On Sat, Jun 20, 2020 at 11:07:32 CEST, d.eltzner@xxxxxx wrote: > Thanks a lot for the clarification! > > On 20.06.20 08:10, Arno Wagner wrote: > > I have a scenario: Put the initrd on USB-stick, remove it after > > boot and secure the USB-stick physically (safe) when not in use. > > I actually did that set-up for somebody. This is not perfect either, > > but makes attacks that rely on manipulating the disk directly a lot > > harder. > You mean because the initrd is somewhat safe from manipulation in this > scenario? Wouldn't you have to do the same for the kernel then? Yes. The kernel also goes on that stick. Grub does too, if it is used for booting. > > But what do you use to unlock it? Something needs to run > > cryptsetup for that unlocking action. > > The Arch way seems to be to do this via the initrd which in a "default" > setup resides on a dedicated /boot. I figure that might be good enough > for me then. Very likely. Regards, Arno > > Best Wishes > > > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > https://www.saout.de/mailman/listinfo/dm-crypt -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx https://www.saout.de/mailman/listinfo/dm-crypt
