Re: FAQ 2.2 Scenario (1) - clarification concerning "encrypted root"

I'm working through a setup right now and documenting at https://sites.google.com/site/jtmoree/knowledge-base/smart-cards-and-linux/kubuntu-20-04

I am using the smartcard to unlock root during the boot process. This is done by the kernel and initrd using out-of-the-box tools and processes.

In this setup /boot is in the clear, and I have some ideas for signing the kernel+initrd with the smart card, then verifying on boot. Will update the link if I get that working.

JT
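An added example, not JT's script and not taken from the linked write-up: a POSIX shell sketch of the "verify on boot" half of the idea above. The file names vmlinuz and initrd.img, the manifest name boot.sha256 and a GNU coreutils sha256sum are assumptions; the manifest is meant to be produced at install time and signed with the smart card as a detached OpenPGP signature (boot.sha256.sig), and that signature is only checked here when gpg and the .sig file are both present, which assumes the verifying keyring is already set up.

```shell
#!/bin/sh
# Added example (not JT's or Arno's code). Checks the boot images against a
# manifest before the real boot continues. File names are assumptions.

# make_manifest DIR OUT: record sha256 of the boot images in DIR into OUT.
# In a real setup this runs once at install/update time, and OUT is then
# signed with the smart card: gpg --detach-sign OUT  (produces OUT.sig)
make_manifest() {
    dir="$1"; out="$2"
    (cd "$dir" && sha256sum vmlinuz initrd.img) > "$out"
}

# verify_boot_images MANIFEST DIR: returns 0 only if the manifest exists,
# its signature (when present) verifies, and every listed image matches.
# Any missing file, mismatch or malformed manifest line is a failure.
verify_boot_images() {
    manifest="$1"; dir="$2"
    [ -f "$manifest" ] || return 1
    # Detached signature made with the smart card. Checked only if both gpg
    # and the .sig are present; a deployment should treat a missing .sig as
    # a failure rather than skip this step.
    if [ -f "$manifest.sig" ] && command -v gpg >/dev/null 2>&1; then
        gpg --batch --quiet --verify "$manifest.sig" "$manifest" \
            >/dev/null 2>&1 || return 1
    fi
    # --strict: malformed lines fail; --status: exit code only, no output
    (cd "$dir" && sha256sum --check --strict --status "$manifest") || return 1
}

# demo_verify: constructed stand-ins for the kernel and initrd in a scratch
# directory; prints "ok fail" (intact images pass, a tampered initrd fails).
demo_verify() {
    tmp=$(mktemp -d)
    printf 'constructed kernel bytes\n' > "$tmp/vmlinuz"
    printf 'constructed initrd bytes\n' > "$tmp/initrd.img"
    make_manifest "$tmp" "$tmp/boot.sha256"
    verify_boot_images "$tmp/boot.sha256" "$tmp" && first=ok || first=fail
    # simulate an offline modification of the unencrypted initrd
    printf 'tampered\n' >> "$tmp/initrd.img"
    verify_boot_images "$tmp/boot.sha256" "$tmp" && second=ok || second=fail
    rm -rf "$tmp"
    printf '%s %s\n' "$first" "$second"
}

demo_verify
```

The check only means something if the code doing the checking, and the key it trusts, cannot be altered together with the images on the same unencrypted /boot; that is the gap Arno's quoted scenario below closes by keeping the kernel, initrd and Grub on a USB stick that is removed after boot, and it is why the decision should fail closed rather than fall back to an unverified boot.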
On Saturday, June 20, 2020, 2:48:53 AM MST, Arno Wagner <arno@xxxxxxxxxxx> wrote: 
On Sat, Jun 20, 2020 at 11:07:32 CEST, d.eltzner@xxxxxx wrote:
> Thanks a lot for the clarification!
> 
> On 20.06.20 08:10, Arno Wagner wrote:
> > I have a scenario: Put the initrd on USB-stick, remove it after
> > boot and secure the USB-stick physically (safe) when not in use.
> > I actually did that set-up for somebody. This is not perfect either, 
> > but makes attacks that rely on manipulating the disk directly a lot 
> > harder.
> You mean because the initrd is somewhat safe from manipulation in this
> scenario? Wouldn't you have to do the same for the kernel then?

Yes. The kernel also goes on that stick. Grub does too, if it is
used for booting.

> > But what do you use to unlock it? Something needs to run 
> > cryptsetup for that unlocking action.
> 
> The Arch way seems to be to do this via the initrd which in a "default"
> setup resides on a dedicated /boot. I figure that might be good enough
> for me then.

Very likely.

Regards,
Arno

> 
> Best Wishes
> 
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> https://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,    Dr. sc. techn., Dipl. Inform.,    Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt