If the netboot stuff is ever redone, we should look into using dm-verity on the root partition and signing the kernel. Both of those require a custom iPXE build. By signing everything, it's perfectly safe to use any mirror or protocol. dm-verity is probably a good idea to include even in the LiveUSB/CD. The CoreOS team has a lot of neat stuff done with dm-verity if you want to take a look. https://github.com/coreos/scripts/blob/master/build_library/grub_install.sh GRUB2 is used as a "shim" for dm-verity support. There's no option (that I know of) to use PGP with dm-verity. The netboot process would look like this: iPXE (unsigned BIOS or signed EFI using X.509) -> GRUB2 (signed BIOS or EFI using X.509) -> Kernel (signed using PGP) Or iPXE (unsigned BIOS or signed EFI using X.509) -> GRUB2 (signed BIOS or EFI using X.509) -> Kernel and / (signed with X.509)