grub-devel

Re: GRUB open LUKS with image hdd ESXi. It is possible?


From: Robin Schneider
Subject: Re: GRUB open LUKS with image hdd ESXi. It is possible?
Date: Wed, 15 Jun 2016 19:47:52 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 14.06.2016 22:44, ??????? ??????? wrote:
> 
> Hello. Please advise whether it is possible to do this using GRUB. I copied
> the HDD into a partition with the command "dd if=/dev/sdb of=/dev/sda2". Can GRUB
> open /dev/sda2 as a separate device with its own partitions and then transfer
> control back, the way "kpartx" does, for example? The general problem is this: I
> want to put ESXi on a LUKS-encrypted partition. The ESXi loader does not support
> LUKS encryption. So I want to keep the installed ESXi on a LUKS-encrypted
> partition, have GRUB open the LUKS-encrypted partition and boot ESXi
> from there. ESXi uses multiple partitions for its work. Tell me, is it
> possible? If it is possible, what needs to be done? Thank you!


Hi.

I am not directly involved in the GRUB project, but I think I might be able to
contribute something to your question.
About the first part: I have no idea whether GRUB can natively handle a partition
which itself starts with a partition table and use the inner partitions. I guess
the easiest way to do this would be to just fake the outer partition table to
include the partitions of /dev/sda2, or to specify the partition start and end
somehow.

Anyway. Your main question seems to be how to run ESXi (the proprietary hypervisor
by VMware) and potentially its data stores (where the VM images are stored)
on a LUKS-encrypted block device. To summarize, you intend to use GRUB's block
device encryption support to transparently handle the encryption/decryption of
/dev/sda2. As far as I understand it, GRUB would be able to decrypt/mount a
partition in /dev/sda2 and load (into RAM) whatever executable is lying around
there. The thing is that the next step would be to hand complete control over
to this loaded executable. At this point, GRUB is not running anymore and the
ESXi kernel will be booting on the machine. Then ESXi will try to find its
OS partition(s) (which will probably fail, since they are encrypted).
So in short: what you have been asking for is not possible with GRUB.
What might be possible, in case you really want to use ESXi, would be a kind of
[Blue Pill][1] approach. You would start a small hypervisor before ESXi
which does the encryption/decryption, and then start ESXi as a guest VM of
that hypervisor. I have never worked with nested virtualization, but it could be
interesting to see whether that would work.

Now, having said all that, I guess you just want an encrypted hypervisor plus
VMs. In that case just drop ESXi and use a hypervisor solution which supports
encryption out of the box, for example KVM with libvirt, or Xen. In both cases
you would be able to set up FDE easily.
You could also do the encryption in the ESXi guests themselves. I am not sure, but
maybe ESXi also supports some kind of encryption; at least I haven't seen such a
feature yet. But I am quite sure that would not include the complete system.

[1]: https://en.wikipedia.org/wiki/Blue_Pill_%28software%29

-- 
Live long and prosper
Robin `ypid` Schneider
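The "specify the partition start and end somehow" part of the first question is exactly the arithmetic kpartx does: read the outer MBR, find where /dev/sda2 starts, read the second MBR sitting at the start of that partition, and add the two offsets. The script below is an added example written for this archive page; it is not Robin's code and not part of GRUB. It assumes DOS/MBR partition tables (not GPT), looks only at the four primary entries, builds its own constructed disk image in memory so it runs offline, and uses /dev/sda purely as an illustrative device name in the device-mapper table line. The check that every inner partition stays inside its container is the part worth keeping: a dd'd image carries whatever partition table the source disk had, and a bogus entry would otherwise map some unrelated region of the outer disk.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446          # four 16-byte entries at bytes 446..509
MBR_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"     # bytes 510..511
MBR_ENTRY_FMT = "<B3xB3xII"     # status, CHS(3), type, CHS(3), LBA start, sector count


def parse_mbr(sector0: bytes) -> list:
    """Return (index, type, lba_start, sector_count) for each used primary entry.
    Extended partitions (0x05/0x0f) are reported as-is and not followed."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR signature (0x55AA) at byte 510")
    entries = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + i * MBR_ENTRY_SIZE
        _status, ptype, lba, count = struct.unpack_from(MBR_ENTRY_FMT, sector0, off)
        if ptype == 0 or count == 0:        # empty slot
            continue
        entries.append((i + 1, ptype, lba, count))
    return entries


def nested_partitions(image: bytes, outer_index: int) -> list:
    """Map the partitions of the MBR found at the start of outer partition
    `outer_index` to absolute sectors of the whole disk; refuse any that
    extend beyond that outer partition."""
    outer = {e[0]: e for e in parse_mbr(image[:SECTOR])}
    if outer_index not in outer:
        raise ValueError(f"outer partition {outer_index} not present")
    _, _, o_lba, o_count = outer[outer_index]
    if (o_lba + o_count) * SECTOR > len(image):
        raise ValueError("outer partition extends past the end of the disk")

    inner_mbr = image[o_lba * SECTOR:(o_lba + 1) * SECTOR]
    mapped = []
    for idx, ptype, lba, count in parse_mbr(inner_mbr):
        # A corrupt or hostile inner table may point outside its container;
        # reject it rather than expose a different region of the outer disk.
        if lba == 0 or lba + count > o_count:
            raise ValueError(f"inner partition {idx} lies outside outer partition {outer_index}")
        mapped.append({
            "inner_index": idx,
            "type": ptype,
            "abs_lba": o_lba + lba,
            "sectors": count,
            "abs_offset": (o_lba + lba) * SECTOR,
        })
    return mapped


def dm_linear_table(device: str, part: dict) -> str:
    """The device-mapper 'linear' table kpartx loads for one mapping:
    <start> <length> linear <device> <offset>, all in sectors."""
    return f"0 {part['sectors']} linear {device} {part['abs_lba']}"


# --- constructed sample disk (built in memory, not a real image) -------------

def _mbr(entries) -> bytes:
    sector = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        off = MBR_TABLE_OFFSET + i * MBR_ENTRY_SIZE
        sector[off:off + MBR_ENTRY_SIZE] = struct.pack(MBR_ENTRY_FMT, 0x00, ptype, lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def build_sample_image(inner_entries=None) -> bytes:
    """10240-sector disk: partition 1 at LBA 2048 (1024 sectors), partition 2
    at LBA 4096 (6144 sectors). Partition 2 holds a copied disk whose own MBR
    describes two inner partitions, like the dd'd /dev/sdb in the question."""
    if inner_entries is None:
        inner_entries = [(0x06, 64, 512), (0x0c, 1024, 4096)]
    image = bytearray(10240 * SECTOR)
    image[0:SECTOR] = _mbr([(0x83, 2048, 1024), (0x83, 4096, 6144)])
    image[4096 * SECTOR:4097 * SECTOR] = _mbr(inner_entries)
    return bytes(image)


def rejects_escaping_inner_partition() -> bool:
    """Inner partition 2 claims 8192 sectors, more than its 6144-sector container."""
    hostile = build_sample_image([(0x06, 64, 512), (0x0c, 1024, 8192)])
    try:
        nested_partitions(hostile, 2)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for p in nested_partitions(build_sample_image(), 2):
        print(p, "->", dm_linear_table("/dev/sda", p))
```

With the sample disk, the inner partitions come out at absolute LBA 4160 and 5120; those are the start values you would feed to any mechanism that takes an explicit partition offset, and the table lines are what kpartx would hand to dmsetup on a running Linux system.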


