On 2014/03/06 09:15, Damien Miller wrote: > On Wed, 5 Mar 2014, Stuart Henderson wrote: > > > What are you trying to protect against? > > > > If somebody has physical access, they can presumably replace the > > kernel/initramfs with a trojanned version ... > > It protects against stolen machines, but not active attacks. > > Our cryptoraid doesn't protect against active attacks either - the > attacker can replace the bootloader with something that phishes your > password. The closest we could get to fixing that would be to use the > TPM on some x86 systems, but there are ways around that too... > > -d >
If that's the use case, then a custom rc script or ramdisk kernel that lets you ssh in, unlock most of the disk, and start other daemons might be enough.. If it's desirable to protect /etc, the majority of files in there could be copied over to ramdisk after mounting (or a partition on the protected disk could be mounted over the minimal /etc)..