Hi,

I'm currently setting up a notebook, which will contain sensitive data. I want
to fully encrypt the whole hard drive with LUKS using a keyfile encrypted with
GnuPG.

Since I have to leave the notebook sometimes in possibly "unsecure" places,
all the boot-stuff (kernel, boot-loader, initramfs, keyfile) is placed on a
small USB key on my keychain. Basically that's an outsourced /boot.

Now I'd like to try to use the USB key just as a generic loader for an already
encrypted kernel on the hard drive. The kernel/initramfs of the USB key loads
the LUKS-partition and instead of booting this system with the already loaded
kernel from the USB key it should replace the running kernel with another one
incl. initramfs from the hard drive using kexec from the encrypted partition.

Basically I have this setup running. One problem is, I'd have to compile
kexec-tools with a non-hardened toolchain. (see bug #183062)

But now I'm wondering what security implications I get by doing it this way.
What problems do you see with doing it this way? Would it be a better idea
to just forget about that stuff and stay with an external /boot?

Thanks!
Marcel
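
The hand-off described in the message above, sketched as an added example that is not part of the original post: the USB key's initramfs unlocks the LUKS partition with the gpg-encrypted keyfile, loads the kernel and initramfs stored inside it, and jumps to them with kexec. All paths, the device, the mapping name and the dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example: stage-2 hand-off, run from the initramfs on the USB key.
# Every path, device and mapping name below is an assumption.
KEY_GPG=${KEY_GPG:-/boot/rootkey.gpg}    # gpg-encrypted LUKS keyfile (USB key)
LUKS_DEV=${LUKS_DEV:-/dev/sda2}          # encrypted partition on the hard drive
MAP_NAME=${MAP_NAME:-cryptroot}
MNT=${MNT:-/mnt/root}
KERNEL=${KERNEL:-$MNT/boot/vmlinuz}
INITRD=${INITRD:-$MNT/boot/initramfs.img}
CMDLINE=${CMDLINE:-"root=/dev/mapper/$MAP_NAME ro"}
DRY_RUN=${DRY_RUN:-1}                    # 1 = print the steps, 0 = execute

# Run one command, or only print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Decrypt the keyfile and pipe it straight into cryptsetup, so the
# plaintext key never touches a filesystem.
unlock_root() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "gpg --decrypt $KEY_GPG | cryptsetup --key-file - luksOpen $LUKS_DEV $MAP_NAME"
    else
        gpg --decrypt "$KEY_GPG" |
            cryptsetup --key-file - luksOpen "$LUKS_DEV" "$MAP_NAME"
    fi
}

stage2_boot() {
    unlock_root || return 1
    run mount -o ro "/dev/mapper/$MAP_NAME" "$MNT" || return 1
    # Outside dry-run, refuse to continue without a readable kernel and initramfs.
    if [ "$DRY_RUN" != 1 ]; then
        { [ -r "$KERNEL" ] && [ -r "$INITRD" ]; } || return 2
    fi
    run kexec -l "$KERNEL" "--initrd=$INITRD" "--command-line=$CMDLINE" || return 1
    # kexec -e jumps without a shutdown, so release the disk first; the
    # second-stage initramfs has to unlock the partition again itself.
    run umount "$MNT" || return 1
    run cryptsetup luksClose "$MAP_NAME" || return 1
    run kexec -e
}

stage2_boot   # prints the six steps; set DRY_RUN=0 inside the initramfs
```

Whatever the second-stage initramfs uses to reopen the partition lives on the encrypted disk, while the kernel and initramfs on the USB key remain the unencrypted part of the chain.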