Re: recovering from compromised keys

2010-09-24 Thread Toni Mueller
Hi, On Thu, 23.09.2010 at 15:13:06 +0100, Simon McVittie wrote: > Needing an unencrypted /boot just means you have to distrust /boot after you > lose and then regain control of your laptop. this probably means that you have to do this every time you've set the device aside, or after you wake up

Re: recovering from compromised keys

2010-09-24 Thread Paul Wise
On Fri, Sep 24, 2010 at 3:11 PM, Roland Mas wrote: > Could that be mitigated by the kernel maybe?  Like, it could wipe the > part(s) of the RAM where the key is stored before actually shutting > down the host. For the hibernate case, probably yes. -- bye, pabs http://wiki.debian.org/PaulWise

Re: recovering from compromised keys

2010-09-24 Thread Roland Mas
Paul Wise, 2010-09-24 10:49:21 +0800 : > On 9/24/10, Simon McVittie wrote: > >> Suspend-to-RAM also works, but is obviously not secure against attackers >> waking up the laptop and exploiting some bug in a locked screensaver, or >> remote access, or whatever. > > Don't forget about folks using co

Re: recovering from compromised keys

2010-09-23 Thread Paul Wise
On 9/24/10, Simon McVittie wrote: > Suspend-to-RAM also works, but is obviously not secure against attackers > waking up the laptop and exploiting some bug in a locked screensaver, or > remote access, or whatever. Don't forget about folks using cold boot attacks to grab your key from RAM. I also

Re: recovering from compromised keys

2010-09-23 Thread Simon McVittie
On Thu, 23 Sep 2010 at 17:31:39 +0200, Roland Mas wrote: > Indeed. My current setup is that sda1 is small, unencrypted and holds > /boot only. sda2 is the whole rest of the hard disk, and it's mapped to > a LUKS device used as a physical volume for LVM, and there are several > LVs on there, inclu

Re: recovering from compromised keys

2010-09-23 Thread Roland Mas
Mike Hommey, 2010-09-23 17:14:01 +0200 : > On Thu, Sep 23, 2010 at 11:50:26PM +0900, Osamu Aoki wrote: >> On Thu, Sep 23, 2010 at 03:13:06PM +0100, Simon McVittie wrote: >> ... >> > By policy, we use full-disk encryption at my workplace (where full-disk >> > really means "except the bootloader and

Re: recovering from compromised keys

2010-09-23 Thread Mike Hommey
On Thu, Sep 23, 2010 at 11:50:26PM +0900, Osamu Aoki wrote: > On Thu, Sep 23, 2010 at 03:13:06PM +0100, Simon McVittie wrote: > ... > > By policy, we use full-disk encryption at my workplace (where full-disk > > really means "except the bootloader and /boot"). For a 2-year-old recipe for > > it, wh

Re: recovering from compromised keys

2010-09-23 Thread Osamu Aoki
On Thu, Sep 23, 2010 at 03:13:06PM +0100, Simon McVittie wrote: ... > By policy, we use full-disk encryption at my workplace (where full-disk > really means "except the bootloader and /boot"). For a 2-year-old recipe for > it, which I believe still mostly works with grub2, see > http://smcv.pseudor

Re: recovering from compromised keys

2010-09-23 Thread Simon McVittie
(Context: a private mail to which I'm replying suggested that full-disk encryption should be used to make it harder to subvert our infrastructure, and worried about the use of an unencrypted /boot, since "they" could insert a keylogger or trojan into the initrd.) By policy, we use full-disk encryp