From: "JT Morée" <moreejt@yahoo.com>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] FAQ 2.2 Scenario (1) - clarification concerning "encrypted root"
Date: Sat, 20 Jun 2020 17:26:32 +0000 (UTC) [thread overview]
Message-ID: <800292998.974117.1592673992765@mail.yahoo.com> (raw)
In-Reply-To: <20200620094602.GA16098@tansi.org>
I'm working through a setup right now and documenting at https://sites.google.com/site/jtmoree/knowledge-base/smart-cards-and-linux/kubuntu-20-04
I am using the smartcard to unlock root during the boot process. this is done by the kernel and initrd using out of the box tools and processes.
in this setup /boot is in the clear and I have some ideas for signing the kernel+initrd with the smart card, then verifying on boot. will update the link if I get that working.
JT
On Saturday, June 20, 2020, 2:48:53 AM MST, Arno Wagner <arno@wagner.name> wrote:
On Sat, Jun 20, 2020 at 11:07:32 CEST, d.eltzner@gmx.de wrote:
> Thanks a lot for the clarification!
>
> On 20.06.20 08:10, Arno Wagner wrote:
> > I have a scenario: Put the initrd on USB-stick, remove it after
> > boot and secure the USB-stick physically (safe) when not in use.
> > I actually did that set-up for somebody. This is not perfect either,
> > but makes attacks that rely on manipulating the disk directly a lot
> > harder.
> You mean because the initrd is somewhat safe from manipulation in this
> scenario? Wouldn't you have to do the same for the kernel then?
Yes. The kernel also goes on that stick. Grub does too, if it is
used for booting.
> > But what do you use to unlock it? Something needs to run
> > cryptsetup for that unlocking action.
>
> The Arch way seems to be to do this via the initrd which in a "default"
> setup resides on a dedicated /boot. I figure that might be good enough
> for me then.
Very likely.
Regards,
Arno
>
> Best Wishes
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@saout.de
https://www.saout.de/mailman/listinfo/dm-crypt
next prev parent reply other threads:[~2020-06-20 17:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-19 20:45 [dm-crypt] FAQ 2.2 Scenario (1) - clarification concerning "encrypted root" d.eltzner
2020-06-20 6:10 ` Arno Wagner
2020-06-20 9:07 ` d.eltzner
2020-06-20 9:46 ` Arno Wagner
2020-06-20 17:26 ` JT Morée [this message]
2020-06-20 23:53 ` Arno Wagner
2020-06-21 20:20 ` moreejt
2020-06-22 7:33 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=800292998.974117.1592673992765@mail.yahoo.com \
--to=moreejt@yahoo.com \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox