[dm-crypt] encrypted root: prevent / detect tampering with kernel / initrd

Olivier Sessink oliviersessink at gmail.com
Wed Dec 30 00:02:22 CET 2009


Heinz Diehl wrote:
> On 29.12.2009, Arno Wagner wrote: 
> 
>> I don't agree. But you have to think outside of the box and use a
>> separate, uncompromised boot medium that the attacker did not have
>> access to.
> 
> Sorry, but I can't see how this would help. The attacker installs a
> hardware keylogger and just doesn't care.

I don't see the average script kiddie install a hardware keylogger in a 
modern laptop.

If you have an intelligence agency after you, you're screwed anyway. 
They'll use a tempest attack or something, so you won't even notice that 
you gave them your password (I don't have a tempest-proof room in my 
house; perhaps other people have?).

So it's a matter of security management. For highly confidential data 
you need ($$$) a tempest-proof environment with armed guards. For only 
slightly sensitive data, simple disk encryption and some measures 
against script kiddies are usually enough.

Olivier
