Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???

To: debian-user@lists.debian.org
Subject: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
From: Celejar <celejar@gmail.com>
Date: Sun, 30 Sep 2018 17:30:33 -0400
Message-id: <[🔎] 20180930173033.6877139b4f1dba213f94d96e@gmail.com>
In-reply-to: <[🔎] 3fa921b0-89ac-ac79-9bfd-c3b729026d98@affinityvision.com.au>
References: <[🔎] ca3cbcd6-a1d4-09d2-aff9-ad389884b3c8@plouf.fr.eu.org> <[🔎] lCK9MWRoxKTvcY-qN_89LgF4efdx7L7W4YiwFhE5aq2AwvWR95_-ztA7jhieunl2Lp0H-TYvMzDC04YeIklIPpT-B7gp-j-5UxwOcOtxzS0=@mattcrews.com> <[🔎] 2a2a59ac-2704-5a1f-1d8e-ef5f7cd86fc0@plouf.fr.eu.org> <[🔎] ffad641d-46b7-9378-77e8-cb399ac2e5a1@affinityvision.com.au> <[🔎] pnjupl$irj$1@blaine.gmane.org> <[🔎] 20180915223936.GI4569@bitfolk.com> <[🔎] f017f9d2-036f-3c7a-1ce5-cccdb13c3fdc@plouf.fr.eu.org> <[🔎] 20180919025753.GG4569@bitfolk.com> <[🔎] CAAKASGwKSWCJ4PEjB73+Yyrx_HEeU2z21yukUwbLAMFpv6v1GQ@mail.gmail.com> <[🔎] pogb4g$dug$1@blaine.gmane.org> <[🔎] 20180926171754.GA2820@chew.redmars.org> <[🔎] 8932a527-1286-e2cc-acf5-7972f0bfc803@affinityvision.com.au> <[🔎] 20180929211621.c062462c087ff77273a351a3@gmail.com> <[🔎] popr6e$58v$2@blaine.gmane.org> <[🔎] 3fa921b0-89ac-ac79-9bfd-c3b729026d98@affinityvision.com.au>

On Sun, 30 Sep 2018 20:03:41 +1000
Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Hi,
> 
> On 30/09/18 16:44, deloptes wrote:
> > Celejar wrote:
> > 
> >> But grub itself and its configuration can't be encrypted, so an 
> >> attacker could still compromise that code / data. IIUC, your
> >> solution basically just implies moving some of the logic
> >> currently in the initramfs into grub.
> > 
> > Yes, this is the point I am making.
> > 
> >> One solution is to run grub from removable media, and preventing 
> >> attackers from getting physical access to it ...
> 
> You can sometimes do remote mounting in something like HP's iLO ....
> you could mount a floppy or ISO image and boot it with the image only
> being available from a client machine using iLo.  But it won't work
> for machines without such capability.

I actually do the equivalent using Dell's iDrac - I configure it
(together with the machine's BIOS) to make the system console available
over ssh (using iDrac ssh credentials), and then use that console to
provide the credentials to unlock the system disk. IIUC, the security of
this is equivalent to your method.

Celejar

Reply to:

References:
- Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: ext2 for /boot ???
  - From: Matthew Crews <mailinglists@mattcrews.com>
- Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: ext2 for /boot ???
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>
- Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andy Smith <andy@strugglers.net>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andy Smith <andy@strugglers.net>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Igor Cicimov <icicimov@gmail.com>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Jonathan Dowland <jmtd@debian.org>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Celejar <celejar@gmail.com>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: deloptes <deloptes@gmail.com>
- Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
  - From: Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>

Prev by Date: Re: Scribus has stopped importing PDF files - repost - original thread was hijacked
Previous by thread: Re: Decrypting LUKS from initramfs; was: Re: ext2 for /boot ???
Next by thread: Re: ext2 for /boot ???
Index(es):
- Date
- Thread