[dm-crypt] unlocking dm-crypt from grub - kernel in crypted volume

Arno Wagner arno at wagner.name
Tue Aug 23 15:05:08 CEST 2011

Quite frankly, I doubt this increases security significantly.

An attacker could just manipulate the grub image and pretend to
do decryption while really loading a compromised kernel. 
It would also be possible to patch grub so that it runs a 
kernel-patcher after decryption and before starting the kernel.

I think both options are not really more difficult than
patching a not encrypted kernel.

The bottom line is still that if an attacker has access and 
then you continue to use your computer, you are screwed.
Disk encryption only protects you if you know that the
attacker had access, e.g. when your laptop is stolen. If
you do not realize an attacker had access, anything is 


On Tue, Aug 23, 2011 at 11:14:06AM +0200, Olivier Sessink wrote:
> Hi all,
> There seems to be some support for dm-crypt in grub, such that you
> can store the kernel in the encrypted volume, and only have grub
> unencrypted. This makes the attack vector a lot smaller, however, it
> is unclear to me if there is any development on this subject. For
> example passing the password in a safe way from grub to the kernel
> might be useful to make such a solution acceptable for end users.
> Is there news on this development?
> Olivier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 
