Re: Password and key

[Andrei Borzenkov]

В Wed, 27 Aug 2014 13:29:17 +0200
"Garreau\, Alexandre" <address@hidden> пишет:

> Hello, I’m trying to set up a secure —the most I can— X60t with
> libreboot on it and GRUB as a payload. GNUtoo recommended me to set a
> password to GRUB to stop potential attacker to execute any code on the
> machine that could reflash the SPI chip, and then to encrypt the
> *entire* disk and decrypt it with GRUB only.
> 
> I can see his GRUB configuration on Parabola wiki, here:
> <https://wiki.parabolagnulinux.org/User:GNUtoo/laptop#Coreboot_Setup>. But
> I don’t understand what are “cryptdevice” or “cryptkey” args…
> 

They are unrelated to grub and interpreted by initrd of your
distribution.

> Also, he found a way to integrate the decryption key in the initramfs of
> Parabola so that he only has to enter it within GRUB, and not again
> while boot. I’d have two questions:
> 
> a) since I don’t know yet how to put the key in the Debian initramfs, is
> there a way to pass it as an argument to Linux instead? so that it’s
> more portable and I only have to set up correctly GRUB and not have to
> remember modifying the distro I install?
> 

Again - you have to ask your distribution. OTOH having key in plain
text (or even reversible encryption) laying on your disk somehow
defeats its purpose ...

> b) is there a way to set up the GRUB password and decryption key the
> same so that the GRUB password can be used by cryptomount so that I only
> enter one password once?
> 

Unfortunately, no - user authentication and cryptomount are not passing
any information. Could be idea for next release.

> Thanks for any help ^^

signature.asc
Description: PGP signature