(Context: a private mail to which I'm replying suggested that full-disk
encryption should be used to make it harder to subvert our infrastructure,
and worried about the use of an unencrypted /boot, since "they" could
insert a keylogger or trojan into the initrd.)

By policy, we use full-disk encryption at my workplace (where full-disk
really means "except the bootloader and /boot"). For a 2-year-old recipe for
it, which I believe still mostly works with grub2, see
http://smcv.pseudorandom.co.uk/2008/09/cryptroot/

Needing an unencrypted /boot just means you have to distrust /boot after you
lose and then regain control of your laptop. The secrets in the encrypted part
are still inaccessible, until or unless you enter your passphrase into the
compromised /boot.

If you assume that "they" haven't tampered with your BIOS or hardware and
put a keylogger *there*, you can fix this situation with full tin-foil-hat
compliance, if you've taken the precaution of having an always-up-to-date
copy of /boot in the encrypted area. To do so, boot from removable media,
access the encrypted area, overwrite the possibly-compromised /boot with the
backup, and reinstall the bootloader and MBR.

    Simon
