On 29.12.2009, Arno Wagner wrote:

> I don't agree. But you have to think outside of the box and use a
> separate, uncompromised boot medium that the attacker did not have
> access to.

Sorry, but I can't see how this would help. The attacker installs a hardware keylogger and just doesn't care.

It's a matter of concept: before a security solution is implemented, a risk analysis has to be done. To have /boot on an external medium or to store checksums of the unencrypted files on a CD/DVD/stick is fine, as long as the risk it carries is accepted, along with the worst-case scenario under given circumstances. It's up to the operator.

For total security, the machine is regarded as compromised if access to it has ever been granted. As a last consequence, it's impossible to detect if the machine has been tampered with.

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
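The "checksums of the unencrypted files on a CD/DVD/stick" approach mentioned above, as an added example (not code from the dm-crypt list or its authors): a reference manifest of /boot is taken while the machine is trusted, kept on separate read-only media, and compared against the live files before unlocking the encrypted root. The file names, contents and the tampering scenario are constructed for the demo; as the post notes, this detects modified boot files only, not a hardware keylogger.

```python
"""Detect changes to unencrypted boot files against a trusted manifest.
Added example; paths and contents below are constructed, not real."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(reference: dict, current: dict):
    """Return (modified, added, missing) file lists relative to the trusted reference."""
    modified = sorted(p for p in reference if p in current and reference[p] != current[p])
    added = sorted(set(current) - set(reference))
    missing = sorted(set(reference) - set(current))
    return modified, added, missing


def demo():
    """Constructed scenario: baseline a fake /boot, then alter it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"
        (boot / "grub").mkdir(parents=True)
        (boot / "vmlinuz").write_bytes(b"constructed kernel image")
        (boot / "initrd.img").write_bytes(b"constructed initramfs")
        (boot / "grub" / "grub.cfg").write_text("linux /vmlinuz root=/dev/mapper/root\n")
        # In practice this manifest would be written to the external, read-only medium.
        reference = build_manifest(boot)
        # Simulated tampering while the machine was unattended:
        (boot / "initrd.img").write_bytes(b"constructed initramfs, altered")
        (boot / "grub" / "extra.mod").write_bytes(b"constructed unexpected module")
        (boot / "grub" / "grub.cfg").unlink()
        return compare_manifests(reference, build_manifest(boot))


if __name__ == "__main__":
    modified, added, missing = demo()
    print("modified:", modified, "added:", added, "missing:", missing)
```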