On Fri, 8 Jan 2010 11:49:35 -0700 Matthew Moore <anonymous.jon...@gmail.com> wrote:
> On Friday January 8 2010 4:41:54 am Sjors van der Pluijm wrote: > > Just found out that /boot should not be in LVM because bootloaders might > > not understand it. /boot unencrypted does not seem to be the end of the > > world. http://tldp.org/HOWTO/LVM-HOWTO/benefitsoflvmsmall.html > > Since we are being paranoid, what happens if the NSA breaks into your home > when you are asleep and installs a hypervisor on your /boot that records your > password/keyfile next time you derypt? This is the "evil maid attack": http://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html > The way that I have heard to prevent this type of attack is to store > checksums > of every file in /boot on the encrypted partition and then verify those > checksums on startup. I don't think that this will work, at least not without considerably more work; the attacker can design the evil bootloader to wipe itself out and replace the original bootloader files before booting the system. Celejar -- foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator mailmin.sourceforge.net - remote access via secure (OpenPGP) email ssuds.sourceforge.net - A Simple Sudoku Solver and Generator -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
