Re: FAQ 2.2 Scenario (1) - clarification concerning "encrypted root"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Jun 20, 2020 at 11:07:32 CEST, d.eltzner@xxxxxx wrote:
> Thanks a lot for the clarification!
> 
> On 20.06.20 08:10, Arno Wagner wrote:
> > I have a scenario: Put the initrd on USB-stick, remove it after
> > boot and secure the USB-stick physically (safe) when not in use.
> > I actually did that set-up for somebody. This is not perfect either, 
> > but makes attacks that rely on manipulating the disk directly a lot 
> > harder.
> You mean because the initrd is somewhat safe from manipulation in this
> scenario? Wouldn't you have to do the same for the kernel then?

Yes. The kernel also goes on that stick. Grub does too, if it is
used for booting.
 
> > But what do you use to unlock it? Something needs to run 
> > cryptsetup for that unlocking action.
> 
> The Arch way seems to be to do this via the initrd which in a "default"
> setup resides on a dedicated /boot. I figure that might be good enough
> for me then.

Very likely.

Regards,
Arno

> 
> Best Wishes
> 
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> https://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt



[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux