
Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???

Andrew McGlashan wrote:

> The biggest weakness with the Dropbear setup is that the initramfs is
> stored on an unencrypted partition (no matter which file system is
> used).  That means that someone with physical access can rebuild the
> initramfs and include their own key as well as other stuff to
> compromise the security of the server.
Exactly what I was saying.

> Aside from the fact that the IME is suspect, it would be great if grub
> can be, somehow, given a method that allows for full disk encryption
> which will include everything in /boot -- especially initramfs.

But it would also mean that it should be accessible over the internet,
because I do not see any other way to reach the server and decrypt.

> Even so, then grub might have another attack vector of itself.  But it
> would at least allow for encrypted /boot ...

Well, but again we shift from the boot partition to grub - hence, if the
probability that one has physical access to the server can be ignored,
dropbear is still a practical solution.

