On 02/16/2017 02:17 AM, j...@vfemail.net wrote:
Thanks for answering, but I still have some questions:

(In any case, I will use a passphrase for AEM.)

1) Is there a difference between using a USB drive or using an
internal partition? (except for having a second device in the case of a USB
drive)

Yes. You should keep your AEM boot with you on a separate device. If you
don't, an attacker could see your secret phrase by booting the system.

But isn't this the reason I am using a password?
The AEM data is protected by my AEM password.
After entering it, it is used to decrypt my secret and (somehow) check the
system integrity.
If this fails, my AEM password is burned.
In case it succeeds, I enter my LUKS password and the system data is encrypted.
At least this is how I understood it.

Actually, you're right... I didn't see your mention of the passphrase earlier. It's good that you're reading the material so carefully!

Even so, there is some risk associated with leaving the boot partition on the internal drive. An altered boot partition could prompt for the SRK phrase and then send your response over Wi-Fi or other signal. This could be made to look like a glitch---computer reboots after prompt, etc.



This is also important if you want AEM to warn you after a /remote/
(non-Evil Maid) attack has affected your BIOS.

How does this work?

It's automatic. Just using AEM gives you 'protection' (i.e. warnings) for some remote attacks. It's not comprehensive, but IMO still valuable.


3) Is unhiding my USB devices only required during AEM setup? (I guess
so, but I thought I would ask)

I think you refer to the option that suppresses USB devices during boot.

I refer to this (https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README, lines 110-120):

"
Note: If you choose to use a USB device (e.g., a flash drive) as your AEM
device
and you previously created a USB qube, then you may have to unhide your USB
controller from dom0:

  1. Open the file `/etc/default/grub` in dom0.
  2. Find the line that begins with `GRUB_CMDLINE_LINUX`.
  3. If present, remove `rd.qubes.hide_all_usb` from that line.
  4. Save and close the file.
  5. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
  6. Reboot.
"
Here you unhide the USB controller so it is accessible from dom0.

Yes, IIRC the reason to do this is so AEM can read the secret file on the USB drive during each boot.


3) Is unhiding my USB devices only required during AEM setup? (I guess
so, but I thought I would ask)

I think you refer to the option that suppresses USB devices during boot.
This should be turned off when booting AEM (not just installing) from a
USB stick so the verification sequence can read the secret from the USB
stick.

This is not mentioned anywhere in the documentation. I think it should be.

It could use some explanation as to 'why'.

Chris
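As an added illustration of the README steps quoted in this thread (the grub edit that removes `rd.qubes.hide_all_usb` from `GRUB_CMDLINE_LINUX`), here is a small POSIX shell script that performs step 3 of that procedure mechanically and checks the result. It is example code written for this page, not code from the qubes-antievilmaid project or from anyone in the thread; the function names are its own, and the grub file it edits is a constructed sample standing in for dom0's `/etc/default/grub`. It does not run `grub2-mkconfig` (step 5) or reboot (step 6).

```shell
#!/bin/sh
# Added example: remove the rd.qubes.hide_all_usb token from the
# GRUB_CMDLINE_LINUX line of a /etc/default/grub-style file, leaving every
# other kernel option and every other line alone. Not project code;
# function names and the sample file below are this example's own.
set -eu

# Filter: read a grub defaults file on stdin, write it back with the token
# removed from the GRUB_CMDLINE_LINUX= line (GRUB_CMDLINE_LINUX_DEFAULT is
# deliberately left untouched, matching the README's "line that begins with
# GRUB_CMDLINE_LINUX"). Works whether the token is first, last, in the middle
# of the quoted value, or the only option in it.
unhide_usb_line() {
    sed -E '/^GRUB_CMDLINE_LINUX=/{
        s/[[:space:]]*rd\.qubes\.hide_all_usb([[:space:]]|")/\1/g
        s/="[[:space:]]+/="/
    }'
}

# Exit 0 if the file still hides USB controllers from dom0 at boot.
usb_hidden_in() {
    grep -Eq '^GRUB_CMDLINE_LINUX=.*rd\.qubes\.hide_all_usb' "$1"
}

# Rewrite a file in place, keeping a .bak copy, and print the resulting line
# so the change can be reviewed before grub2-mkconfig is run.
unhide_usb_in_file() {
    cp -p "$1" "$1.bak"
    unhide_usb_line < "$1.bak" > "$1"
    grep '^GRUB_CMDLINE_LINUX=' "$1"
}

# Constructed sample standing in for dom0's /etc/default/grub.
sample=$(mktemp)
cat > "$sample" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="quiet rd.qubes.hide_all_usb rhgb"
GRUB_CMDLINE_LINUX_DEFAULT="splash"
EOF

if usb_hidden_in "$sample"; then
    echo "before: USB controllers hidden from dom0 at boot"
fi
unhide_usb_in_file "$sample"        # prints GRUB_CMDLINE_LINUX="quiet rhgb"
if ! usb_hidden_in "$sample"; then
    echo "after: dom0 will see USB controllers at boot; rerun grub2-mkconfig"
fi
rm -f "$sample" "$sample.bak"
```

The `usb_hidden_in` check is the useful part for a defender: `rd.qubes.hide_all_usb` is what keeps dom0 from binding USB controllers at boot when a USB qube is in use, so once it is gone, dom0 is exposed to whatever is plugged in at boot time. Running the check after the edit (and again after any later `grub2-mkconfig`) makes that trade-off explicit rather than something discovered by accident.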
