symlink**
 ```bash
 mv /var/tmp /var/tmp.old
 ln -s /tmp /var/tmp
 cp -prf /var/tmp.old/* /tmp && rm -fr /var/tmp.old
 ```
 and set properly mount params:
 ```bash
 UUID=<...>  /tmp  ext4  defaults,nodev,nosuid,noexec  1 2
 ```
 **The second scenario is a bind mount**
 The storage location **/var/tmp** should be bind mounted to **/tmp**, as having multiple locations for temporary storage is not required:
 ```bash
 /tmp  /var/tmp  none  rw,nodev,nosuid,noexec,bind  0 0
 ```
 **The third scenario is setting up polyinstantiated directories**
 Create new directories:
 ```bash
 mkdir --mode 000 /tmp-inst
 mkdir --mode 000 /var/tmp/tmp-inst
 ```
 Edit `/etc/security/namespace.conf`:
 ```bash
 /tmp      /tmp-inst/          level  root,adm
 /var/tmp  /var/tmp/tmp-inst/  level  root,adm
 ```
 Set correct **SELinux** context:
 ```bash
 setsebool polyinstantiation_enabled=1
 chcon --reference=/tmp /tmp-inst
 chcon --reference=/var/tmp/ /var/tmp/tmp-inst
 ```
 And set `nodev`, `nosuid` and `noexec` mount options in `/etc/fstab`.
  > Alternative for **polyinstantiated directories** is **PrivateTmp** feature available from **systemd**. For more information please see: [New Red Hat Enterprise Linux 7 Security Feature: PrivateTmp](https://access.redhat.com/blogs/766093/posts/1976243).
 #### :eight_pointed_black_star: Secure /dev/shm
 `/dev/shm` is a temporary file storage filesystem, i.e. **tmpfs**, that uses RAM for the backing store. One of the major security issue with the `/dev/shm` is anyone can upload and execute files inside the `/dev/shm` similar to the `/tmp` partition. Further the size should be limited to avoid an attacker filling up this mountpoint to the point where applications could be affected. (normally it allows 20% or more of RAM to be used). The sticky bit should be set like for any world writeable directory.
 For applies to shared memory `/dev/shm` mount params:
 ```bash
 tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0
 ```
  > You can also create a group named 'shm' and put application users for SHM-using applications in there. Then the access can be completely be restricted as such:
 ```bash
 tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0
 ```
 #### :eight_pointed_black_star: Secure /proc filesystem
 The proc pseudo-filesystem `/proc` should be mounted with `hidepid`. When setting `hidepid` to **2**, directories entries in `/proc` will hidden.
 ```bash
 proc  /proc  proc  defaults,hidepid=2  0 0
 ```
  > Some of the services/programs operate incorrectly when the `hidepid` parameter is set, e.g. Nagios checks.
 #### :eight_pointed_black_star: Swap partition
 #### :eight_pointed_black_star: Disk quotas
 #### :ballot_box_with_check: Summary checklist
 | <b>Item</b> | <b>True</b> | <b>False</b> |
 | :---        | :---:       | :---:        |
 | Separate base partition scheme: `/boot`, `/tmp`, `/var`, `/var/log` | :black_square_button: | :black_square_button: |
 | Separate `/usr` partition | :black_square_button: | :black_square_button: |
 | Separate `/home` partition | :black_square_button: | :black_square_button: |
 | Separate `/var/www` partition | :black_square_button: | :black_square_button: |
 | Separate `/var/tmp` partition | :black_square_button: | :black_square_button: |
 | Separate `/var/audit` partition | :black_square_button: | :black_square_button: |
 | Secure `/boot` directory with `ro`, `nodev`, `nosuid`, `noexec` options | :black_square_button: | :black_square_button: |
 | Secure `/tmp` and `/var/tmp` directory with `nodev`, `nosuid`, `noexec` options | :black_square_button: | :black_square_button: |
 | Create symlink for `/var/tmp` in `/tmp` | :black_square_button: | :black_square_button: |
 | Setting up bind-mount `/var/tmp` to `/tmp` | :black_square_button: | :black_square_button: |
 | Setting up polyinstantiated directories for `/tmp` and `/var/tmp` | :black_square_button: | :black_square_button: |
 | Secure `/dev/shm` directory with `nodev`, `nosuid`, `noexec` options | :black_square_button: | :black_square_button: |
 | Secure `/proc` filesystem with `hidepid=2` option | :black_square_button: | :black_square_button: |
 ## Services
--- a/lib/.gitkeep
+++ b/lib/.gitkeep
--- a/lib/chapters/post_install_tasks/bootloader_configuration.md
+++ b/lib/chapters/post_install_tasks/bootloader_configuration.md
@@ -0,0 +1,73 @@
 ### Bootloader configuration (grub)
 #### :information_source: Introduction
 Protection for the boot loader can prevent unauthorized users who have physical access to systems, e.g. attaining root privileges through single user mode.
 Basically when you want to prohibit unauthorized reconfiguring of your system, otherwise anybody could load anything on it.
 #### :eight_pointed_black_star: Protect bootloader with password
 You can set password for the bootloader for prevents users from entering single user mode, changing settings at boot time, access to the bootloader console, reset the root password, if there is no password for GRUB-menu or access to non-secure operating systems.
 ###### Generate password hash
 ```bash
 # Debian like distributions
 grub-mkpasswd-pbkdf2
 # RedHat like distributions
 grub2-mkpasswd-pbkdf2
 ```
 ###### Updated grub configuration
 ```bash
 cat > /etc/grub.d/01_hash << __EOF__
 set superusers="user"
 password_pbkdf2 user
 grub.pbkdf2.sha512.<hash> # rest of your password hash
 __EOF__
 ```
 And regenerate grub configuration:
 ```bash
 # Debian like distributions
 grub-mkconfig > /boot/grub/grub.cfg
 # RedHat like distributions
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
 #### :eight_pointed_black_star: Protect bootloader config files
 Set the owner and group of `/etc/grub.conf` to the root user:
 ```bash
 chown root:root /etc/grub.conf
 ```
 or
 ```bash
 chown -R root:root /etc/grub.d
 ```
 Set permission on the `/etc/grub.conf` or `/etc/grub.d` file to read and write for root only:
 ```bash
 chmod og-rwx /etc/grub.conf
 ```
 or
 ```bash
 chmod -R og-rwx /etc/grub.d
 ```
 #### :ballot_box_with_check: Summary checklist
 | <b>Item</b> | <b>True</b> | <b>False</b> |
 | :---        | :---:       | :---:        |
 | Set password for the bootloader | :black_square_button: | :black_square_button: |
--- a/lib/chapters/post_install_tasks/disk_partitions.md
+++ b/lib/chapters/post_install_tasks/disk_partitions.md
@@ -0,0 +1,160 @@
 ### Disk partitions
 #### :information_source: Introduction
 Critical file systems should be separated into different partitions in ways that make your system a better and more secure.
 #### :eight_pointed_black_star: Separate disk partitions
 Make sure the following filesystems are mounted on separate partitions:
 - `/boot`
 - `/tmp`
 - `/var`
 - `/var/log`
 Additionally, depending on the purpose of the server, you should consider separating the following partitions:
 - `/usr`
 - `/home`
 - `/var/www`
 You should also consider separating these partitions:
 - `/var/tmp`
 - `/var/log/audit`
 #### :eight_pointed_black_star: Mount options: nodev, nosuid and noexec
 For more security-focused situations is as follows:
 - `nodev` - specifies that the filesystem cannot contain special devices: This is a security precaution. You don't want a user world-accessible filesystem like this to have the potential for the creation of character devices or access to random device hardware
 - `nosuid` - specifies that the filesystem cannot contain set userid files. Preventing setuid binaries on a world-writable filesystem makes sense because there's a risk of root escalation or other awfulness there
 - `noexec` - this param might be useful for a partition that contains no binaries, like **/var**, or contains binaries you do not want to execute on your system (from partitions with `noexec`), or that cannot even be executed on your system
 #### :eight_pointed_black_star: Secure /boot directory
 The boot directory contains important files related to the Linux kernel, so you need to make sure that this directory is locked down to read-only permissions.
 Add **ro** option and `nodev`, `nosuid` and `noexec` to `/etc/fstab` for **/boot** entry:
 ```bash
 LABEL=/boot  /boot  ext2  defaults,ro,nodev,nosuid,noexec  1 2
 ```
  > When updating the kernel you will have to move the flag to `rw`:
  > ```bash
  > mount -o remount,defaults,rw /boot
  > ```
 #### :eight_pointed_black_star: Secure /tmp and /var/tmp
 On Linux systems, the **/tmp** and **/var/tmp** locations are world-writable.
 Several daemons/applications use the **/tmp** or **/var/tmp** directories to temporarily store data, log information, or to share information between their sub-components. However, due to the shared nature of these directories, several attacks are possible, including:
 - Leaks of confidential data via secrets in file names
 - Race-condition attacks (TOCTOU) on the integrity of processes and data
 - Denial-of-Service (DoS) attacks based on race conditions and pre-allocating file/directory names
 As a rule of thumb, malicious applications usually write to **/tmp** and then attempt to run whatever was written. A way to prevent this is to mount **/tmp** on a separate partition with the options `nodev`, `nosuid` and `noexec` enabled.
 This will deny binary execution from **/tmp**, disable any binary to be suid root, and disable any block devices from being created.
 **The first possible scenario is create symlink**
 ```bash
 mv /var/tmp /var/tmp.old
 ln -s /tmp /var/tmp
 cp -prf /var/tmp.old/* /tmp && rm -fr /var/tmp.old
 ```
 and set properly mount params:
 ```bash
 UUID=<...>  /tmp  ext4  defaults,nodev,nosuid,noexec  1 2
 ```
 **The second scenario is a bind mount**
 The storage location **/var/tmp** should be bind mounted to **/tmp**, as having multiple locations for temporary storage is not required:
 ```bash
 /tmp  /var/tmp  none  rw,nodev,nosuid,noexec,bind  0 0
 ```
 **The third scenario is setting up polyinstantiated directories**
 Create new directories:
 ```bash
 mkdir --mode 000 /tmp-inst
 mkdir --mode 000 /var/tmp/tmp-inst
 ```
 Edit `/etc/security/namespace.conf`:
 ```bash
 /tmp      /tmp-inst/          level  root,adm
 /var/tmp  /var/tmp/tmp-inst/  level  root,adm
 ```
 Set correct **SELinux** context:
 ```bash
 setsebool polyinstantiation_enabled=1
 chcon --reference=/tmp /tmp-inst
 chcon --reference=/var/tmp/ /var/tmp/tmp-inst
 ```
 And set `nodev`, `nosuid` and `noexec` mount options in `/etc/fstab`.
  > Alternative for **polyinstantiated directories** is **PrivateTmp** feature available from **systemd**. For more information please see: [New Red Hat Enterprise Linux 7 Security Feature: PrivateTmp](https://access.redhat.com/blogs/766093/posts/1976243).
 #### :eight_pointed_black_star: Secure /dev/shm
 `/dev/shm` is a temporary file storage filesystem, i.e. **tmpfs**, that uses RAM for the backing store. One of the major security issue with the `/dev/shm` is anyone can upload and execute files inside the `/dev/shm` similar to the `/tmp` partition. Further the size should be limited to avoid an attacker filling up this mountpoint to the point where applications could be affected. (normally it allows 20% or more of RAM to be used). The sticky bit should be set like for any world writeable directory.
 For applies to shared memory `/dev/shm` mount params:
 ```bash
 tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0
 ```
  > You can also create a group named 'shm' and put application users for SHM-using applications in there. Then the access can be completely be restricted as such:
 ```bash
 tmpfs  /dev/shm  tmpfs  rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0
 ```
 #### :eight_pointed_black_star: Secure /proc filesystem
 The proc pseudo-filesystem `/proc` should be mounted with `hidepid`. When setting `hidepid` to **2**, directories entries in `/proc` will hidden.
 ```bash
 proc  /proc  proc  defaults,hidepid=2  0 0
 ```
  > Some of the services/programs operate incorrectly when the `hidepid` parameter is set, e.g. Nagios checks.
 #### :eight_pointed_black_star: Swap partition
 #### :eight_pointed_black_star: Disk quotas
 #### :ballot_box_with_check: Summary checklist
 | <b>Item</b> | <b>True</b> | <b>False</b> |
 | :---        | :---:       | :---:        |
 | Separate base partition scheme: `/boot`, `/tmp`, `/var`, `/var/log` | :black_square_button: | :black_square_button: |
 | Separate `/usr` partition | :black_square_button: | :black_square_button: |
 | Separate `/home` partition | :black_square_button: | :black_square_button: |
 | Separate `/var/www` partition | :black_square_button: | :black_square_button: |
 | Separate `/var/tmp` partition | :black_square_button: | :black_square_button: |
 | Separate `/var/audit` partition | :black_square_button: | :black_square_button: |
 | Secure `/boot` directory with `ro`, `nodev`, `nosuid`, `noexec` options | :black_square_button: | :black_square_button: |
 | Secure `/tmp` and `/var/tmp` directory with `nodev`, `nosuid`, `noexec` options | :black_square_button: | :black_square_button: |
 | Create symlink for `/var/tmp` in `/tmp` | :black_square_button: | :black_square_button: |
 | Setting up bind-mount `/var/tmp` to `/tmp` | :black_square_button: | :black_square_button: |
 | Setting up polyinstantiated directories for `/tmp` and `/var/tmp` | :black_square_button: | :black_square_button: |
 | Secure `/dev/shm` directory with `nodev`, `nosuid`, `noexec` options | :black_square_button: | :black_square_button: |
 | Secure `/proc` filesystem with `hidepid=2` option | :black_square_button: | :black_square_button: |
--- a/lib/chapters/pre_install_tasks/hard_disk_encryption.md
+++ b/lib/chapters/pre_install_tasks/hard_disk_encryption.md
@@ -0,0 +1,115 @@
 ### Hard disk encryption
 #### :information_source: Introduction
 Disk encryption is focused on securing physical access, while relying on other parts of the system to provide things like network security and user-based access control.
 Most of the Linux distributions will allow you to encrypt your disks before installation.
 If you use an alternative installation method (e.g. from `debootstrap`) you can create an [encrypted disk manually](#disk-partitions).
 Before this you should to answer the following questions:
 - What part of filesystem do you want to encrypt?
  * only user data
  * user data and system data
 - How should `swap`, `/tmp` and other be taken care of?
  * disable or mount as ramdisk
  * encrypt (separately of as part of full)
 - How should encrypted parts of the disk be unlocked?
  * passphrase
  * key file
 - When should encrypted parts of the disk be unlocked?
  * before boot process
  * during boot process
  * mixed above or manually
 [Source](https://uchicago.service-now.com/it?id=kb_article&kb=KB06000398)
 #### :eight_pointed_black_star: Encrypt root filesystem
 Unlocked during boot, using passphrases or USB stick with keyfiles.
 #### :eight_pointed_black_star: Encrypt /boot partition
 - encrypting the whole disk without `/boot` partition but keeping it on a flash drive you carry at all times
 - using a checksum value of the boot sector
 - boot partition to detect it and change you passphrase
 This may not completely get rid of the attack vector described in this post as there is still part of the bootloader that isn't encrypted, but at least the grub stage2 and the kernel/ramdisk are encrypted and should make it much harder to attack.
 In addition, the `/boot` partition may be a weak point if you use encryption methods for the rest of the disk.
 Historically it has been necessary to leave `/boot` unencrypted because bootloaders didn't support decrypting block devices. However, there are some dangers to leaving the bootloader and ramdisks unencrypted.
 Before this you should to answer the following questions:
 - Where your `/boot` partition is stored?
  * the same place where stored `/`
  * separately partition
  * external flash drive
 The following recipe should be made after installing the system (however, these steps are included in this section to avoid mixing issues).
 [Source](https://security.stackexchange.com/questions/166075/encrypting-the-boot-partition-in-a-linux-system-can-protect-from-an-evil-maid-a)
 ###### Create copy of your /boot
 ```bash
 mkdir /mnt/boot
 mount --bind / /mnt/boot
 rsync -aAXv /boot/ /mnt/boot/
 umount /mnt/boot
 ```
 ###### Removed old /boot partition
 ```bash
 umount /boot
 sed -i -e '/\/boot/d' /etc/fstab
 ```
 ###### Regenerate grub configuration
 ```bash
 # Debian like distributions
 grub-mkconfig > /boot/grub/grub.cfg
 # RedHat like distributions
 grub2-mkconfig > /boot/grub2/grub.cfg
 ```
 ###### Enable `GRUB_ENABLE_CRYPTODISK` param
 ```bash
 echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub
 ```
 ###### Reinstall grub
 ```bash
 # Debian like distributions
 grub-install /dev/sda
 # RedHat like distributions
 grub2-install /dev/sda
 ```
  > More details can be found here (Bootloader configuration (grub) section):
  > - [Lock the boot directory](#eight_pointed_black_star-lock-the-boot-directory)
 #### :eight_pointed_black_star: Swap partition
 - swap area is not required to survive a reboot, therefore a new random encryption key can be chosen each time the swap area is activated
 - get the key from `/dev/urandom` because `/dev/random` maybe stalling your boot sequence
 #### :ballot_box_with_check: Summary checklist
 | <b>Item</b> | <b>True</b> | <b>False</b> |
 | :---        | :---:       | :---:        |
 | Encrypting the whole disk | :black_square_button: | :black_square_button: |
 | Usage passphrase or key file to disk unlocked | :black_square_button: | :black_square_button: |
 | Choosing a strong passphrase | :black_square_button: | :black_square_button: |
 | Encrypting the `/boot` partition | :black_square_button: | :black_square_button: |
 | Securing swap partition with `/dev/urandom` | :black_square_button: | :black_square_button: |
 | `swap` or `tmp` using an automatically generated per-session throwaway key | :black_square_button: | :black_square_button: |