Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???

To: debian-user@lists.debian.org
Subject: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
From: deloptes <deloptes@gmail.com>
Date: Thu, 27 Sep 2018 17:32:10 +0200
Message-id: <[🔎] poit0m$vgo$1@blaine.gmane.org>
Reply-to: deloptes@gmail.com
References: <[🔎] ca3cbcd6-a1d4-09d2-aff9-ad389884b3c8@plouf.fr.eu.org> <[🔎] lCK9MWRoxKTvcY-qN_89LgF4efdx7L7W4YiwFhE5aq2AwvWR95_-ztA7jhieunl2Lp0H-TYvMzDC04YeIklIPpT-B7gp-j-5UxwOcOtxzS0=@mattcrews.com> <[🔎] 2a2a59ac-2704-5a1f-1d8e-ef5f7cd86fc0@plouf.fr.eu.org> <[🔎] ffad641d-46b7-9378-77e8-cb399ac2e5a1@affinityvision.com.au> <[🔎] pnjupl$irj$1@blaine.gmane.org> <[🔎] 20180915223936.GI4569@bitfolk.com> <[🔎] f017f9d2-036f-3c7a-1ce5-cccdb13c3fdc@plouf.fr.eu.org> <[🔎] 20180919025753.GG4569@bitfolk.com> <[🔎] CAAKASGwKSWCJ4PEjB73+Yyrx_HEeU2z21yukUwbLAMFpv6v1GQ@mail.gmail.com> <[🔎] pogb4g$dug$1@blaine.gmane.org> <[🔎] 20180926171754.GA2820@chew.redmars.org> <[🔎] 8932a527-1286-e2cc-acf5-7972f0bfc803@affinityvision.com.au>

Andrew McGlashan wrote:

> The biggest weakness with the Dropbear setup is that the initramfs is
> stored on an unencrypted partition (no matter which file system is
> used).  That means that someone with physical access can rebuild the
> initramfs and include their own key as well as other stuff to
> compromise the security of the server.
> 
Exactly what I was saying

> Aside from the fact that the IME is suspect, it would be great if grub
> can be, somehow, given a method that allows for full disk encryption
> which will include everything in /boot -- especially initramfs.
> 

but it would also mean that it should be accessible over the internet,
because I do not see any other way to reach the server and decrypt.

> Even so, then grub might have another attack vector of itself.  But it
> would at least allow for encrypted /boot ...

Well but again we shift from the boot partition to grub - hense if
probability that one has physical access to the server can be ignored,
dropbear is still practical solution.

regards

Reply to:

Follow-Ups:
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Igor Cicimov <icicimov@gmail.com>

References:
- Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: ext2 for /boot ???
  - From: Matthew Crews <mailinglists@mattcrews.com>
- Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: ext2 for /boot ???
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>
- Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andy Smith <andy@strugglers.net>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andy Smith <andy@strugglers.net>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Igor Cicimov <icicimov@gmail.com>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Jonathan Dowland <jmtd@debian.org>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>

Prev by Date: Re: question about ls
Next by Date: How to react on a factually wrong Debian wiki change ?
Previous by thread: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
Next by thread: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
Index(es):
- Date
- Thread