Creating a Boot Partition on RHEL 7 and 8

Important: Please refer to Creating a Boot Partition on the AWS Root Volume if the VM is in AWS and Creating a Boot Partition in Microsoft Azure if the VM is in Azure.

Entrust requires a separate boot partition in which the Entrust KeyControl Policy Agent can be installed. How you do this depends on the version of Linux running on the server. For your convenience, the following section explains how to set up a separate boot partition on RHEL 7.

Important: If /boot is already using a separate partition, do not follow this process. Instead, you should encrypt system devices using the existing /boot partition as described in Encrypting Linux System Devices.

In the following example, the current Linux is installed on device /dev/sda and the GRUB stage1 bootloader is also installed on /dev/sda. This is a typical Linux installation. In addition, we have a new device named /dev/sdb to hold the new boot partition, and we will create a partition on it using sfdisk.

Note: You can also use the fdisk or parted utilities to create an MBR partition on the disk /dev/sdb. The partition should be a DOS-compatible Linux-type (83) partition starting at sector 2048, and it can cover the entire disk. The sfdisk input line below, 2048,,83,*, describes exactly that: start at sector 2048, extend to the end of the disk, type 83, flagged bootable.

# sfdisk -f -uS -D /dev/sdb << EOF
2048,,83,*
EOF

# partprobe

Find out the space required by the /boot subtree:

# du -sh /boot

As a rule of thumb, the space provided for the new boot partition should be twice the space used by /boot plus 100MB. Format the new partition with ext4 (ext3 is also fine), as follows:

# mkfs.ext4 /dev/sdb1

Copy the files from the /boot directory to the new boot partition. Use /boot/. rather than /boot/* so that hidden files, such as the .vmlinuz-*.hmac integrity files that FIPS mode checks at boot, are copied as well:

# mkdir -p /tmp/sdb1
# mount /dev/sdb1 /tmp/sdb1
# cp -a /boot/. /tmp/sdb1

Find the UUID of the new boot partition:

# blkid /dev/sdb1
# umount /tmp/sdb1

Add an entry to /etc/fstab to mount the new boot partition, as follows:

UUID=<uuid> /boot ext4 rw 0 0

Mount the /boot partition.

# mount /boot

Re-install GRUB on the current boot device; the GRUB files are written under /boot, which you mounted in the previous step. For example:

# grub2-install /dev/sda

Newer releases (RHEL 8) use the BootLoaderSpec (BLS) system, which stops grub2-mkconfig from generating the boot entries in the boot loader config file. To avoid this, disable the BLS config before running grub2-mkconfig by changing the following line in /etc/default/grub from

GRUB_ENABLE_BLSCFG=true

to

GRUB_ENABLE_BLSCFG=false

Note that GRUB is being installed on /dev/sda but the boot directory comes from /dev/sdb1. Update your GRUB configuration to take this change into account:

# grub2-mkconfig -o /boot/grub2/grub.cfg

Your system is ready now, so reboot and confirm that all is well.
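Before rebooting, it helps to check the outcome of the steps above mechanically. The script below is an added example, not part of Entrust's documentation or tooling: it assumes the device names used on this page, that findmnt and blkid are available (they are on RHEL 7 and 8), and it keeps each check as a function that takes its input as text so the logic can be exercised on captured output as well as on the live system.

```shell
#!/bin/sh
# Pre-reboot sanity checks for the relocated /boot (added example, not Entrust's own tooling).
# The checks take their input as text so they can be exercised on captured command output;
# live_check feeds them real output from findmnt, blkid and the config files.

# Turn one line of blkid output, e.g.  /dev/sdb1: UUID="3f2a..." TYPE="ext4"
# into the /etc/fstab entry the procedure asks for. Fails if UUID or TYPE is missing.
fstab_line_from_blkid() {
    uuid=$(printf '%s\n' "$1" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
    fstype=$(printf '%s\n' "$1" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] && [ -n "$fstype" ] || return 1
    printf 'UUID=%s /boot %s rw 0 0\n' "$uuid" "$fstype"
}

# Minimum partition size in MB: twice the current /boot usage plus 100 MB.
# $1 is the usage in MB, e.g. from: du -sm /boot | cut -f1
required_boot_mb() {
    echo $(( $1 * 2 + 100 ))
}

# UUID that /etc/fstab mounts on /boot ($1 is the fstab content); empty if none.
fstab_boot_uuid() {
    printf '%s\n' "$1" | sed -n 's/^UUID=\([^[:space:]]*\)[[:space:]]\{1,\}\/boot[[:space:]].*/\1/p'
}

# True when BLS is explicitly disabled ($1 is the /etc/default/grub content).
bls_disabled() {
    printf '%s\n' "$1" | grep -q '^GRUB_ENABLE_BLSCFG=false$'
}

# True when every file under $1 exists with identical content under $2, hidden files
# included: "cp -a /boot/*" skips /boot/.vmlinuz-*.hmac, which FIPS mode verifies at boot.
same_tree() {
    diff -rq "$1" "$2" >/dev/null 2>&1
}

# Live checks against the real system (run as root):  sh check_boot.sh --live
live_check() {
    dev=$(findmnt -no SOURCE /boot) || { echo "FAIL: /boot is not a separate mount"; return 1; }
    want=$(fstab_boot_uuid "$(cat /etc/fstab)")
    have=$(blkid -s UUID -o value "$dev")
    [ "$want" = "$have" ] || { echo "FAIL: fstab UUID '$want' != $dev UUID '$have'"; return 1; }
    bls_disabled "$(cat /etc/default/grub)" || { echo "FAIL: GRUB_ENABLE_BLSCFG is not false"; return 1; }
    [ -s /boot/grub2/grub.cfg ] || { echo "FAIL: /boot/grub2/grub.cfg is missing or empty"; return 1; }
    echo "OK: /boot is $dev (UUID $have), BLS disabled, grub.cfg present"
}

case "${1-}" in --live) live_check ;; esac
```

Save it as check_boot.sh and run it with --live after the grub2-mkconfig step; a FAIL line names the step to revisit before you reboot.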

What to Do Next

Verify the configuration as described in Verifying the Current VM Configuration and then encrypt the boot disk as described in Encrypting Linux System Devices.