Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
Andrew McGlashan wrote:
> The biggest weakness with the Dropbear setup is that the initramfs is
> stored on an unencrypted partition (no matter which file system is
> used). That means that someone with physical access can rebuild the
> initramfs and include their own key as well as other stuff to
> compromise the security of the server.
Exactly what I was saying
> Aside from the fact that the IME is suspect, it would be great if grub
> can be, somehow, given a method that allows for full disk encryption
> which will include everything in /boot -- especially initramfs.
but it would also mean that it should be accessible over the internet,
because I do not see any other way to reach the server and decrypt.
> Even so, then grub might have another attack vector of itself. But it
> would at least allow for encrypted /boot ...
Well but again we shift from the boot partition to grub - hense if
probability that one has physical access to the server can be ignored,
dropbear is still practical solution.