Hi.

On Tue, Dec 26, 2017 at 11:36:13AM +0100, to...@tuxteam.de wrote:
> On Tue, Dec 26, 2017 at 10:42:46AM +0100, Pascal Hambourg wrote:
> > On 26/12/2017 at 02:47, microsoft gaofei wrote:
> > >https://wiki.archlinux.org/index.php/GRUB#Boot_partition
> > >ArchWiki has carried an introduction of GRUB, it offers a feature to
> > >decrypt your partitions and you don't need to separate /boot. Debian also
> > >uses GRUB as its boot loader, but Debian still separates /boot partition
> > >and leaves it unencrypted
> > [...]
>
> > Note however that in any case, the early part of GRUB cannot be
> > encrypted [...]
>
> Is there any inherent advantage to having /boot encrypted?

Presumably it should help with a scenario such as [1].
But, as [2] shows us, the protection that's offered by encrypted boot is
incomplete as it relies on the fact that the bootloader (GRUB) was not
touched.

[1] http://searchsecurity.techtarget.com/definition/evil-maid-attack
[2] https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html

Reco