> In theory grub2 is able to open a luks-encrypted volume though it
> seems to have some disadvantages: you'll need to enter the passphrase
> (or pass the keyfile) two times, because grub itself needs to decrypt
> the volume to get the later stages from the encrypted volume and
> afterwards the decryption in the boot process itself takes place.
>
> I can't give any real advice about it though, because I use an
> unencrypted boot partition. Depending on your needs it could be an
> increase of security, because you can stop an attacker from injecting
> malicious code into your kernel (or replace it completely).

I don't think so, I still can replace your bootloader and grab your
password. If you really think you might need something like this, I
suggest you put your kernel and bootloader on a USB stick and boot your
machine from that. When not in use keep the stick on your person.

That still does not protect you from physically tampering with your device.

Anyway, what about one of those fancy tin foil hats to protect oneself
against the government's mind control rays :)