On 06/06/2020 21:12, Rich Freeman wrote:
To do this I'm just going to store my keys on the root filesystem so that the systems can be booted without interaction. Obviously if somebody compromises the files with the keys they can decrypt my drives, but this means that I just have to protect a couple of SD cards which contain my root filesystems, instead of worrying about each individual hard drive. The drives themselves end up being much more secure, because the password used to protect each drive is random and long - brute-forcing the password will be no easier than brute-forcing AES itself. This doesn't protect me at all if somebody breaks into my house and steals everything.
On the other hand, if you're always present at boot, stick the keys on a USB that has to be in the laptop when it starts. If that's on your (physical) keyring, chances are it won't be compromised at the same time as the laptop - and hopefully the attacker won't realise it's needed for boot :-)
(yes I know - security through obscurity is bad as your MAIN defence, but a few layers on top of something secure just makes life more of a pain for an attacker :-)
Cheers, Wol