On 04/27/2015 12:43 AM, The Gluglug wrote:
> On 21/03/15 07:49, Beni Keller wrote:
>> Hey all,
>>
>> I followed this tutorial to get Trisquel on full disc encryption:
>>
>> http://libreboot.org/docs/gnulinux/encrypted_trisquel.html
>>
>> The problem now was that every time I boot I had to enter three
>> passwords. The Grub password first and then twice the encryption
>> password. So to reduce this to two passwords, I figured I don't
>> have to password protect the Grub entry that boots Trisquel on the
>> encrypted partition, since password protection should only keep
>> someone from booting my laptop from usb. So I edited the menu entry
>> in grub.cfg like this:
>>
>> menuentry 'Load Operating System' --unrestricted { ...
>>
>> So my question: Is there a reason this isn't included in the
>> tutorial? Did I somehow weaken the security of my system doing
>> this? If so, what's the possible attack that's prevented by
>> password protecting every grub entry?
>>
>> Thanks,
>>
>> Beni
>
> Press E on that menuentry, then modify stuff, and press F10. Does it
> work without entering a password? If so, then someone could boot USB.
>

No, all this does is allow booting said entry without a password. To boot any other entry or to modify any entry you need the password. I don't see any way to boot from USB. (Unless you remove the hard drive and replace it with a similarly configured USB drive. But that won't help, because grub will already fail to decrypt this drive with your passphrase. So there is no way to intercept the passphrase.)
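
The access rules discussed in this thread, as an added example that is not part of the original messages: a small Python audit that reads a grub.cfg and reports, per menu entry, who may boot it and who may edit it when `superusers` is set. The sample configuration is constructed; only the 'Load Operating System' entry line comes from the thread, and the other entry titles, the user `alice` and the password hash placeholder are assumptions.

```python
import re

# Constructed sample grub.cfg (not from the thread); the hash is a placeholder.
SAMPLE_CFG = '''
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
menuentry 'Load Operating System' --unrestricted {
    cryptomount -a
}
menuentry 'Boot configuration from USB' {
    configfile (usb0)/grub.cfg
}
menuentry 'Maintenance entry' --users alice {
    configfile (ahci0,1)/grub.cfg
}
'''

ENTRY_RE = re.compile(r"""^\s*menuentry\s+(['"])(.*?)\1(.*?)\{""", re.M)
SUPER_RE = re.compile(r"^\s*set\s+superusers=", re.M)

def audit(cfg):
    """Return {title: (who_may_boot, who_may_edit)} for each menuentry."""
    restricted = SUPER_RE.search(cfg) is not None
    result = {}
    for _quote, title, opts in ENTRY_RE.findall(cfg):
        if not restricted:
            # superusers is not set: GRUB enforces no authentication at all.
            result[title] = ("anyone", "anyone")
        elif "--unrestricted" in opts.split():
            # Boots without a password; editing (E) still needs a superuser.
            result[title] = ("anyone", "superusers")
        else:
            # Default with superusers set: superusers only, plus any --users list.
            users = re.search(r"--users\s+(\S+)", opts)
            names = users.group(1).strip("\"'") if users else ""
            boot = "superusers+" + names if names else "superusers"
            result[title] = (boot, "superusers")
    return result

if __name__ == "__main__":
    for title, (boot, edit) in audit(SAMPLE_CFG).items():
        print(f"{title!r}: boot={boot}, edit={edit}")
```
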
