On 21/11/2015 1:59 PM, David Christensen wrote:
> On 11/20/2015 01:04 AM, Pascal Hambourg wrote:
>> Anyone with physical access can do whatever they want. You can
>> set up restrictions in the BIOS or set restrictions in the boot
>> loader, but they still can take the disk out and read or modify
>> it with another machine.
>>
>> To protect against this you can use encryption or set up a
>> password on the disk (ATA security functions). Note that
>> encryption alone does not protect against tampering, as the boot
>> part cannot be encrypted.
>
> As I understand it, self-encrypting drives (SED) encrypt
> everything (including the boot partition).

You can do full disk encryption, but you are right that you need
something to "boot" ... my solution is to use dropbear which offers
an ssh login via an authorized key; once I'm logged in to that
mini-environment, I then unlock LUKS volumes and go forward from
there.

Dropbear saves me from needing physical access to a keyboard on the
server and negates the need for BIOS involvement.

Kind Regards
AndrewM
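
An added example, not part of the original message: a shell check for the authorized_keys file of a dropbear pre-boot environment like the one described above, flagging keys that are not limited to the unlock task. The required option set, the forced-command policy and the helper path are assumptions, and the keys are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit the authorized_keys file
# that is copied into the initramfs for dropbear.
# Assumed policy: forwarding disabled and a forced command on every key.
REQUIRED_OPTS="no-port-forwarding no-agent-forwarding no-X11-forwarding"

# audit_unlock_keys FILE: print one finding per line; return 1 if any, else 0.
audit_unlock_keys() {
    bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        # Everything before the key-type token is the options field (may be empty).
        opts=$(printf '%s\n' "$line" | sed -E \
            's/(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+)[[:space:]].*$//')
        for opt in $REQUIRED_OPTS; do
            case $opts in
                *"$opt"*) ;;
                *) echo "line $n: missing $opt"; bad=1 ;;
            esac
        done
        case $opts in
            *'command="'*) ;;
            *) echo "line $n: no forced command"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Constructed sample: the key material below is a placeholder, not a real key.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# unrestricted key: full shell plus forwarding inside the pre-boot environment
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLY0000000000000000000000000000000 admin@laptop
# restricted key: can only run the unlock helper (hypothetical path)
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/unlock-helper" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLY1111111111111111111111111111111 admin@laptop
EOF
audit_unlock_keys "$sample" || true
rm -f "$sample"
```

The check matters here because the initramfs sits on the unencrypted boot part mentioned earlier in the thread, so whatever an accepted key is allowed to do runs before the LUKS volumes are unlocked.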