Well, the way it works in Linux is that a user-space program in the initrd (which is the initial rootfs) will ask for the password to unlock the LUKS-encrypted rootfs, and then the initrd will mount the real rootfs at that point.
Since I have a physical trusted copy of that initrd with the kernel and bootloader, that is safe.
DD-ing the whole drive is something I assumed Secure Boot doesn't protect against, as someone could remove the drive and do the same. Even if the drive, eMMC or flash is soldered to the board, there's some way to get to it (desolder, JTAG pins, etc.).