Re: Unencrypted boot with encrypted root
From: Pierre Neidhardt
Subject: Re: Unencrypted boot with encrypted root
Date: Fri, 03 Apr 2020 18:13:01 +0200
Ellen Papsch <address@hidden> writes:
> leaving /boot unencrypted allows attackers to plant malware relatively
> easily. They can mount the partition without ado and replace the kernel
> with a malicious one.
How can you do that if the root partition is encrypted?
> On a more serious note and to answer your question, unencrypted /boot
> is an option. Another is to have a key file on an external medium. This
> doesn't avoid the second wait. The long wait may be due to --iter-time
> option to cryptsetup luksFormat. I haven't looked at what the default is
> in Guix. The Grub decryption code is also purported to be slow [no
> source].
Thanks for the hint, I'll look into it.
> For a long time I personally used root encrypted systems and found the
> hassle not worth it. Encrypting /home and external hard drives should
> cut it. If you suspect the machine has been tampered with, don't boot,
> don't touch it. Even the hard disk firmware may have been modified.
My main motivation is that if my laptop gets stolen or lost, I don't want
anyone to access my personal data.
Encrypted /home is fine for this purpose.
By the way, is it possible to use the user password to unlock the $HOME
partition?
> Don't think you are in danger of being targeted? Well, you already are!
> Your mail often gets into my spam folder because of "suspicious TLD
> .xyz". That should be very telling ;-))
Yup, this has been a hassle for a while... :(
--
Pierre Neidhardt
https://ambrevar.xyz/