Re: Unencrypted boot with encrypted root
From: pelzflorian (Florian Pelz)
Subject: Re: Unencrypted boot with encrypted root
Date: Fri, 3 Apr 2020 21:44:23 +0200

On Fri, Apr 03, 2020 at 05:44:13PM +0200, Ellen Papsch wrote:
> To make it harder, we leave /boot encrypted. Now the attacker plants
> their malware further down the stack: they replace the BIOS. Boom, you
> are owned! :-)

So using a single encrypted partition instead of separate /boot
protects from script kiddies (siblings/“friends”?) with hardware
access that know how to put their own grub.cfg on an unencrypted /boot
partition and then wait for you to unsuspectingly use your machine.

But it would still be possible for an attacker to flash or replace the
motherboard’s UEFI, or perhaps the part of GRUB installed on the
unaltered motherboard would willingly load a manipulated hard disk?
Or just install a keylogger.

So using the same boot partition as is done currently has

Pro: script kiddie protection
Con: passphrase must be entered twice; also entering the passphrase in
GRUB may use the wrong keyboard layout

Regards,
Florian