| 1 |
On 06/06/2020 21:12, Rich Freeman wrote: |
| 2 |
> To do this I'm just going to store my |
| 3 |
> keys on the root filesystem so that the systems can be booted without |
| 4 |
> interaction. Obviously if somebody compromises the files with the |
| 5 |
> keys they can decrypt my drives, but this means that I just have to |
| 6 |
> protect a couple of SD cards which contain my root filesystems, |
| 7 |
> instead of worrying about each individual hard drive. The drives |
| 8 |
> themselves end up being much more secure, because the password used to |
| 9 |
> protect each drive is random and long - brute-forcing the password |
| 10 |
> will be no easier than brute-forcing AES itself. This doesn't protect |
| 11 |
> me at all if somebody breaks into my house and steals everything. |
| 12 |
|
| 13 |
On the other hand, if you're always present at boot, stick the keys on a |
| 14 |
USB that has to be in the laptop when it starts. If that's on your |
| 15 |
(physical) keyring, chances are it won't be compromised at the same time |
| 16 |
as the laptop - and hopefully the attacker won't realise it's needed for |
| 17 |
boot :-) |
| 18 |
|
| 19 |
(yes I know - security through obscurity is bad as your MAIN defence, |
| 20 |
but a few layers on top of something secure just makes life more of a |
| 21 |
pain for an attacker :-) |
| 22 |
|
| 23 |
Cheers, |
| 24 |
Wol |
Archives