On Thu, Nov 04, 2010 at 01:57:23PM +0100, Mario 'BitKoenig' Holbe wrote:
> Heinz Diehl <htd@xxxxxxxxxxxxxxxxx> wrote:
> > On 04.11.2010, Arno Wagner wrote:
> >> Having a not completely encrypted initrd and kernel does
> > How would you boot such a system when initramfs / initrd is encrypted?
>
> Enable your boot-loader to decrypt it. Meanwhile, grub can do this.

One other option is trusted hardware, that can do the initial decryption.

> This somewhat reduces but, of course, not eliminates the trust-problem:
> instead of having to trust your hardware, BIOS, boot-loader, kernel, and
> initramfs, you now have to trust your hardware, BIOS, and boot-loader
> only.

I completely agree. And with trusted hardware, you still have to trust
the hardware. However, there is some (limited) benefit, namely the
earlier in the boot process, the harder it gets for an attacker, i.e.
the more expensive. Also, with good trusted hardware, remote attacks
become infeasible and you have to physically access the hardware. The
same could be done with booting from a write-protected memory stick or
CD/DVD.

In all cases a class vulnerability remains, namely that everything is
open once the system runs. This is one reason why encrypted root is
basically only worthwhile if the attacker _has_ physical access. But in
that case a whole set of new attacks become possible that encryption
does not help against, such as hardware keyloggers, patched BIOSes,
changes to your read-only boot medium, etc.

I doubt that system encryption does help a lot in cases other than when
the complete system gets stolen (laptop). But then normal system
encryption for Windows (e.g. TrueCrypt), and data+tmp+var+swap
encryption for Linux is quite enough.

Side note: The benefit of a chipcard in the scope of disk encryption is
that people who have trouble with passwords do not need to remember
them. I really don't see any other. This can be a valid application,
though.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of "news"
is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt