Re: Booting encrypted drive from another device

2016-06-22 Thread lists
> attacking the hardware or firmware is hard while attacking the > bootloader is easy Until software is abused in unintended ways to give access to firmware. Remember a computer virus that bricked many mainboards in the late '90s and the response and solution the industry provided to that?

Re: Booting encrypted drive from another device

2016-06-22 Thread lists
> Ted Unangst: > > If an adversary gains possession of your hard drive and gives it > > back to you, throw it away. > > li...@wrant.com: > > The advice Ted gives is much more than simply correct, it can > > further be extended to "do NOT accept electronics from people > > you can't accept in

Re: Booting encrypted drive from another device

2016-06-22 Thread Ivan Markin
Ted Unangst: > If an adversary gains possession of your hard drive and gives it back to you, > throw it away. li...@wrant.com: > The advice Ted gives is much more than simply correct, it can further > be extended to "do NOT accept electronics from people you don't know": Now think about the

Re: Booting encrypted drive from another device

2016-06-22 Thread lists
> If an adversary gains possession of your hard drive and gives it back > to you, throw it away. The advice Ted gives is much more than simply correct, it can further be extended to "do NOT accept electronics from people you don't know": OHM2013 Hard disks: More than just block devices

Re: Booting encrypted drive from another device

2016-06-22 Thread Theodoros
It doesn't have to be always thrown away. After some thinking, it could make a good entrapment technique. 1) create an unencrypted /boot volume and save a healthy offline (usb?) backup you can use for comparison 2) hashcheck (from a usb-boot environment) and then boot normally the system if

Re: Booting encrypted drive from another device

2016-06-22 Thread Ted Unangst
Theodoros wrote: > Fair point! > It would make it more complicated for an adversary, but not impossible. If an adversary gains possession of your hard drive and gives it back to you, throw it away.

Re: Booting encrypted drive from another device

2016-06-21 Thread Theodoros
Fair point! It would make it more complicated for an adversary, but not impossible. On 21 June 2016 at 10:36, ludovic coues wrote: > 2016-06-21 9:27 GMT+02:00 Theodoros : >> Well TPM is a closed hardware-bound system that does this before boot >> (as

Re: Booting encrypted drive from another device

2016-06-21 Thread ludovic coues
2016-06-21 9:27 GMT+02:00 Theodoros : > Well TPM is a closed hardware-bound system that does this before boot > (as far as I know). I was asking more for an open (software) system > for doing so post-boot. > sha512 /boot If you do it post-boot, you're screwed. If attacker

Re: Booting encrypted drive from another device

2016-06-21 Thread Theodoros
Well TPM is a closed hardware-bound system that does this before boot (as far as I know). I was asking more for an open (software) system for doing so post-boot. On 21 June 2016 at 10:23, Peter Hessler wrote: > fwiw, this is literately the point of TPM. > > > On 2016 Jun 21

Re: Booting encrypted drive from another device

2016-06-21 Thread Peter Hessler
fwiw, this is literally the point of TPM. On 2016 Jun 21 (Tue) at 10:19:21 +0300 (+0300), Theodoros wrote: :Could someone trust a bootloader by e.g. having an aide-like system on :boot, confirming its authenticity as part of the boot process? : :Please share your thoughts. : : : :On 20 June

Re: Booting encrypted drive from another device

2016-06-21 Thread Theodoros
Could someone trust a bootloader by e.g. having an aide-like system on boot, confirming its authenticity as part of the boot process? Please share your thoughts. On 20 June 2016 at 14:36, Ivan Markin wrote: > Bodie: >> What is that security reason worth of not using default
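Theodoros asks above for an aide-like check of the bootloader, and further up proposes the concrete procedure: keep an offline copy of the unencrypted boot slice, hash-check it from a USB boot environment, and only then boot the installed system. The script below is an added example of that check; it is not code from the thread or from OpenBSD. It assumes a POSIX sh with mktemp(1), dd(1) and either OpenBSD's sha512(1) or GNU sha512sum, and the function names, the manifest file name and the device paths in the comments are hypothetical. It covers both what the aide-like question asks for (a manifest of every file under the boot tree) and the raw boot blocks that no file-level tool sees.

```sh
#!/bin/sh
# Added example (not from the thread): manifest-based integrity check of an
# unencrypted boot slice, meant to be run from a trusted USB boot environment
# BEFORE the installed bootloader is ever executed. Running it after booting
# from the suspect drive proves nothing, since the kernel doing the checking
# may already be the attacker's.
#
# Assumptions: POSIX sh; sha512sum (GNU) or sha512 -q (OpenBSD); mktemp; dd.
# Function and file names are hypothetical.

# Digest of stdin, one hex string. Uses whichever SHA-512 tool is installed.
hash_data() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum | cut -d' ' -f1
    else
        sha512 -q            # OpenBSD sha512(1): -q prints only the digest
    fi
}

# Digest of one file.
hash_file() {
    hash_data < "$1"
}

# Digest of the first $2 512-byte sectors of $1. Catches changes to the
# partition boot record / first-stage loader, which live outside any file.
# Example (assumed OpenBSD naming): hash_raw_blocks /dev/rsd0c 1
hash_raw_blocks() {
    dd if="$1" bs=512 count="$2" 2>/dev/null | hash_data
}

# build_manifest DIR OUT: write "<sha512>  <relative path>" for every regular
# file under DIR into OUT, sorted so two manifests of the same tree are
# byte-identical. Run this once on the known-good tree and keep OUT on the
# trusted USB key, never on the drive being checked.
build_manifest() (
    out=$2
    case $out in /*) ;; *) out=$PWD/$out ;; esac   # keep OUT valid after cd
    cd "$1" || return 2
    find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done > "$out"
)

# verify_manifest DIR MANIFEST: rebuild the manifest for DIR and diff it
# against the stored one. Returns 0 if identical. Because the whole tree is
# re-hashed, a modified file shows as a changed line, a deleted file as a
# "<" line and an attacker's extra file (e.g. a dropped-in module) as a
# ">" line in the diff output.
verify_manifest() {
    vm_cur=$(mktemp) || return 2
    build_manifest "$1" "$vm_cur" || { rm -f "$vm_cur"; return 2; }
    if diff "$2" "$vm_cur"; then
        vm_rc=0
    else
        vm_rc=1
    fi
    rm -f "$vm_cur"
    return $vm_rc
}

# Intended use from the USB environment (paths assumed, not from the thread):
#   mount -r /dev/sd0a /mnt                      # boot slice, read-only
#   build_manifest /mnt /usbkey/boot.sha512      # once, on the trusted tree
#   verify_manifest /mnt /usbkey/boot.sha512 && hash_raw_blocks /dev/rsd0c 1
# and compare the raw-block digest with one recorded the same way earlier.
```

The check only reports tampering with the boot slice and its boot blocks; it cannot see firmware, and it trusts the USB environment and the tools on it, which is the trust root the rest of the thread argues can only be pushed down into hardware (TPM) or avoided by not reusing the drive at all.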

Re: Booting encrypted drive from another device

2016-06-20 Thread chohag
Bodie writes: > access then you are screwed. It is just matter of your importance to > attacker if it will be sooner or later. You briefly touch on it here > Attacks on CEO level mentioned in post they have already laptop > made in China and there is plenty of examples how HW is screwed up >

Re: Booting encrypted drive from another device

2016-06-20 Thread Bodie
On 20.06.2016 13:39, bootcr...@openmailbox.org wrote: On 20.06.2016 13:00, bootcr...@openmailbox.org wrote: Hello! I have recently decided to use full disk encryption on my openbsd boxes. I've managed to do so and it's working, however for security reasons I want to boot them from another

Re: Booting encrypted drive from another device

2016-06-20 Thread bootcrypt
On 20.06.2016 13:00, bootcr...@openmailbox.org wrote: Hello! I have recently decided to use full disk encryption on my openbsd boxes. I've managed to do so and it's working, however for security reasons I want to boot them from another drive. What is that security reason worth of not using

Re: Booting encrypted drive from another device

2016-06-20 Thread Ivan Markin
Bodie: > What is that security reason worth of not using default full disk > encryption? Have a look at e.g. Evil Maid Attack [1]. One may want to bear a trusted bootloader with themselves and leave raw full-encrypted drive in some 'hostile' environment. [1]

Re: Booting encrypted drive from another device

2016-06-20 Thread bootcrypt
On 2016-06-20 14:14, Stefan Sperling wrote: On Mon, Jun 20, 2016 at 02:00:20PM +0300, bootcr...@openmailbox.org wrote: Hello! I have recently decided to use full disk encryption on my openbsd boxes. I've managed to do so and it's working, however for security reasons I want to boot them

Re: Booting encrypted drive from another device

2016-06-20 Thread Bodie
On 20.06.2016 13:00, bootcr...@openmailbox.org wrote: Hello! I have recently decided to use full disk encryption on my openbsd boxes. I've managed to do so and it's working, however for security reasons I want to boot them from another drive. What is that security reason worth of not using

Re: Booting encrypted drive from another device

2016-06-20 Thread Stefan Sperling
On Mon, Jun 20, 2016 at 02:00:20PM +0300, bootcr...@openmailbox.org wrote: > Hello! > > I have recently decided to use full disk encryption on my openbsd boxes. > > I've managed to do so and it's working, however for security reasons I want > to boot them from > another drive. > > Example: > I

Booting encrypted drive from another device

2016-06-20 Thread bootcrypt
Hello! I have recently decided to use full disk encryption on my openbsd boxes. I've managed to do so and it's working, however for security reasons I want to boot them from another drive. Example: I have computer with encrypted hard-drive(wd0). To boot it, I want to insert a USB-flash