[10:48] Morning peoples, critters and everything else [14:40] Anyone booting with /boot on an encrypted partition? [14:57] ahoy [15:25] ChinnoDog: I do [15:25] Wait [15:25] I have [15:25] I don't anymore because it was a pita and not worth it [15:25] because chances are nothing on /boot is /that/ important anyway [15:28] jthan: I think the idea behind encrypting /boot is to protect the OS area, ie: if I get ahold of your computer and you haven't gotten /boot encrypted, I could muck with the environment itself [15:29] but if / is still encrypted [15:29] your data is protected still [15:29] until I give you a bad kernel? [15:29] That and it is annoying to randomly run out of space on /boot [15:29] What's a bad kernel going to do? [15:29] Also if you use btrfs snapshots and root is a separate partition then reverting to a previous snapshot will not revert your kernel [15:29] ugh don't use btrfs yet. lol [15:30] In any case, what do you have to do to get grub to boot from your encrypted partition? [15:30] I think the problem is that it won't load cryptodisk because running "ls" at the grub prompt doesn't show they decrypted block device [15:31] ChinnoDog: linux /vmlinuz-linux root=UUID=f3a0f99b-56ac-495b-98e1-2ec2c160b008 rw cryptdevice=/dev/sda2:cryptroot quiet [15:32] however it depends which method to encrypt it in the first place you used [15:32] That is the boot string but it doesn't seem to work when I enable cryptodisk in /etc/defaults/grub [15:32] icey: You can give me a bad kernel but my data is still safe and that's more important to me. [15:33] jthan: until you boot my malicious thing and get your data that way? [15:33] icey: your malicious thing is still going to decrypt my /? [15:33] ChinnoDog: jonathan@karma:~$ cat /etc/default/grub | grep -i crypt [15:33] GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:cryptroot" [15:33] Did that [15:33] that's all I've got [15:33] hmm [15:33] and it Just Works(TM) [15:33] jthan: ideally, you don't know it's malicious and you decrypt it yourself ;-) [15:34] icey: Yeah, but if someone had their hands on my laptop the last thing I'm going to do is log in. However, I'm curious if you're referring to a specific exploit or have done this [15:34] I tried to do it with Ubuntu 16.04 at install. Chrooted to disk after installation and made those modifications but it doesn't work. I guess I will have to debug it further. [15:35] I always setup my partitioning and encrypted volumes and then install [15:35] idk how flexible the Ubuntu installer is [15:35] jthan: haven't, just considering the theoretical reason for encrypted /boot; do you mean that you would reformat the device if somebody else had unrestricted access to your machine for ...say 10 minutes? [15:35] jthan: What if a boot sector virus patches your /boot before grub loads? [15:35] icey: nobody would, first of all. But second of all, what's low level enough that you're going to be able to use entirely system calls that will send you my password [15:35] Which, btw, is a one-use password [15:35] I just think you're proposing something that isn't actually plausible. [15:36] jthan: how do you encrypt the device with an OTP? [15:36] Not "one time" [15:36] I said one use [15:36] it's the only place that password is used. [15:36] ah, cool [15:36] So you could get it, but unless you're on my laptop again it's a no go [15:36] but I also VERY highly doubt anyone would be on my laptop without me sitting there [15:37] and if they were, I'm dead and no longer care, but still encourage anyone to try. [15:37] There are a lot of measures in place on $worklaptop to protect me and my data [17:03] icey: there are boot-time verifiers that attempt to mitigate evil maid attacks as well, i.e. https://github.com/grazzolini/mkinitcpio-chkcryptoboot === r00t^2_ is now known as r00t^2