Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???

To: debian-user@lists.debian.org
Subject: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
From: Celejar <celejar@gmail.com>
Date: Sat, 29 Sep 2018 21:16:21 -0400
Message-id: <[🔎] 20180929211621.c062462c087ff77273a351a3@gmail.com>
In-reply-to: <[🔎] 8932a527-1286-e2cc-acf5-7972f0bfc803@affinityvision.com.au>
References: <[🔎] ca3cbcd6-a1d4-09d2-aff9-ad389884b3c8@plouf.fr.eu.org> <[🔎] lCK9MWRoxKTvcY-qN_89LgF4efdx7L7W4YiwFhE5aq2AwvWR95_-ztA7jhieunl2Lp0H-TYvMzDC04YeIklIPpT-B7gp-j-5UxwOcOtxzS0=@mattcrews.com> <[🔎] 2a2a59ac-2704-5a1f-1d8e-ef5f7cd86fc0@plouf.fr.eu.org> <[🔎] ffad641d-46b7-9378-77e8-cb399ac2e5a1@affinityvision.com.au> <[🔎] pnjupl$irj$1@blaine.gmane.org> <[🔎] 20180915223936.GI4569@bitfolk.com> <[🔎] f017f9d2-036f-3c7a-1ce5-cccdb13c3fdc@plouf.fr.eu.org> <[🔎] 20180919025753.GG4569@bitfolk.com> <[🔎] CAAKASGwKSWCJ4PEjB73+Yyrx_HEeU2z21yukUwbLAMFpv6v1GQ@mail.gmail.com> <[🔎] pogb4g$dug$1@blaine.gmane.org> <[🔎] 20180926171754.GA2820@chew.redmars.org> <[🔎] 8932a527-1286-e2cc-acf5-7972f0bfc803@affinityvision.com.au>

On Thu, 27 Sep 2018 17:54:26 +1000
Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> wrote:

...

> The biggest weakness with the Dropbear setup is that the initramfs is
> stored on an unencrypted partition (no matter which file system is
> used).  That means that someone with physical access can rebuild the
> initramfs and include their own key as well as other stuff to
> compromise the security of the server.
> 
> Aside from the fact that the IME is suspect, it would be great if grub
> can be, somehow, given a method that allows for full disk encryption
> which will include everything in /boot -- especially initramfs.

But grub itself and its configuration can't be encrypted, so an
attacker could still compromise that code / data. IIUC, your solution
basically just implies moving some of the logic currently in the
initramfs into grub.

One solution is to run grub from removable media, and preventing
attackers from getting physical access to it ...

Disclaimer: I'm no expert, and am just expressing my understanding of
the underlying unsolvable problem based on what I've read about it.

Celejar

Reply to:

Follow-Ups:
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>

References:
- Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: ext2 for /boot ???
  - From: Matthew Crews <mailinglists@mattcrews.com>
- Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: ext2 for /boot ???
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>
- Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andy Smith <andy@strugglers.net>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andy Smith <andy@strugglers.net>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Igor Cicimov <icicimov@gmail.com>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Jonathan Dowland <jmtd@debian.org>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>

Prev by Date: Where is xfce.org?
Next by Date: Re: Where is xfce.org?
Previous by thread: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
Next by thread: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
Index(es):
- Date
- Thread