On Tue, Feb 04, 2025 at 12:18:10AM -0800, Loren M. Lang wrote:
> On Mon, Feb 03, 2025 at 10:39:25PM +0000, Automætic wrote:
> > Hi,
> >
> > I'm configuring a new Debian installation on my workstation, with both the
> > /boot partition and the root filesystem encrypted:
> > - /dev/nvme0n1p1 -> /EFI
> > - /dev/nvme0n1p2 -> LUKS2 (pbkdf2) -> /boot
> > - /dev/nvme0n1p3 -> LUKS2 -> LVM containing root and other volumes
> >
> > The system boots, but requires entering the /boot password twice:
> > Once for GRUB, and once again during systemd initialization.
>
> I think the solution is to not encrypt the /boot partition. That
> partition shouldn't contain anything sensitive on it anyways [...]

That's what I do currently, but to be fair, this exposes you to
someone replacing your boot kit by something else (which could,
for example, record your passphrase and pass it on).

This can also, of course, be mitigated by some secure boot schema
(provided you control your BIOS -- most of the time it's someone
else, anyway ;-)

This has been known by the (somewhat sexist) term "Evil Maid
Attack" [1]. It all depends on the threat model(s) you start
from.

Cheers

[1] https://en.wikipedia.org/wiki/Evil_Maid_attack

-- 
t