help-grub
Re: GRUB & crypto? (& generally, more info on undocumented modules?)


From: John Lane
Subject: Re: GRUB & crypto? (& generally, more info on undocumented modules?)
Date: Sun, 21 Dec 2014 13:46:05 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2

On 20/12/14 23:16, Diagon wrote:
>>> I use a keyfile to avoid the duplicate passphrase entry issue. The 
>>> keyfile is on the USB stick. It's also inside the initramfs so that the 
>>> booting kernel can also unlock the disk. It's safe because the initramfs 
>>> is on an encrypted volume.
> John - does this mean that in your case, you never have to enter a 
> passphrase?  That is, it appears the keyfile on the USB opens your /boot, and 
> then the keyfile in the initramfs opens your root.
that's right.
>
> I am a little leery of putting the keyfile on the USB.  So if I were to just 
> use: 
>
> insmod luks
> cryptomount -H (hd0,1)/header hd1,1
>
> along with the keyfile in the initramfs, then I would be asked for the 
> password only once, by grub, correct?
yes
>
> I'm not a guy who knows a lot about crypto, though I am aware that it can be 
> quite delicate.  So I do have to wonder about the safety of having the key 
> sitting around on disk (in the initramfs) while the OS is running.  Once 
> decrypted by cryptomount, is there any way to pass that key on to the kernel? 
>  Is this even feasible?
I don't believe it's possible for the bootloader to pass an encryption
key to the Linux kernel. I believe BSD lets you do that but not Linux.
Doing so would be the sensible approach and I would do it if I could...

You should chmod 600 your initrd in /boot and chown it to root if you
haven't done so already. I think any encryption scheme falls back to the
protection offered by the OS when it is unlocked. I guess your comfort
level falls in line with your paranoia level. I'm personally not at the
point where someone accessing a root-protected file on a running system
is a major concern. If someone's in my running system I'd have bigger
things to worry about ;)
>  
>
> [...]
>
>> Whenever I update my OS, it installs new kernel and initramfs to /boot, 
>> totally oblivious to how those files 
>> get used.
> It may be me missing something, but it has appeared to me that at times the 
> Ubuntu updated has updated grub; though it's possible I could be mistaken.
it probably likes to regenerate grub.cfg whenever the kernel is updated
but Grub itself doesn't change that often. That said, I don't use
debian. I use Arch where you're more "on your own" anyway...
> /D
>
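The "chmod 600 your initrd and chown it to root" advice above can be checked mechanically. The script below is an added example, not code from this thread or from GRUB: it audits the initrd/initramfs images in a boot directory (the directory and expected owner are parameters, defaulting to root) and reports any image whose group/other permission bits are set or whose owner is wrong, then optionally tightens them. It assumes the GNU/Linux `ls -l` column layout.

```shell
#!/bin/sh
# Added example (not from the help-grub thread): audit and tighten
# permissions on initramfs images so an unprivileged user on the running
# system cannot read a LUKS keyfile embedded in them.

# audit_initrd_perms DIR [OWNER]
# Print every initrd*/initramfs* file in DIR whose group/other permission
# bits are not empty or whose owner is not OWNER (default: root).
# Returns 0 when all images are private to OWNER, 1 otherwise.
audit_initrd_perms() {
    dir=$1
    want_owner=${2:-root}
    bad=0
    for f in "$dir"/initrd* "$dir"/initramfs*; do
        [ -f "$f" ] || continue
        # ls -l: columns 5-10 are the group and other permission triplets,
        # field 3 is the owning user (assumed GNU/Linux layout).
        line=$(ls -ld "$f")
        perms=$(printf '%s\n' "$line" | cut -c5-10)
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        if [ "$perms" != "------" ] || [ "$owner" != "$want_owner" ]; then
            echo "$f: group/other bits '$perms', owner '$owner'"
            bad=1
        fi
    done
    return $bad
}

# tighten_initrd_perms DIR
# chmod 600 every image in DIR; chown to root only when running as root,
# since chown would otherwise fail and abort the loop.
tighten_initrd_perms() {
    dir=$1
    for f in "$dir"/initrd* "$dir"/initramfs*; do
        [ -f "$f" ] || continue
        chmod 600 "$f"
        if [ "$(id -u)" = 0 ]; then
            chown root:root "$f"
        fi
    done
    return 0
}

# Usage: ./initrd-perms.sh /boot   (audits, then tightens if anything is loose)
if [ -n "$1" ]; then
    audit_initrd_perms "$1" || tighten_initrd_perms "$1"
fi
```

Run it after every kernel update: the package manager regenerates the initramfs with its default umask and does not know the image carries a key.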