Creating a Boot Partition on Ubuntu
Important: Please refer to Creating a Boot Partition on the AWS Root Volume if the VM is in AWS and Creating a Boot Partition in Microsoft Azure if the VM is in Azure.
Entrust requires a separate boot partition in which the Entrust KeyControl Policy Agent can be installed. How you do this depends on the version of Linux running on the server. For your convenience, the following section explains how to set up a separate boot partition on Ubuntu.
Important: If /boot is already using a separate partition, do not follow this process. Instead, encrypt the system devices using the existing /boot partition as described in Encrypting Linux System Devices.
In the following example, the current Linux system is installed on device /dev/sda and the GRUB stage1 bootloader is also installed on /dev/sda. This is a typical Linux installation. In addition, we have a new device named /dev/sdb to hold the new boot partition, and we will create a partition on it using sfdisk.
Note: You can also use the fdisk or parted utilities to create an MBR partition on the disk /dev/sdb. The partition should be a DOS-compatible Linux-type partition (type 83, as in the command below) starting at sector 2048. The partition can cover the entire disk.
# sfdisk -f -uS /dev/sdb << EOF
2048,,83,*
EOF
# partprobe
If the /boot/efi directory is present, unmount it:
# umount /boot/efi
Note: This directory is present when the system boots with UEFI.
Find out how much space the /boot subtree currently uses:
# du -sh /boot
As a rule of thumb, the new boot partition should be twice the space currently used by /boot plus 100 MB. Format the new partition with ext4 (ext3 is also fine), as follows:
# mkfs.ext4 /dev/sdb1
Copy the files from the /boot directory to the new boot partition:
# mkdir -p /tmp/sdb1
# mount /dev/sdb1 /tmp/sdb1
# cp -a /boot/* /tmp/sdb1
Get the UUID of the new boot partition:
# blkid /dev/sdb1
# umount /tmp/sdb1
Add an entry to /etc/fstab to mount the new boot partition, using the UUID reported by blkid:
UUID=<uuid> /boot ext4 rw 0 0
Important: The /boot/efi partition is different from the /boot partition. The former is used by the EFI boot system. Do not remove or comment out the /boot/efi entry from /etc/fstab when you add the entry for /boot.
Mount the new /boot partition. For example:
# mount /boot
If you are using UEFI, /etc/fstab will have an entry for /boot/efi. In this case, you must also mount /boot/efi:
# mount /boot/efi
Install GRUB so that its boot files are placed on the new boot partition (the newly mounted /boot) while the GRUB stage1 bootloader is written to the current boot device, as follows:
# grub-install /dev/sda
Note that GRUB is being installed on /dev/sda, but the boot directory now comes from /dev/sdb1. Update your GRUB configuration to take this change into account:
# grub-mkconfig -o /boot/grub/grub.cfg
Your system is now ready, so reboot and confirm that it boots correctly from the new /boot partition.
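The procedure above, written as an added POSIX shell script that is not part of the Entrust documentation. The disk names /dev/sdb and /dev/sda, the script name boot-migrate.sh and the temporary mount point /tmp/newboot are assumptions; the helpers take their input as text so the "is /boot already separate", sizing and fstab steps can be checked without touching a disk.

```shell
#!/bin/sh
# Added example (not Entrust's code): the Ubuntu /boot migration above as shell
# functions. The helpers take their input as text so they can be checked on
# constructed data; run_migration calls the real tools and only runs as root via
#   sh boot-migrate.sh --apply /dev/sdb /dev/sda   (device names are assumptions)

# $1 = contents of /proc/mounts or /etc/fstab, $2 = mount point. Succeeds when an
# uncommented entry for that mount point exists: used for the "do not follow this
# process if /boot is already separate" check and to see if /boot/efi needs remounting.
mount_entry_present() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }'
}

# Rule of thumb from the page: twice the current usage of /boot plus 100 MB.
# $1 = kilobytes as reported by `du -sk /boot`; prints the required size in MB.
required_boot_mb() {
    echo $(( $1 * 2 / 1024 + 100 ))
}

# $1 = the `blkid /dev/sdb1` output line. Prints the fstab entry in UUID= form so it
# survives device renames; fails if no UUID (as opposed to PARTUUID) is present.
fstab_line_from_blkid() {
    uuid=$(printf '%s\n' "$1" | sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] || return 1
    printf 'UUID=%s /boot ext4 rw 0 0\n' "$uuid"
}

# $1 = new empty disk, $2 = disk carrying the GRUB stage1 (the root disk here).
run_migration() {
    disk=$1; grub_disk=$2; part=${disk}1
    if mount_entry_present "$(cat /proc/mounts)" /boot; then
        echo "/boot is already a separate partition; keep using it instead" >&2
        return 1
    fi
    echo "$part should be at least $(required_boot_mb "$(du -sk /boot | cut -f1)") MB"
    printf '2048,,83,*\n' | sfdisk -f -uS "$disk" || return 1  # one Linux partition from sector 2048
    partprobe
    mountpoint -q /boot/efi && umount /boot/efi                # only present on UEFI systems
    mkfs.ext4 "$part" || return 1
    mkdir -p /tmp/newboot && mount "$part" /tmp/newboot || return 1
    cp -a /boot/. /tmp/newboot/ || return 1                    # /boot/. also copies dotfiles
    umount /tmp/newboot
    fstab_line_from_blkid "$(blkid "$part")" >> /etc/fstab || return 1
    mount /boot || return 1
    mount_entry_present "$(cat /etc/fstab)" /boot/efi && mount /boot/efi   # never drop the EFI entry
    grub-install "$grub_disk" && grub-mkconfig -o /boot/grub/grub.cfg      # stage1 on $grub_disk, files from $part
}
if [ "$1" = "--apply" ]; then run_migration "$2" "$3"; fi
```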
What to Do Next
Verify the configuration as described in Verifying the Current VM Configuration and then encrypt the boot disk as described in Encrypting Linux System Devices.