[Discuss] encrypted linux systems

Edward Ned Harvey (blu) blu at nedharvey.com
Tue Jan 28 11:44:08 EST 2014


> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Derek Atkins
> 
> Note that this will allow you to encrypt all partitions except your
> /boot partition, 

Also, depending on whether or not you care, this introduces a mode for attack, because the kernel and initial environment can be tampered with in such a way that the user would not notice, and then the user happily types in the password, which gets recorded or communicated, etc.

The same problem is not true if you either (a) use TPM, which performs a checksum on the pre-boot environment and refuses to release the key in the event of tampering (but TPM is primarily used by Windows; I don't know any Linux-based tools that use it), or (b) as suggested, use whole disk encryption such as PGP or TrueCrypt (if TrueCrypt supports Linux now), because the whole disk products must unlock the disk before the kernel or anything can start; hence they're protected from tampering.


