Quite frankly, I doubt this increases security significantly. An attacker could just manipulate the grub image and pretend to do decryption while really loading a compromised kernel. It would also be possible to patch grub so that it runs a kernel-patcher after decryption and before starting the kernel. I think both options are not really more difficult than patching an unencrypted kernel.

The bottom line is still that if an attacker has access and then you continue to use your computer, you are screwed. Disk encryption only protects you if you know that the attacker had access, e.g. when your laptop is stolen. If you do not realize an attacker had access, anything is possible.

Arno

On Tue, Aug 23, 2011 at 11:14:06AM +0200, Olivier Sessink wrote:
> Hi all,
>
> There seems to be some support for dm-crypt in grub, such that you
> can store the kernel in the encrypted volume, and only have grub
> unencrypted. This makes the attack vector a lot smaller, however, it
> is unclear to me if there is any development on this subject. For
> example passing the password in a safe way from grub to the kernel
> might be useful to make such a solution acceptable for end users.
>
> Is there news on this development?
>
> Olivier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
>

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
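Arno's point is that the unencrypted part of the boot chain (the grub image, and anything it loads) can be modified by anyone with physical access, and that the real defence is knowing that such access happened. One practical check that follows from that is an integrity manifest of the unencrypted boot files, compared against a copy kept somewhere the attacker cannot reach. The script below is an added example written for this thread, not code from either poster or from the grub or dm-crypt projects; it works on a constructed temporary directory standing in for a boot partition, and the file names in it (vmlinuz, grub/core.img) are illustrative assumptions.

```python
"""Integrity manifest for an unencrypted boot directory.

Added example, not from the mailing-list thread. The sample boot tree
below is constructed in a temporary directory; real use would point
`build_manifest` at the mounted boot partition and keep the resulting
manifest on removable media or another machine.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large kernel images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under `root` (relative POSIX path) to its SHA-256."""
    manifest = {}
    for entry in sorted(root.rglob("*")):
        # Skip directories and symlinks; a symlink's target lives elsewhere.
        if entry.is_file() and not entry.is_symlink():
            manifest[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return manifest


def verify_manifest(root: Path, expected: dict) -> dict:
    """Compare the current tree with a saved manifest.

    Returns three sorted lists: files whose content changed, files that
    disappeared, and files that were not in the manifest at all (for
    example an extra grub module dropped into the boot directory).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in expected if k in current and current[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in current),
        "unexpected": sorted(k for k in current if k not in expected),
    }


def demo() -> dict:
    """Build a constructed boot tree, snapshot it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp)
        (boot / "grub").mkdir()
        # Constructed stand-ins for a kernel image and the grub core image.
        (boot / "vmlinuz").write_bytes(b"constructed kernel image")
        (boot / "grub" / "core.img").write_bytes(b"constructed grub core image")

        manifest = build_manifest(boot)
        # An untouched tree verifies clean.
        assert verify_manifest(boot, manifest) == {"modified": [], "missing": [], "unexpected": []}

        # Simulate the three kinds of change the check is meant to surface.
        (boot / "grub" / "core.img").write_bytes(b"altered grub core image")
        (boot / "grub" / "extra.mod").write_bytes(b"file not in manifest")
        (boot / "vmlinuz").unlink()

        return verify_manifest(boot, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest is only useful if the attacker cannot rewrite it alongside the boot files, so it has to live off the machine (or be signed with a key that is not on the machine), and it has to be checked from a system you trust rather than from the possibly modified installation itself. It also says nothing about firmware or anything below the boot partition; it narrows the window Arno describes, it does not close it.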