Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
On 30/09/18 16:44, deloptes wrote:
> Celejar wrote:
>> But grub itself and its configuration can't be encrypted, so an
>> attacker could still compromise that code / data. IIUC, your
>> solution basically just implies moving some of the logic
>> currently in the initramfs into grub.
> Yes, this is the point I am making.
>> One solution is to run grub from removable media, and prevent
>> attackers from getting physical access to it ...
You can sometimes do remote mounting in something like HP's iLO ....
you could mount a floppy or ISO image and boot it with the image only
being available from a client machine using iLO. But it won't work
for machines without such capability.