While you can encrypt every other partition on your system, the boot volume remains unencrypted, leaving it exposed to tampering. chkboot uses simple techniques to detect whether your boot volume has been modified between reboots.
chkboot stores the sha256 checksum of every boot file, and of the MBR of the boot volume if it exists, in an encrypted volume on the system. On every boot it compares this stored data against freshly generated checksums. It maintains a log with timestamps (useful when reviewing system activity) as well as a small temporary list of changed files, which is cleared on the next boot after the user has been notified of the changes.
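The baseline-and-compare approach described above, as an added shell example that is not chkboot's own code: it records sha256 digests of every file under a directory (and optionally of a boot device's MBR) into a database file, reports files that changed, appeared or disappeared, and writes a timestamped log plus a changed-files list. The directory names, database and log paths and the sample boot tree are constructed for the demo.

```shell
#!/bin/sh
# Added example, not chkboot's own code: a minimal baseline-and-compare check of
# the kind the text describes. Digests are stored as "<sha256>  <path>" lines,
# the same layout sha256sum prints. Paths, database, log and the sample "boot"
# tree are constructed for the demo; file names containing whitespace or
# backslashes are not handled.

# chkboot_baseline DIR DB [DEV]: write one digest line per regular file under DIR
# into DB, sorted by path. If DEV is readable, the digest of its first 512 bytes
# (the MBR) is appended as "MBR:<dev>" so boot-sector tampering is caught too.
chkboot_baseline() {
    bdir=$1; bdb=$2; bdev=$3
    ( cd "$bdir" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2 > "$bdb"
    if [ -n "$bdev" ] && [ -r "$bdev" ]; then
        mbr=$(dd if="$bdev" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1)
        printf '%s  MBR:%s\n' "$mbr" "$bdev" >> "$bdb"
    fi
}

# chkboot_compare DIR DB [DEV]: rebuild the digest list and diff it against DB.
# Prints "changed <path>", "added <path>" or "removed <path>" per difference.
# Returns 0 when the boot volume matches the baseline, 1 otherwise.
chkboot_compare() {
    cdir=$1; cdb=$2; cdev=$3
    cnow=$(mktemp)
    chkboot_baseline "$cdir" "$cnow" "$cdev"
    cstatus=0
    # Paths present now: absent from the baseline means added, other digest means changed.
    while read -r chash cpath; do
        cold=$(awk -v p="$cpath" '$2 == p { print $1 }' "$cdb")
        if [ -z "$cold" ]; then
            echo "added $cpath"; cstatus=1
        elif [ "$cold" != "$chash" ]; then
            echo "changed $cpath"; cstatus=1
        fi
    done < "$cnow"
    # Paths in the baseline that no longer exist.
    while read -r chash cpath; do
        awk -v p="$cpath" '$2 == p { f = 1 } END { exit !f }' "$cnow" \
            || { echo "removed $cpath"; cstatus=1; }
    done < "$cdb"
    rm -f "$cnow"
    return $cstatus
}

# demo: build a constructed boot tree, take a baseline, tamper with the tree,
# log the differences with a timestamp and print the changed-files list.
demo() {
    w=$(mktemp -d)
    mkdir "$w/boot"
    printf 'kernel image (constructed sample)\n' > "$w/boot/vmlinuz-demo"
    printf 'initramfs (constructed sample)\n' > "$w/boot/initramfs-demo.img"
    chkboot_baseline "$w/boot" "$w/chkboot.db"
    # Simulated tampering after the baseline: a modified kernel and an unexpected file.
    printf 'tampered\n' >> "$w/boot/vmlinuz-demo"
    printf 'rogue\n' > "$w/boot/extra"
    chkboot_compare "$w/boot" "$w/chkboot.db" > "$w/changed" || true
    # Timestamped log for later review; the short changed list is what the user is shown.
    while read -r line; do
        printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$line"
    done < "$w/changed" >> "$w/chkboot.log"
    cat "$w/changed"
    rm -rf "$w"
    return 0
}

demo
```

Running the block prints `added ./extra` and `changed ./vmlinuz-demo`. In a real deployment the database and log would live on an encrypted volume, as chkboot does, since a baseline stored on the unencrypted boot partition could be rewritten along with the files it protects.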
- initcpio: If your system uses initcpio, add 'chkboot' to the end of your modules array to have chkboot run automatically when you upgrade Linux.
- systemd: If your system uses systemd, enable the chkboot service to have your boot partition checked every time your system boots.
Run the following commands to install chkboot on Ubuntu:
$ git clone https://github.com/grazzolini/chkboot
$ cd chkboot
$ sudo make install
# install the initcpio component
$ sudo make install-initcpio
# install the systemd component
$ sudo make install-systemd
/etc/default/chkboot.conf: the chkboot configuration file. It must be set up first; examples are available in the file.
chkboot: needs to be run as root to be effective. Generates the sha256 checksums and compares them against the previously generated data; it does the bookkeeping as well.
chkboot-check: can be run by any user who can read /var/lib/chkboot. Displays a warning and the list of changed files.
On GitHub: chkboot