
Re: Full disk-encryption question



On 23 Oct 2023 13:59 +0200, from mm@dorfdsl.de (Marco M.):
> Be aware that the boot loader and the /boot aren't encrypted by default
> and they can be attacked (e.g. simply place a tainted kernel inside) by
> anybody who has access to the hard disk.

Encrypted /boot has been supported with GRUB 2 for a while. That
leaves only a minimal portion of GRUB in plaintext on storage.

There's probably a way to use Secure Boot with custom signing keys to
make tampering with the part of GRUB which must be readable to unlock
the container for /boot very difficult without having access to the
booted system.

-- 
Michael Kjörling                     🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
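As an added illustration of the two points raised in this thread (a plaintext /boot can be tampered with by anyone who has the disk; GRUB 2 can instead unlock an encrypted /boot, leaving only its small core image in the clear), the script below is not from the post or from the GRUB project. It checks two things a Debian admin can verify on a running system: whether the block device behind /boot has a dm-crypt mapping among its ancestors, and whether /etc/default/grub enables GRUB_ENABLE_CRYPTODISK so that grub-install builds a core image able to unlock it. The sample file contents and device chains embedded below are constructed for offline use; the `--live` mode uses the real `findmnt`, `lsblk` and /etc/default/grub, and assumes /boot is either its own mount or part of the root filesystem. It does not inspect the unencrypted GRUB core image itself, which is the part Secure Boot signing would have to cover.

```shell
#!/bin/sh
# Constructed sample of /etc/default/grub (not taken from the post):
# one commented-out and one active GRUB_ENABLE_CRYPTODISK line.
SAMPLE_GRUB_DEFAULT='GRUB_DEFAULT=0
GRUB_TIMEOUT=5
#GRUB_ENABLE_CRYPTODISK=y
GRUB_ENABLE_CRYPTODISK=y'

# Constructed samples of what `lsblk -sno TYPE <dev>` prints for the device
# holding /boot: the device itself first, then each ancestor outward.
SAMPLE_BOOT_CHAIN_ENCRYPTED='lvm
crypt
part
disk'
SAMPLE_BOOT_CHAIN_PLAIN='part
disk'

# Return 0 if GRUB_ENABLE_CRYPTODISK=y appears on a non-comment line
# of the given /etc/default/grub contents (quoted or unquoted value).
cryptodisk_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=["'"'"']?y'
}

# Return 0 if any device in the ancestry chain is a dm-crypt mapping,
# i.e. the filesystem holding /boot sits inside an encrypted container.
boot_is_encrypted() {
    printf '%s\n' "$1" | grep -qx 'crypt'
}

# Combine both checks into a single verdict string:
#   plaintext-boot                          /boot readable from the raw disk
#   encrypted-boot-grub-missing-cryptodisk  encrypted, but grub-install
#                                           would not build an unlocking core
#   encrypted-boot-ok                       encrypted and GRUB configured for it
check_boot_encryption() {
    grub_cfg=$1
    chain=$2
    if boot_is_encrypted "$chain"; then
        if cryptodisk_enabled "$grub_cfg"; then
            echo "encrypted-boot-ok"
        else
            echo "encrypted-boot-grub-missing-cryptodisk"
        fi
    else
        echo "plaintext-boot"
    fi
}

# Live mode: run the same checks against the current system.
# `findmnt -T /boot` resolves the mount that contains /boot whether or not
# /boot is a separate filesystem; `lsblk -s` walks the device's ancestors.
if [ "${1:-}" = "--live" ]; then
    boot_dev=$(findmnt -no SOURCE -T /boot)
    check_boot_encryption "$(cat /etc/default/grub)" "$(lsblk -sno TYPE "$boot_dev")"
fi
```

Run it as `sh check-boot-crypt.sh --live` on a Debian system; a verdict of `plaintext-boot` is the situation Marco describes, and `encrypted-boot-grub-missing-cryptodisk` means the container exists but a reinstall of GRUB would not be able to open it at boot.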

