[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Libreboot] Password protected Grub entries
|
From: |
Beni |
|
Subject: |
Re: [Libreboot] Password protected Grub entries |
|
Date: |
Mon, 27 Apr 2015 06:47:51 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.6.0 |
On 04/27/2015 12:43 AM, The Gluglug wrote:
>
>
> On 21/03/15 07:49, Beni Keller wrote:
>> Hey all,
>
>> I followed this tutorial to get Trisquel on full disc encryption:
>
>> http://libreboot.org/docs/gnulinux/encrypted_trisquel.html
>
>> The problem now was that every time I boot I had to enter three
>> passwords. The Grub password first and then twice the encryption
>> password. So to reduce this to two passwords, I figured I don't
>> have to password protect the Grub entry that boots Trisquel on the
>> encrypted partition, since password protection should only keep
>> someone from booting my laptop from usb. So I edited the menu entry
>> in grub.cfg like this:
>
>
>> menuentry 'Load Operating System' --unrestricted { ...
>
>
>> So my question: Is there a reason this isn't included in the
>> tutorial? Did I somehow weaken the security of my system doing
>> this? If so, what's the possible attack that's prevented by
>> password protecting every grub entry?
>
>> Thanks,
>
>> Beni
>
>
> Press E on that menuentry, then modify stuff, and press F10. Does it
> work without entering a password? If so, then someone could boot USB.
>
No, all this does is allowing to boot said entry without a password. To
boot any other entry or to modify any entry you need the password. I
don't see any way to boot from USB. (Unless you remove the hard drive
and replace it with similarly configured USB drive. But that won't help
because already grub will fail to decrypt this drive with your
passphrase. So there is no way to intercept the passphrase.)