There is still an elephant in the room. What if someone has physical access to your machine's USB ports, and decides to boot something nasty from it, which in turn modifies the firmware in your system (very likely to be possible due to stupid "consumer-grade" junk like UEFI or OS-flashable BIOS without hardware write protection).
This infected firmware can then scan through any keys that you input, including the USB key disk, and the security of this 'softraid "firewall"' is now compromised. On Thu, 02 Feb 2017 10:43:34 +0800 Tinker <ti...@openmailbox.org> wrote: > On 2017-02-02 10:27, Tinker wrote: > .. > > My motivation here for wanting the boot code on the USB stick, is > > that I trust the USB stick more than my harddrive. > > Motivation: > > What I meant to say here is that I like the notion of the harddrive > as unsecure by definition, so that I only will trust its content > through the "firewall" of the softraid crypto mechanism. > > This is why I'm OK with storing softraid crypto data on the HDD but > not the boot code. > > The only thing, supposedly, that the HDD could do would be to give me > fake partition tables or partition data, and goofy partition data > could only meaningfully amount to a replay attack, so those would be > harmless in both cases. > > So this would (supposedly) cut out the harddrive from the chain of > attack vectors, and that can be an important step in the direction of > security. Of course there is a plethora of security problems in > addition to this one in any computer.
