Thanks a lot for the clarification!

On 20.06.20 08:10, Arno Wagner wrote:
> I have a scenario: Put the initrd on USB-stick, remove it after
> boot and secure the USB-stick physically (safe) when not in use.
> I actually did that set-up for somebody. This is not perfect either,
> but makes attacks that rely on manipulating the disk directly a lot
> harder.

You mean because the initrd is somewhat safe from manipulation in this scenario? Wouldn't you have to do the same for the kernel then?

> But what do you use to unlock it? Something needs to run
> cryptsetup for that unlocking action.

The Arch way seems to be to do this via the initrd which in a "default" setup resides on a dedicated /boot. I figure that might be good enough for me then.

Best Wishes

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt