On 06/06/2020 21:12, Rich Freeman wrote:
> To do this I'm just going to store my
> keys on the root filesystem so that the systems can be booted without
> interaction. Obviously if somebody compromises the files with the
> keys they can decrypt my drives, but this means that I just have to
> protect a couple of SD cards which contain my root filesystems,
> instead of worrying about each individual hard drive. The drives
> themselves end up being much more secure, because the password used to
> protect each drive is random and long - brute-forcing the password
> will be no easier than brute-forcing AES itself. This doesn't protect
> me at all if somebody breaks into my house and steals everything.

On the other hand, if you're always present at boot, stick the keys on a
USB that has to be in the laptop when it starts. If that's on your
(physical) keyring, chances are it won't be compromised at the same time
as the laptop - and hopefully the attacker won't realise it's needed for
boot :-)

(yes I know - security through obscurity is bad as your MAIN defence,
but a few layers on top of something secure just makes life more of a
pain for an attacker :-)

Cheers,
Wol