Date: Sat, 20 Jun 2020 11:46:02 +0200
From: Arno Wagner
Message-ID: <20200620094602.GA16098@tansi.org>
References: <455a1ea8-550c-9259-3a6c-7a945b3b005e@gmx.de> <20200620061031.GA13611@tansi.org> <8b38a6cf-3b39-9c08-2b0f-d3a3a22f1352@gmx.de>
In-Reply-To: <8b38a6cf-3b39-9c08-2b0f-d3a3a22f1352@gmx.de>
Subject: Re: [dm-crypt] FAQ 2.2 Scenario (1) - clarification concerning "encrypted root"
To: dm-crypt@saout.de

On Sat, Jun 20, 2020 at 11:07:32 CEST, d.eltzner@gmx.de wrote:
> Thanks a lot for the clarification!
>
> On 20.06.20 08:10, Arno Wagner wrote:
> > I have a scenario: Put the initrd on USB-stick, remove it after
> > boot and secure the USB-stick physically (safe) when not in use.
> > I actually did that set-up for somebody. This is not perfect either,
> > but makes attacks that rely on manipulating the disk directly a lot
> > harder.
> You mean because the initrd is somewhat safe from manipulation in this
> scenario? Wouldn't you have to do the same for the kernel then?

Yes. The kernel also goes on that stick. Grub does too, if it is used
for booting.

> > But what do you use to unlock it? Something needs to run
> > cryptsetup for that unlocking action.
>
> The Arch way seems to be to do this via the initrd which in a "default"
> setup resides on a dedicated /boot. I figure that might be good enough
> for me then.

Very likely.

Regards,
Arno

> > Best Wishes
> >
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of "news"
is "something that hardly ever happens." -- Bruce Schneier
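An added example, not part of the thread above and not cryptsetup's own tooling: a POSIX shell check for the removable-boot-stick setup Arno describes, which records SHA-256 hashes of the kernel, initrd and bootloader files on the stick and later verifies that nothing was altered, removed or added. The manifest path and boot directory layout are assumptions; the manifest is meant to live inside the encrypted root, not on the stick.

```shell
#!/bin/sh
# Constructed example for the "initrd, kernel and grub on a USB stick"
# scenario: detect manipulation of the unencrypted boot files.
# Requires GNU coreutils sha256sum and find (assumed available).

# make_manifest BOOTDIR MANIFEST
# Hash every regular file under BOOTDIR (the mounted stick) and write
# the sorted list to MANIFEST, which should be kept on the encrypted root.
make_manifest() {
    bootdir=$1
    manifest=$2
    ( cd "$bootdir" && find . -type f -exec sha256sum {} + ) \
        | LC_ALL=C sort -k2 > "$manifest"
}

# verify_manifest BOOTDIR MANIFEST
# Returns 0 only when every listed file still has the recorded hash and
# no file has been added (a tampered initrd may also arrive as a new file).
verify_manifest() {
    bootdir=$1
    manifest=$2
    status=0
    # Changed or missing files fail sha256sum -c.
    if ! ( cd "$bootdir" && sha256sum --quiet -c "$manifest" ) >/dev/null 2>&1; then
        status=1
    fi
    # Compare the current file list with the recorded one to catch additions.
    current=$( cd "$bootdir" && find . -type f | LC_ALL=C sort )
    listed=$( awk '{print $2}' "$manifest" | LC_ALL=C sort )
    if [ "$current" != "$listed" ]; then
        status=1
    fi
    return $status
}
```

Run make_manifest once after the stick is prepared and verify_manifest after each unlock, before trusting the booted system further.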