Gentoo Archives: gentoo-hardened

From: Marcel Meyer <meyerm@××××××.de>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Setting up a (more) secure notebook
Date: Wed, 18 Nov 2009 00:00:53
Message-Id: 200911180020.13232.meyerm@fs.tum.de
1 Hi,
2
3 I'm currently setting up a notebook, which will contain sensitive data. I want
4 to fully encrypt the whole harddrive with luks using a keyfile encrypted with
5 gnupg.
6
7 Since I have to leave the notebook sometimes in possible "unsecure" places,
8 all the boot-stuff (kernel, boot-loader, initramfs, keyfile) is placed on a
9 small USB key at my keychain. Basically that's an outsourced /boot.
10
11 Now I'd like to try to use the usb-key just as a generic loader for an already
12 encrypted kernel on the harddrive. The kernel/initramfs of the USB key loads
13 the LUKS-partition and instead of booting this system with the already loaded
14 kernel from the USB key it should replace the running kernel with another one
15 incl. initramfs from the harddrive using kexec from the encrypted partition.
16
17 Basically I have this setup running. One problem is, I'd have to compile
18 kexec-tools with a non-hardened toolchain. (see bug #183062)
19
20 But now I'm wondering what security implications I get by doing it this way.
21 What for problems do you see by doing it this way? Would it be a better idea
22 to just forget about that stuff and stay with an external /boot.
23
24 Thanks!
25 Marcel

Replies

Subject Author
Re: [gentoo-hardened] Setting up a (more) secure notebook schism@×××××××××.org