Celejar wrote:

> On Wed, 26 Jan 2011 23:24:07 +0100 Jochen Schulz <ml@well-adjusted.de> wrote:
>
>> Celejar:
>>
>>> Brad Alexander <storm16@gmail.com> wrote:
>>>
>>>> Linux admins used LUKS, and as a further step, I put /boot (the only partition that cannot be encrypted) on a USB stick, so that if anyone got the laptop, they had no access to the data.
>>>
>>> Why does putting /boot on a USB stick gain you anything?
>>
>> Because an unencrypted /boot may be altered by an attacker without you noticing it. Theoretically, the kernel may be replaced by another one that reports your passphrase to the attacker.
>
> Oh, basically the Evil Maid attack. Fair enough. But then you have to make sure the attacker can't flash the BIOS ...

Bother to explain how it works? If you have an encrypted partition, no adapted kernel will ever be able to access it. So how can an adapted kernel report the passphrase?
Or do you mean that the kernel can be altered to log the passphrase somewhere? This then is a way more general problem, as physical access to the computer will always allow someone to install a sniffing hardware or software device.
Sjoerd
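As an added example, not part of anyone's post in this thread: one way to notice the alteration Jochen describes is a SHA-256 manifest of /boot that is kept off the machine (for instance on the USB stick Brad mentions) and compared against the current contents before the passphrase is typed. The file names and contents in demo() are constructed; the check catches a swapped kernel or initrd but not a reflashed BIOS, which is Celejar's point.

```python
"""Detect changes to an unencrypted /boot with a stored SHA-256 manifest."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest


def compare_manifests(trusted, current):
    """Return (added, removed, changed) relative paths, each sorted.

    'trusted' is the manifest recorded while /boot was known good and
    stored away from the machine; 'current' is built at check time.
    """
    added = sorted(set(current) - set(trusted))
    removed = sorted(set(trusted) - set(current))
    changed = sorted(p for p in trusted
                     if p in current and trusted[p] != current[p])
    return added, removed, changed


def demo():
    """Constructed sample /boot whose kernel image is replaced after snapshot."""
    files = {"vmlinuz-example": b"kernel v1",       # constructed names/contents
             "initrd.img-example": b"initrd v1",
             "grub/grub.cfg": b"set default=0"}
    with tempfile.TemporaryDirectory() as boot:
        os.makedirs(os.path.join(boot, "grub"))
        for rel, data in files.items():
            with open(os.path.join(boot, rel), "wb") as f:
                f.write(data)
        trusted = build_manifest(boot)
        # Simulate tampering: kernel swapped, an extra file dropped in.
        with open(os.path.join(boot, "vmlinuz-example"), "wb") as f:
            f.write(b"kernel v1 + passphrase logger")
        with open(os.path.join(boot, "extra.mod"), "wb") as f:
            f.write(b"x")
        return compare_manifests(trusted, build_manifest(boot))
```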