> I think it's impossible to create trusted bootloader which would not be > affected > by physical attacks, see here: > > http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html > > Thus even bootloader would be able to open softraid crypto device, it could > be > tampered. > > I'm going to create a usb stick with minimal installation on which I will > carry checksums > of files in '/' and I'm going to scan '/' for tampered files before "normal" > boot. > I do not know any better solution. I don't know if there can be some other > shit which > could somehow get my passphrase for softraid (bios, mbr...)? Is it > theoretically > possible?
I think a hard disk should be crypt with Deniability. When you boot from CD or usb-stick and dislocate them, no one should be able to proof that the disk is crypt. I am not an expert in this, so please correct me if I am wrong, this scenario is attackable from bios side, or if the attacker reads the key from memory (i.e. just booting with a minimal system from CD...) Also I read about cooling and removing the ram to read the key :D How to proof your bios? wassent there just last weeks a big company in the IT news with mallware in their bios? I don't know if it make sense/is possible, but why dont build a system where the keys are stored in that part of the ram, which is used by the bios when booting from cd or usb? So that a least a part of the key will overwritten during every boot. That the attacker is forced to remove ram or bios. Andreas
