On 04.09.2012 20:48, Michael Hampicke wrote:
>> In theory grub2 is able to open a luks-encrypted volume though
>> it seems to have some disadvantages: you'll need to enter the
>> passphrase (or pass the keyfile) two times, because grub itself
>> needs to decrypt the volume to get the later stages from the
>> encrypted volume and afterwards the decryption in the boot process
>> itself takes place.
>>
>> I can't give any real advice about it though, because I use an
>> unencrypted boot partition. Depending on your needs it could be
>> an increase of security, because you can stop an attacker from
>> injecting malicious code into your kernel (or replace it
>> completely).
>
> I don't think so, I still can replace your bootloader and grab
> your password. If you really think you might need something like
> this, I suggest you put your kernel and bootloader on a USB stick
> and boot your machine from that. When not in use keep the stick on
> your person.
>
> That still does not protect you from physically tampering with your
> device.
>
> Anyway, what about one of those fancy tin foil hats to protect
> oneself against the government's mind control rays :)
>
Ah yes - the aluminium foil deflector beanie (http://zapatopi.net/afdb/)... I just use it, when going out of my house or when updating my MindGuard (http://zapatopi.net/mindguard/)

Enough fun - I just wanted to name the possibility because it's there and it wouldn't require you to repartition your drive.

I think it would be an increase in security nonetheless, though you're correct: there are a lot more possible attack vectors with side channel stuff getting very freaky indeed (i.e.: there is an interesting paper about using the gyroscopes of a mobile telephone to make a (>80%) correct guess about the pressed key)