Message-ID: <50464CF5.6050309@hadt.biz>
Date: Tue, 04 Sep 2012 20:48:21 +0200
From: Michael Hampicke
To: gentoo-user@lists.gentoo.org
Subject: Re: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
In-Reply-To: <50463C4C.6040602@fu-berlin.de>

> In theory grub2 is able to open a luks-encrypted volume though it
> seems to have some disadvantages: you'll need to enter the passphrase
> (or pass the keyfile) two times, because grub itself needs to decrypt
> the volume to get the later stages from the encrypted volume and
> afterwards the decryption in the boot process itself takes place.
>
> I can't give any real advice about it though, because I use an
> unencrypted boot partition. Depending on your needs it could be an
> increase of security, because you can stop an attacker from injecting
> malicious code into your kernel (or replace it completely).

I don't think so, I still can replace your bootloader and grab your
password.

If you really think you might need something like this, I suggest you
put your kernel and bootloader on a USB stick and boot your machine from
that. When not in use keep the stick on your person. That still does not
protect you from physically tampering with your device.

Anyway, what about one of those fancy tin foil hats to protect oneself
against the government's mind control rays :)