From: Pierre Neidhardt
Subject: Re: Unencrypted boot with encrypted root
Date: Fri, 03 Apr 2020 18:13:01 +0200
To: Ellen Papsch, guix-devel@gnu.org
Message-ID: <87k12wsg36.fsf@ambrevar.xyz>
In-Reply-To: <17c316adc8485d1f09f70d291cfaad50258c6c1f.camel@wine-logistix.de>
List: Guix-devel (Development of GNU Guix and the GNU System distribution)

Ellen Papsch writes:

> leaving /boot unencrypted allows attackers to plant malware relatively
> easily. They can mount the partition without ado and replace the kernel
> with a malicious one.

How can you do that if the root partition is encrypted?

> On a more serious note and to answer your question, unencrypted /boot
> is an option. Another is to have a key file on an external medium. This
> doesn't avoid the second wait. The long wait may be due to --iter-time
> option to cryptsetup luksFormat. I haven't looked at what the default is
> in Guix. The Grub decryption code is also purported to be slow [no
> source].

Thanks for the hint, I'll look into it.

> For a long time I personally used root encrypted systems and found the
> hassle not worth it. Encrypting /home and external hard drives should
> cut it. If you suspect the machine has been tampered with, don't boot,
> don't touch it. Even the hard disk firmware may have been modified.

My main motivation is that if my laptop gets stolen or lost, I don't want
anyone to access my personal data. Encrypted /home is fine for this purpose.

By the way, is it possible to use the user password to unlock the $HOME
partition?

> Don't think you are in danger of being targeted? Well, you already are!
> Your mail often gets into my spam folder because of "suspicious TLD
> .xyz". That should be very telling ;-))

Yup, this has been a hassle for a while... :(

-- 
Pierre Neidhardt
https://ambrevar.xyz/
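As an added example (not code from the thread or from Guix itself), a Guix operating-system fragment for the layout Ellen describes as an option: the root file system sits in a LUKS container that the initrd opens once, while /boot stays unencrypted so GRUB never has to decrypt anything. It assumes a current Guix on an EFI machine; the UUIDs, host name, timezone and locale are placeholders.

```scheme
(use-modules (gnu))

;; The LUKS container holding the root file system.  The UUID is a
;; placeholder: substitute the real one (e.g. from `cryptsetup luksUUID`).
(define %cryptroot
  (mapped-device
   (source (uuid "00000000-0000-0000-0000-000000000000"))
   (target "cryptroot")
   (type luks-device-mapping)))

(operating-system
  (host-name "laptop")          ; placeholder
  (timezone "Europe/Paris")     ; placeholder
  (locale "en_US.utf8")

  ;; GRUB is installed on the plain ESP and reads kernel, initrd and
  ;; grub.cfg from the unencrypted /boot, so it never unlocks LUKS and
  ;; the passphrase is asked only once, by the initrd.  The trade-off
  ;; raised in the thread: nothing on /boot is covered by the encryption.
  (bootloader (bootloader-configuration
               (bootloader grub-efi-bootloader)
               (targets (list "/boot/efi"))))

  (mapped-devices (list %cryptroot))

  (file-systems
   (append
    (list
     ;; Encrypted root, mounted from the opened mapping.
     (file-system
       (mount-point "/")
       (device "/dev/mapper/cryptroot")
       (type "ext4")
       (dependencies (list %cryptroot)))
     ;; Unencrypted /boot on its own partition.  Placeholder UUID.
     (file-system
       (mount-point "/boot")
       (device (uuid "11111111-1111-1111-1111-111111111111"))
       (type "ext4"))
     ;; EFI system partition.  Placeholder UUID.
     (file-system
       (mount-point "/boot/efi")
       (device (uuid "1234-ABCD" 'fat32))
       (type "vfat")))
    %base-file-systems))

  (services %base-services))
```

Only the root mapping carries a passphrase prompt here; /home is not a separate encrypted volume in this fragment, so the user-password question raised in the message is left open.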