Re: Full disk-encryption question

To: debian-user@lists.debian.org
Subject: Re: Full disk-encryption question
From: Michael Kjörling <2695bd53d63c@ewoof.net>
Date: Mon, 23 Oct 2023 12:04:35 +0000
Message-id: <[🔎] 95984be0-a75f-4d03-8c1a-9ac2a87175f7@home.arpa>
In-reply-to: <[🔎] 20231023135948.4ca155c9@ryz.home.arpa>
References: <[🔎] 7cd8f8b4-aeca-4463-96bd-2c8eb62a728f@gazeta.pl> <[🔎] 20231023135948.4ca155c9@ryz.home.arpa>

On 23 Oct 2023 13:59 +0200, from mm@dorfdsl.de (Marco M.):
> Be aware that the boot loader and the /boot aren't encrypted by default
> and they can be attacked (e.g. simply place a tainted kernel inside) by
> anybody who has access to the harddisk.

Encrypted /boot has been supported with GRUB 2 for a while. That
leaves only a minimal portion of GRUB in plaintext on storage.

There's probably a way to use Secure Boot with custom signing keys to
make tampering with the part of GRUB which must be readable to unlock
the container for /boot very difficult without having access to the
booted system.

-- 
Michael Kjörling                     🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”

Reply to:

Follow-Ups:
- Re: Full disk-encryption question
  - From: "Marco M." <mm@dorfdsl.de>

References:
- Full disk-encryption question
  - From: lester29 <lester29@gazeta.pl>
- Re: Full disk-encryption question
  - From: "Marco M." <mm@dorfdsl.de>

Prev by Date: Re: Full disk-encryption question
Next by Date: Re: Full disk-encryption question
Previous by thread: Re: Full disk-encryption question
Next by thread: Re: Full disk-encryption question
Index(es):
- Date
- Thread