
In a UEFI system the grub bootloader is located on the EFI partition, and a /boot partition also needs to be present and unencrypted.

I have a dual-boot Linux / Windows hard drive where Windows is encrypted with VeraCrypt and Linux with the built-in dm-crypt. Is VeraCrypt's bootloader, along with an unencrypted Windows bootloader, also located on the EFI partition?

I wanted to move the whole EFI partition and the /boot partition off the hard drive to a USB device. Can I do it with a simple `dd` command and then delete the EFI and boot partitions on the drive? Will Windows complain if I move these to a USB device? There is also a Recovery partition for Windows, but I assume that I shouldn't worry about that. What do I gain security-wise by performing this operation?

1 Answer

I'm not familiar with Veracrypt, but I would expect its core boot-related functionality would have to be stored somewhere unencrypted. The logical place for this would be the ESP, but it could be somewhere else, such as a dedicated partition or even some unencrypted portion of an NTFS partition.

Simply copying the ESP to another device will not work. The trouble is that, under EFI, a pointer to the boot loader exists in NVRAM, and so if you move the boot loader, that NVRAM entry will be rendered invalid and the system will be left unbootable. You'll need to update the NVRAM entry, create an entirely new NVRAM entry, or rely on the fallback filename (EFI/BOOT/bootx64.efi) for your primary boot loader to get the system to boot. You can update or create a new boot entry with a tool like efibootmgr in Linux, bcdedit in Windows, EasyUEFI in Windows, bcfg in an EFI shell, or the built-in boot management tools in some EFI implementations.

For more on EFI basics, I recommend you start with the following:

None of these pages directly address your encryption questions, but they should all help, to one extent or another, build your understanding of how the EFI boot process works. Such an understanding will help you deal with an advanced configuration such as what you're trying to create.
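The point above about NVRAM entries going stale can be checked before anything is deleted. The script below, which is an added example and not code from the answer or from the efibootmgr project, parses `efibootmgr -v` output, reports every entry whose `HD(...)` device-path node references a partition you intend to remove, notes whether that entry is in `BootOrder`, flags loaders at the fallback path `\EFI\BOOT\BOOTX64.EFI` (the one path firmware finds without an NVRAM entry), and builds the `efibootmgr --create` command that would recreate the entry against the new ESP. The efibootmgr output embedded here is constructed for the example and the PARTUUIDs are made up; on a real system feed it the output of `efibootmgr -v` and the PARTUUIDs from `lsblk -o NAME,PARTUUID` for the ESP you are retiring.

```python
"""Find UEFI NVRAM boot entries that would break if a given ESP is deleted.

Added example. The efibootmgr -v text below is constructed; the PARTUUIDs
are made up. Only the report and the suggested command are produced; nothing
here writes to NVRAM.
"""
import re
import shlex
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample of `efibootmgr -v` output: two entries on the internal
# ESP (same PARTUUID) and one fallback-path entry on a second disk.
SAMPLE_EFIBOOTMGR = (
    "BootCurrent: 0001\n"
    "Timeout: 1 seconds\n"
    "BootOrder: 0001,0000,0002\n"
    "Boot0000* Windows Boot Manager\tHD(1,GPT,3f8c6a2e-1b4d-4e3a-9c71-0a1b2c3d4e5f,"
    "0x800,0x32000)/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)\n"
    "Boot0001* ubuntu\tHD(1,GPT,3f8c6a2e-1b4d-4e3a-9c71-0a1b2c3d4e5f,"
    "0x800,0x32000)/File(\\EFI\\ubuntu\\shimx64.efi)\n"
    "Boot0002* UEFI OS\tHD(1,GPT,7d2e9b10-5a6c-4f8d-b3e1-9f0e1d2c3b4a,"
    "0x800,0x32000)/File(\\EFI\\BOOT\\BOOTX64.EFI)\n"
)

# Path the firmware tries on a removable/unregistered ESP (x86-64 builds).
FALLBACK_LOADER = "\\EFI\\BOOT\\BOOTX64.EFI"

ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?) (.*?)\t(.*)$")
HD_RE = re.compile(r"HD\(\d+,GPT,([0-9A-Fa-f-]{36}),")
FILE_RE = re.compile(r"File\(([^)]*)\)")


class BootEntry(NamedTuple):
    num: str                 # e.g. "0001"
    active: bool             # '*' after the number means the entry is active
    label: str
    partuuid: Optional[str]  # GPT partition UUID from the HD(...) node
    loader: Optional[str]    # path inside the ESP from the File(...) node


def parse_efibootmgr(text: str) -> Tuple[List[str], Dict[str, BootEntry]]:
    """Return (BootOrder list, {number: BootEntry}) from `efibootmgr -v` text."""
    order: List[str] = []
    entries: Dict[str, BootEntry] = {}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            order = [n.strip() for n in line.split(":", 1)[1].split(",") if n.strip()]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        num, star, label, devpath = m.groups()
        hd = HD_RE.search(devpath)
        f = FILE_RE.search(devpath)
        entries[num] = BootEntry(
            num, star == "*", label.strip(),
            hd.group(1).lower() if hd else None,
            f.group(1) if f else None,
        )
    return order, entries


def stale_entries(text: str, retired_partuuids) -> List[dict]:
    """Entries whose HD() node points at a partition that is about to be deleted.

    `in_boot_order` tells you whether the firmware would actually try the entry;
    `fallback` tells you whether the loader sits at the path the firmware would
    find on the new device even with no NVRAM entry at all.
    """
    retired = {u.lower() for u in retired_partuuids}
    order, entries = parse_efibootmgr(text)
    report = []
    for num, e in sorted(entries.items()):
        if e.partuuid in retired:
            report.append({
                "num": num, "label": e.label, "active": e.active,
                "in_boot_order": num in order, "loader": e.loader,
                "fallback": (e.loader or "").upper() == FALLBACK_LOADER.upper(),
            })
    return report


def recreate_command(entry: BootEntry, new_disk: str, new_part: int) -> str:
    """Shell-quoted `efibootmgr --create` line that registers `entry` against
    the ESP copied to `new_disk`/`new_part`. Built as a string only; run it as
    root after the copy, then check with `efibootmgr -v` before deleting the old ESP."""
    args = ["efibootmgr", "--create", "--disk", new_disk, "--part", str(new_part),
            "--label", entry.label, "--loader", entry.loader or FALLBACK_LOADER]
    return shlex.join(args)


if __name__ == "__main__":
    old_esp = ["3f8c6a2e-1b4d-4e3a-9c71-0a1b2c3d4e5f"]   # constructed PARTUUID
    _, entries = parse_efibootmgr(SAMPLE_EFIBOOTMGR)
    for row in stale_entries(SAMPLE_EFIBOOTMGR, old_esp):
        print(f"Boot{row['num']} '{row['label']}' references the retired ESP "
              f"(in BootOrder: {row['in_boot_order']}, fallback path: {row['fallback']})")
        print("  recreate with:", recreate_command(entries[row["num"]], "/dev/sdb", 1))
```

The report is what you want to read before the `dd` copy is followed by a partition delete: any row with `in_boot_order` true and `fallback` false is an entry the firmware will try and fail on once the old ESP is gone, so it needs the `--create` (or a `--bootnum`/`--delete-bootnum` cleanup) first. `/dev/sdb` and partition 1 are assumed values for the USB device; substitute the real ones.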
