Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???

To: debian-user@lists.debian.org
Subject: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
Date: Sun, 30 Sep 2018 20:03:41 +1000
Message-id: <[🔎] 3fa921b0-89ac-ac79-9bfd-c3b729026d98@affinityvision.com.au>
In-reply-to: <[🔎] popr6e$58v$2@blaine.gmane.org>
References: <[🔎] ca3cbcd6-a1d4-09d2-aff9-ad389884b3c8@plouf.fr.eu.org> <[🔎] lCK9MWRoxKTvcY-qN_89LgF4efdx7L7W4YiwFhE5aq2AwvWR95_-ztA7jhieunl2Lp0H-TYvMzDC04YeIklIPpT-B7gp-j-5UxwOcOtxzS0=@mattcrews.com> <[🔎] 2a2a59ac-2704-5a1f-1d8e-ef5f7cd86fc0@plouf.fr.eu.org> <[🔎] ffad641d-46b7-9378-77e8-cb399ac2e5a1@affinityvision.com.au> <[🔎] pnjupl$irj$1@blaine.gmane.org> <[🔎] 20180915223936.GI4569@bitfolk.com> <[🔎] f017f9d2-036f-3c7a-1ce5-cccdb13c3fdc@plouf.fr.eu.org> <[🔎] 20180919025753.GG4569@bitfolk.com> <[🔎] CAAKASGwKSWCJ4PEjB73+Yyrx_HEeU2z21yukUwbLAMFpv6v1GQ@mail.gmail.com> <[🔎] pogb4g$dug$1@blaine.gmane.org> <[🔎] 20180926171754.GA2820@chew.redmars.org> <[🔎] 8932a527-1286-e2cc-acf5-7972f0bfc803@affinityvision.com.au> <[🔎] 20180929211621.c062462c087ff77273a351a3@gmail.com> <[🔎] popr6e$58v$2@blaine.gmane.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

On 30/09/18 16:44, deloptes wrote:
> Celejar wrote:
> 
>> But grub itself and its configuration can't be encrypted, so an 
>> attacker could still compromise that code / data. IIUC, your
>> solution basically just implies moving some of the logic
>> currently in the initramfs into grub.
> 
> Yes, this is the point I am making.
> 
>> One solution is to run grub from removable media, and preventing 
>> attackers from getting physical access to it ...

You can sometimes do remote mounting in something like HP's iLO ....
you could mount a floppy or ISO image and boot it with the image only
being available from a client machine using iLo.  But it won't work
for machines without such capability.

Cheers
A.
-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCW7CfdgAKCRCoFmvLt+/i
+zdRAQDLYu/z/LeeYe0rEmjRhzOU/K9zFPOWiICf/1elYU1htQEAq8YIRVub6kjb
Kw142B0ig3S0CkEY39l4Jq0IRbipGlY=
=BYHj
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Celejar <celejar@gmail.com>

References:
- Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: ext2 for /boot ???
  - From: Matthew Crews <mailinglists@mattcrews.com>
- Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: ext2 for /boot ???
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>
- Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andy Smith <andy@strugglers.net>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andy Smith <andy@strugglers.net>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Igor Cicimov <icicimov@gmail.com>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Jonathan Dowland <jmtd@debian.org>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Celejar <celejar@gmail.com>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>

Prev by Date: Re: Syncing GnuPG between 2 system
Next by Date: Re: Where is xfce.org?
Previous by thread: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
Next by thread: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
Index(es):
- Date
- Thread