From: Hinnerk van Bruinehsen
Date: Tue, 04 Sep 2012 22:08:38 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
Message-ID: <50465FC6.5050707@fu-berlin.de>
In-Reply-To: <50464CF5.6050309@hadt.biz>

On 04.09.2012 20:48, Michael Hampicke wrote:
>> In theory grub2 is able to open a luks-encrypted volume though
>> it seems to have some disadvantages: you'll need to enter the
>> passphrase (or pass the keyfile) two times, because grub itself
>> needs to decrypt the volume to get the later stages from the
>> encrypted volume and afterwards the decryption in the boot process
>> itself takes place.
>>
>> I can't give any real advice about it though, because I use an
>> unencrypted boot partition. Depending on your needs it could be
>> an increase of security, because you can stop an attacker from
>> injecting malicious code into your kernel (or replace it
>> completely).
>
> I don't think so, I still can replace your bootloader and grab
> your password. If you really think you might need something like
> this, I suggest you put your kernel and bootloader on a USB stick
> and boot your machine from that. When not in use keep the stick on
> your person.
>
> That still does not protect you from physically tampering with your
> device.
>
> Anyway, what about one of those fancy tin foil hats to protect
> oneself against the government's mind control rays :)
>

Ah yes - the aluminium foil deflector beanie (http://zapatopi.net/afdb/)... I just use it when going out of my house or when updating my MindGuard (http://zapatopi.net/mindguard/).

Enough fun - I just wanted to name the possibility because it's there and it wouldn't require you to repartition your drive.
I think it would be an increase in security nonetheless, though you're correct: there are a lot more possible attack vectors, with side channel stuff getting very freaky indeed (i.e. there is an interesting paper about using the gyroscopes of a mobile telephone to make a (>80%) correct guess about the pressed key).
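The trade-off discussed in this thread (an unencrypted /boot lets someone swap the kernel or initramfs, while an encrypted /boot still leaves the bootloader stage itself exposed) is commonly handled on the detection side by keeping a hash manifest of /boot and comparing it before the passphrase is typed. The script below is an added example, not code from this thread or from Gentoo; the directory and manifest paths are hypothetical, and it assumes sha256sum (or shasum) and diffutils are available.

```shell
#!/bin/sh
# Added example, not code from the thread: keep a SHA-256 manifest of an
# unencrypted /boot and compare it before trusting what is there.
# Assumptions (all hypothetical for this demo): sha256sum or shasum is
# installed; callers pass the paths in instead of touching the real /boot.

# Pick an available SHA-256 tool.
hash_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum
    else echo "shasum -a 256"; fi
}

# boot_manifest DIR: print "hash  ./relative/path" for every regular file,
# sorted by path so two manifests of the same tree compare byte-for-byte.
boot_manifest() {
    (cd "$1" && find . -type f -exec $(hash_tool) {} + | LC_ALL=C sort -k2)
}

# boot_check DIR MANIFEST: return 0 when DIR still matches MANIFEST; otherwise
# print the added/removed/changed entries and return 1.
boot_check() {
    tmp=$(mktemp) || return 2
    boot_manifest "$1" > "$tmp"
    if cmp -s "$2" "$tmp"; then
        rm -f "$tmp"; return 0
    fi
    echo "boot_check: $1 differs from $2:"
    diff "$2" "$tmp" | grep '^[<>]'   # '<' = recorded, '>' = now on disk
    rm -f "$tmp"
    return 1
}

# demo: build a constructed fake /boot, record it, modify the kernel
# image, and confirm the check notices. Returns 0 only if both checks behave.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/boot/grub"
    printf 'constructed fake kernel image\n' > "$d/boot/vmlinuz"
    printf 'set root=(hd0,1)\n' > "$d/boot/grub/grub.cfg"
    boot_manifest "$d/boot" > "$d/manifest"
    boot_check "$d/boot" "$d/manifest" >/dev/null || { rm -rf "$d"; return 1; }
    printf 'simulated modification\n' >> "$d/boot/vmlinuz"
    if boot_check "$d/boot" "$d/manifest" >/dev/null; then rm -rf "$d"; return 1; fi
    rm -rf "$d"
    return 0
}
```

It only covers files under the directory it is pointed at; the MBR or firmware stage that loads GRUB is outside its reach, which is exactly the gap Michael points out.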