Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
On Sun, 30 Sep 2018 20:03:41 +1000
Andrew McGlashan <firstname.lastname@example.org> wrote:
> On 30/09/18 16:44, deloptes wrote:
> > Celejar wrote:
> >> But grub itself and its configuration can't be encrypted, so an
> >> attacker could still compromise that code / data. IIUC, your
> >> solution basically just implies moving some of the logic
> >> currently in the initramfs into grub.
> > Yes, this is the point I am making.
> >> One solution is to run grub from removable media, and prevent
> >> attackers from getting physical access to it ...
> You can sometimes do remote mounting in something like HP's iLO ...
> you could mount a floppy or ISO image and boot it with the image only
> being available from a client machine using iLO. But it won't work
> for machines without such capability.
I actually do the equivalent using Dell's iDRAC - I configure it
(together with the machine's BIOS) to make the system console available
over ssh (using iDRAC ssh credentials), and then use that console to
provide the credentials to unlock the system disk. IIUC, the security of
this is equivalent to your method.