[dm-crypt] encrypted root: prevent / detect tampering with kernel / initrd
Olivier Sessink
oliviersessink at gmail.com
Wed Dec 30 00:02:22 CET 2009
Heinz Diehl wrote:
> On 29.12.2009, Arno Wagner wrote:
>
>> I don't agree. But you have to think outside of the box and use a
>> separate, uncompromised boot medium that the attacker did not have
>> access to.
>
> Sorry, but I can't see how this would help. The attacker installs a
> hardware keylogger and just doesn't care.
I don't see the average script kiddie install a hardware keylogger in a
modern laptop.
If you have an intelligence agency after you, you're screwed anyway.
They'll use a tempest attack or something so you won't even notice that
you gave them your password (I don't have a tempest proof room in my
house, perhaps other people have?).
So it's a matter of security management. For highly confidential data
you need ($$$) a tempest proof environment with armed guards. For only
slightly sensitive data, simple disk encryption and some measures
against script kiddies are usually enough.
Olivier