Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
> But grub itself and its configuration can't be encrypted, so an
> attacker could still compromise that code / data. IIUC, your solution
> basically just implies moving some of the logic currently in the
> initramfs into grub.
Yes, this is the point I am making.
> One solution is to run grub from removable media, and prevent
> attackers from getting physical access to it ...
But this does not apply to a server, where you do not have physical access.
However, in this case it is also obvious that no one can easily access the
machine and alter anything on it, unless it is stolen.
> Disclaimer: I'm no expert, and am just expressing my understanding of
> the underlying unsolvable problem based on what I've read about it.
So am I.