Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???

To: debian-user@lists.debian.org
Subject: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
From: deloptes <deloptes@gmail.com>
Date: Sun, 30 Sep 2018 08:44:08 +0200
Message-id: <[🔎] popr6e$58v$2@blaine.gmane.org>
Reply-to: deloptes@gmail.com
References: <[🔎] ca3cbcd6-a1d4-09d2-aff9-ad389884b3c8@plouf.fr.eu.org> <[🔎] lCK9MWRoxKTvcY-qN_89LgF4efdx7L7W4YiwFhE5aq2AwvWR95_-ztA7jhieunl2Lp0H-TYvMzDC04YeIklIPpT-B7gp-j-5UxwOcOtxzS0=@mattcrews.com> <[🔎] 2a2a59ac-2704-5a1f-1d8e-ef5f7cd86fc0@plouf.fr.eu.org> <[🔎] ffad641d-46b7-9378-77e8-cb399ac2e5a1@affinityvision.com.au> <[🔎] pnjupl$irj$1@blaine.gmane.org> <[🔎] 20180915223936.GI4569@bitfolk.com> <[🔎] f017f9d2-036f-3c7a-1ce5-cccdb13c3fdc@plouf.fr.eu.org> <[🔎] 20180919025753.GG4569@bitfolk.com> <[🔎] CAAKASGwKSWCJ4PEjB73+Yyrx_HEeU2z21yukUwbLAMFpv6v1GQ@mail.gmail.com> <[🔎] pogb4g$dug$1@blaine.gmane.org> <[🔎] 20180926171754.GA2820@chew.redmars.org> <[🔎] 8932a527-1286-e2cc-acf5-7972f0bfc803@affinityvision.com.au> <[🔎] 20180929211621.c062462c087ff77273a351a3@gmail.com>

Celejar wrote:

> But grub itself and its configuration can't be encrypted, so an
> attacker could still compromise that code / data. IIUC, your solution
> basically just implies moving some of the logic currently in the
> initramfs into grub.
> 

Yes, this is the point I am making.

> One solution is to run grub from removable media, and preventing
> attackers from getting physical access to it ...
> 

But this does not apply for a server, where you do not have physical access,
however in this case it is also obvious that no one can easily access the
machine and alter anything on it, except it is stolen.

> Disclaimer: I'm no expert, and am just expressing my understanding of
> the underlying unsolvable problem based on what I've read about it.

so do I

Reply to:

Follow-Ups:
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>

References:
- Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: ext2 for /boot ???
  - From: Matthew Crews <mailinglists@mattcrews.com>
- Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: ext2 for /boot ???
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>
- Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andy Smith <andy@strugglers.net>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andy Smith <andy@strugglers.net>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Igor Cicimov <icicimov@gmail.com>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Jonathan Dowland <jmtd@debian.org>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Celejar <celejar@gmail.com>

Prev by Date: Re: Ghostscript produces much larger pdf files now
Next by Date: Re: Syncing GnuPG between 2 system
Previous by thread: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
Next by thread: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
Index(es):
- Date
- Thread