:: [DNG] booting security, encryption…
Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M 
MDidier Kryn at ->
Delete this message
Reply to this message
Author: karl
Date:  
To: dng
Old-Topics: Re: [DNG] About making /boot a mount point
Subject: [DNG] booting security, encryption (Re: About making /boot a mount point)
Didier:
...
>     I wonder if it is usefull to protect the boot process and the OS
> with encryption.

There will always be a layer below which might be hard to secure.
You have some kind of bios, well that can be replaced:
https://libreboot.org/
https://en.wikipedia.org/wiki/Das_U-Boot
but you still have microcode and HW.

> Isn't it enough to protect /home (and /srv) ? Anyway
> I've never tried encrypted filesystems. How would it work to encrypt /home?

Depends on if /home is automatically mounted (the key must be available
on the system somewhere), or if you have to be nearby and present the
encryption key when mounting it.

And, if you do a warm reset, the key is probably available if you scan
the system memory, eg. if you boot some spying program instead of the
kernel.

On a general layer you have:
https://en.wikipedia.org/wiki/Computer_security

Regarding /home, what is the cost for you if
. /home beeing removed, gone missing or becoming currupt ?
. someone else getting a copy of /home ?
If thoose costs are minimal, why bother. If not, fix the larger cost
first.

Regards,
/Karl Hammar


This message was posted to the following mailing lists:
dng
Mailing List Info | Nearby Messages		<-Re: [DNG] /boot or not (was Re: usr-merge)Re: [DNG] /boot or not (was Re: usr-merge)->

Donate to Dyne.org

dyne.org open discussions
administrated by dyne.org hackers		Lurker (version 2.3)