| 1 |
> In theory grub2 is able to open a luks-encrypted volume though it |
| 2 |
> seems to have some disadvantages: you'll need to enter the passphrase |
| 3 |
> (or pass the keyfile) two times, because grub itself needs to decrypt |
| 4 |
> the volume to get the later stages from the encrypted volume and |
| 5 |
> afterwards the decryption in the bootprocess itself takes place. |
| 6 |
> |
| 7 |
> I can't give any real advice about it though, because I use an |
| 8 |
> unencrypted boot partition. Depending on your needs it could be an |
| 9 |
> increase of security, because you can stop an attacker from injecting |
| 10 |
> malicious code into your kernel (or replace it completely). |
| 11 |
|
| 12 |
I don't think so, I still can replace your bootloader and grab your |
| 13 |
password. If you really think you might need something like this, I |
| 14 |
suggest you put your kernel and bootloader on a USB stick and boot your |
| 15 |
machine from that. When not in use keep the stick on your person. |
| 16 |
|
| 17 |
That still does not protect you from physically tempering with your device. |
| 18 |
|
| 19 |
Anyway, what about one those fancy tin foil hats to protect oneself |
| 20 |
against the governments mind control rays :) |
Archives