[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#858009: Debian "Full Disk Encryption" is a misnomer, /boot not encrypted, Evil Maid attacks, enable grub cryptodisk, improve guided encrypted partitioning

Package: debian-installer
Version: stretch-rc2

The Debian Stretch RC2 installer and previous versions do not allow Full Disk Encryption since /boot is more vulnerable to Evil Maid attacks due to it being unencrypted. Securing /boot makes Evil Maid attacks slightly more difficult, raising the cost / time for an adversary with physical access.

I suggest looking at prior bugs from over a year ago suggesting how to start fixing this by enabling the cryptodisk option for grub, then modifying the debian-installer flows to automatically partition using a base encrypted volume for which all other partitions / LVM2 groups sit atop of, including /boot. This would hopefully replace the current and slightly more insecure "Guided - Use Entire Disk and Set Up Encrypted LVM..." option.


Tested Debian Stretch RC2 and prior versions.

Reply to: