Re: [Libreboot] Password protected Grub entries
From: Robert Alessi
Subject: Re: [Libreboot] Password protected Grub entries
Date: Sun, 24 May 2015 12:36:52 +0200

On Wed, May 20, 2015 at 12:34:34PM +0100, The Gluglug wrote:
> > In my opinion the danger of hard drive replacement is the same as
> > re-flashing the rom.
> >
>
> Exactly. That is why I recommended against using --unrestricted. They
> can replace your HDD, but the chances of them being able to replicate
> a correct GPG signature is very hard.

Very interesting and important thread. I would like to explain the
rationale which is behind the scenario I chose. Any thoughts or
feedback would be much appreciated.

So basically I am never without my X60s wherever I go: for example, I
may use it in the train, in classrooms or in conference rooms, namely
in various crowded places, not to mention airports or railway
stations where footage of everything you do is taken all the time.
Hence the idea that one should never enter any kind of login or
password in such places.

As I have only one fully encrypted partition on my hard drive, here is
how I achieved this:

- grub.cfg:
  - password protected
  - the first two entries have the --unrestricted option, but every
    filesystem in them is identified by its UUID. Since it is
    impossible to edit such an entry without having to enter the
    password, I assume that an attacker is unlikely to boot another OS
    after having replaced the hard drive. I may be wrong though.
    - the first entry boots from a USB key where I have put the
      kernel, and the initramfs which also contains the keyfile which
      unlocks the encrypted partition.
      This way, to boot my system without having to enter any password,
      I just have to keep my USB key plugged in. Of course, I am never
      ever without this USB key; if for some reason I must leave it
      somewhere, I always shred -z -u the initramfs file in it.
    - the second entry accomplishes virtually the same scenario, but
      from the internal drive: this way, I can boot my system by
      entering a passphrase after I snuck into some hiding place.
- login: for the same rationale as above, I chose to use the fingerprint
  reader device. I know that this is insecure, but can't we say that
  typing passwords into our computers is also insecure? And what about
  typing passwords in open spaces with many people all around? To be
  more specific, I only enable fprint authentication when I know that
  I would otherwise have to enter my password under the eyes of other
  people.

With many thanks in anticipation for your feedback!

Robert
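
An added example, not part of the original message or of Libreboot: a Python check over a grub.cfg that reports which menu entries carry --unrestricted, whether any of those name a device by position instead of by UUID, and whether a superuser password and GRUB's check_signatures=enforce are set. The sample configuration (user name, hash, UUIDs) and the helper names audit and weak_entries are constructed for illustration.

```python
import re

# Constructed sample modelled on the layout in the message; the user name,
# hash and UUIDs are placeholders, and entry 2 is deliberately weakened.
SAMPLE_CFG = """\
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER
menuentry 'USB key' --unrestricted {
    search --no-floppy --fs-uuid --set=root 1111-AAAA
    linux /vmlinuz root=UUID=22222222-2222-2222-2222-222222222222
    initrd /initramfs.img
}
menuentry 'Internal drive' --unrestricted {
    cryptomount -u 33333333333333333333333333333333
    linux /boot/vmlinuz root=/dev/sda1
}
menuentry 'Rescue' {
    configfile (usb0)/grub.cfg
}
"""

ENTRY = re.compile(
    r"^[ \t]*menuentry\s+(['\"])(.*?)\1([^{\n]*)\{(.*?)^[ \t]*\}", re.S | re.M)
# Devices named by position (/dev/sda1, (hd0,msdos1)) rather than by UUID.
DEVICE_REF = re.compile(r"/dev/[a-z]+\d*|\((?:hd|usb|ahci|ata)\d+(?:,[^)]*)?\)")

def audit(cfg):
    """Summarise the global protections and each menuentry of a grub.cfg."""
    entries = [{
        "title": m.group(2),
        "unrestricted": "--unrestricted" in m.group(3).split(),
        "device_refs": DEVICE_REF.findall(m.group(4)),
    } for m in ENTRY.finditer(cfg)]
    return {
        "password_protected": bool(re.search(r"^\s*set\s+superusers=", cfg, re.M)),
        "signatures_enforced": bool(
            re.search(r"^\s*set\s+check_signatures=enforce\b", cfg, re.M)),
        "entries": entries,
    }

def weak_entries(report):
    """Entries bootable without the password that are not pinned to a UUID."""
    return [e["title"] for e in report["entries"]
            if e["unrestricted"] and e["device_refs"]]

if __name__ == "__main__":
    report = audit(SAMPLE_CFG)
    print(report["password_protected"], report["signatures_enforced"])
    print("review:", weak_entries(report))
```
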