Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
On Thu, 27 Sep 2018 17:54:26 +1000
Andrew McGlashan <email@example.com> wrote:
> The biggest weakness with the Dropbear setup is that the initramfs is
> stored on an unencrypted partition (no matter which file system is
> used). That means that someone with physical access can rebuild the
> initramfs and include their own key as well as other stuff to
> compromise the security of the server.
> Aside from the fact that the IME is suspect, it would be great if grub
> can be, somehow, given a method that allows for full disk encryption
> which will include everything in /boot -- especially initramfs.
But grub itself and its configuration can't be encrypted, so an
attacker could still compromise that code / data. IIUC, your solution
basically just implies moving some of the logic currently in the
initramfs into grub.
One solution is to run grub from removable media, and to prevent
attackers from getting physical access to it ...
Disclaimer: I'm no expert, and am just expressing my understanding of
the underlying unsolvable problem based on what I've read about it.