
Nightmare moving /boot to USB to prevent "Evil Maid" attacks

  • 21-05-2015 10:32am
    #1
    Closed Accounts Posts: 720 ✭✭✭


    Dear all,

    I imagine that many of you, like me use full disk encryption on your devices.

    As you know, one of the drawbacks to this, is that you do need to have an unencrypted boot partition to load the system in the first place. If this can be tampered with by your friendly neighbourhood government stooge, then it may be possible to recover your password (see : Evil Maid attack).

    One solution against this form of attack is to make sure that you put your /boot partition on a removable device such as a USB key. You'd need to plug this in each time you start up your computer, but provided you keep the key on you at all times, then you hugely reduce the chance of someone being able to tamper with /boot in this way.

    To this end, I tried to follow the instructions here without success, so decided to do a clean install of Linux.

    In theory at least, placing /boot on a USB stick for Debian-based Linux is extremely simple... in the setup process, you can just choose manual partitioning and then there is a small drop-down menu to choose the USB stick.

    However, over the past few days I have tried doing this with any number of distros (Debian 6, Debian 8, Linux Mint 17, Linux Mint Debian Edition)... and the system has failed to boot in each case.

    The only time I have managed to get this to work was with Lubuntu 13.10 (Saucy Salamander), which I have now managed to upgrade to a LTS version.

    Aside from feeling that this should be a lot easier(!) I have been wondering if any of you have had the same issue? I didn't do anything different for Lubuntu 13.10, same USB stick and so on but it worked perfectly moving /boot onto the USB whereas it didn't for other versions of Linux...

    Have any of you tried to do this before?
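
An added example, not part of the original post: a shell check to run after boot that confirms /boot really is mounted from a removable disk and not from an internal one. It reads /proc/mounts and the sysfs `removable` flag; the function names are illustrative, and the optional arguments exist only so the check can be pointed at a constructed tree.

```shell
#!/bin/sh
# Added example: report whether /boot is backed by a removable disk.
# Usage: boot_on_removable [MOUNTS_FILE] [SYSFS_ROOT]
# Defaults read the live system (/proc/mounts and /sys).
# Caveat: USB flash sticks normally report removable=1, but USB-attached
# hard disks and SSDs usually report 0 and will be flagged as fixed.
# Sources such as /dev/mapper/* are not resolved and return 2.

# Print the source device of the last mount on the given mount point.
mount_source() {  # $1 = mount point, $2 = mounts file
    awk -v mp="$1" '$2 == mp { src = $1 } END { if (src != "") print src }' "$2"
}

# Print the whole-disk name for a block device name (sdb1 -> sdb), using
# the sysfs layout in which partitions are subdirectories of their disk.
parent_disk() {  # $1 = kernel name, $2 = sysfs root
    if [ -d "$2/block/$1" ]; then echo "$1"; return 0; fi
    for d in "$2"/block/*; do
        if [ -d "$d/$1" ]; then basename "$d"; return 0; fi
    done
    return 1
}

# Return 0 if /boot is on a removable disk, 1 if on a fixed disk,
# 2 if that cannot be determined.
boot_on_removable() {
    mounts=${1:-/proc/mounts}; sys=${2:-/sys}
    src=$(mount_source /boot "$mounts")
    [ -n "$src" ] || { echo "/boot is not a separate mount" >&2; return 2; }
    disk=$(parent_disk "$(basename "$src")" "$sys") || {
        echo "cannot map $src to a disk" >&2; return 2; }
    flag=$(cat "$sys/block/$disk/removable" 2>/dev/null) || return 2
    if [ "$flag" = 1 ]; then
        echo "/boot is on removable disk $disk ($src)"; return 0
    fi
    echo "WARNING: /boot is on fixed disk $disk ($src)"; return 1
}
```

Calling `boot_on_removable` with no arguments checks the running system; a return of 1 means the machine booted with /boot on an internal disk.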


Comments

  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    If your only concern is the unencrypted boot partition, then why not just use a SED?


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Blowfish wrote: »
    If your only concern is the unencrypted boot partition, then why not just use a SED?

    To be honest it's not my only concern, I'd like to use dm-crypt in the long run so the drive just appears to contain random data, but this is a start! :)

    Thank you for the suggestion in any case Blowfish, I'll see if I can work it into the household budget. :-D

