Andrew McGlashan a écrit : > > On 21/11/2015 1:59 PM, David Christensen wrote: >> On 11/20/2015 01:04 AM, Pascal Hambourg wrote: >>> Anyone with physical access can do whatever they want. You can >>> set up restrictions in the BIOS or set restrictions in the boot >>> loader, but they still can take the disk out and read or modify >>> it with another machine. >>> >>> To protect against this you can use encryption or set up a >>> password on the disk (ATA security functions). Note that >>> encryption alone does not protect against tampering, as the boot >>> part cannot be encrypted. >> >> As I understand it, self-encrypting drives (SED) encrypt >> everything (including the boot partition). > > You can do full disk enccryption, but you are right that you need > something to "boot" ... my solution is to use dropbear which offers an > ssh login via an authorized key; once I'm logged in to that > mini-environment, I then unlock LUKS volumes and go forward from > there. Dropbear saves me from needing physical access to a keyboard > on the server and negates the need for BIOS involvement.
What problem does it solve exactly, besides the need of a keyboard ? I do not see how this "solution" protects against tampering of the unencrypted boot part.
