From: Pierre Neidhardt <mail@ambrevar.xyz>
To: Ellen Papsch <ellen.papsch@wine-logistix.de>, guix-devel@gnu.org
Subject: Re: Unencrypted boot with encrypted root
Date: Fri, 03 Apr 2020 18:13:01 +0200 [thread overview]
Message-ID: <87k12wsg36.fsf@ambrevar.xyz> (raw)
In-Reply-To: <17c316adc8485d1f09f70d291cfaad50258c6c1f.camel@wine-logistix.de>
[-- Attachment #1: Type: text/plain, Size: 1534 bytes --]
Ellen Papsch <ellen.papsch@wine-logistix.de> writes:
> leaving /boot unencrypted allows attackers to plant malware relatively
> easy. They can mount the partition without ado and replace the kernel
> with a malicious one.
How can you do that if the root partition is encrypted?
> On a more serious note and to answer your question, unencrypted /boot
> is an option. Another is to have a key file on an external medium. This
> doesn't avoid the second wait. The long wait may be due to --iter-time
> option to cryptsetup luksFormat. I haven't looked what the default is
> in Guix. The Grub decryption code is also purported to be slow [no
> source].
Thanks for the hint, I'll look into it.
> For a long time I personally used root encrypted systems and found the
> hassle not worth it. Encrypting /home and external hard drives should
> cut it. If you suspect the machine has been tampered with, don't boot
> don't touch it. Even the hard disk firmware may have been modified.
My main motivation is that if my laptop gets stolen or lost, I don't want
anyone to access my personal data.
Encrypted /home is fine for this purpose.
By the way, is it possible to use the user password to unlock the $HOME partition?
> Don't think you are in danger of being targeted? Well, you already are!
> Your mail often gets into my spam folder because of "suspicious TLD
> .xyz". That should be very telling ;-))
Yup, this has been a hassle for a while... :(
--
Pierre Neidhardt
https://ambrevar.xyz/
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
next prev parent reply other threads:[~2020-04-03 16:13 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-02 8:59 Unencrypted boot with encrypted root Pierre Neidhardt
2020-04-03 15:32 ` pelzflorian (Florian Pelz)
2020-04-03 15:44 ` Ellen Papsch
2020-04-03 16:13 ` Pierre Neidhardt [this message]
2020-04-03 17:16 ` Ellen Papsch
2020-04-03 19:56 ` Guillaume Le Vaillant
2020-04-04 9:02 ` Pierre Neidhardt
2020-05-17 15:39 ` Pierre Neidhardt
2020-05-20 8:49 ` Guillaume Le Vaillant
2020-05-20 9:42 ` Pierre Neidhardt
2020-04-03 19:44 ` pelzflorian (Florian Pelz)
2020-04-04 8:12 ` Ellen Papsch
2020-04-04 10:18 ` pelzflorian (Florian Pelz)
2020-04-06 12:00 ` Ellen Papsch
2020-04-07 9:46 ` Ludovic Courtès
2020-04-07 11:34 ` Ellen Papsch
2020-04-07 20:19 ` Ludovic Courtès
2020-04-08 12:37 ` Ellen Papsch
2020-04-07 15:05 ` Alex Griffin
2020-04-07 16:47 ` Vagrant Cascadian
2020-04-08 12:25 ` Ellen Papsch
2020-04-08 15:07 ` Alex Griffin
2020-04-08 16:22 ` Vagrant Cascadian
2020-04-08 7:57 ` Pierre Neidhardt
2020-04-08 12:19 ` Alex Griffin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87k12wsg36.fsf@ambrevar.xyz \
--to=mail@ambrevar.xyz \
--cc=ellen.papsch@wine-logistix.de \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.