-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 20/05/15 19:04, Beni wrote: > >> >> Exactly. That is why I recommended against using --unrestricted. >> They can replace your HDD, but the chances of them being able to >> replicate a correct GPG signature is very hard. > > Ah, ok. But there are still two things I don't don't yet fully > understand. > > 1. What I don't understand yet is how you'd get a hard drive to > accept the exact same passphrase I use to unlock my hard drive. If > you don't achieve this I'll notice that you replaced the drive the > second I put in my passphrase and it fails to decrypt the drive. > > 2. What could you achieve by replacing the hard drive? My data is > on the original hard drive. If you replace the drive, you get > basically a new device containing no valuable information. > > Regards, > > Beni I'm talking about protecting the system from being modified in any way, outside of the OS. For instance, by booting another HDD you might be able to re-flash, with firmware that logs keys and stores them for later retrieval. You would not leave your HDD in, you'd put the old one back. Having a password in GRUB (payload) protects against this, making external flashing necessary. Of course, there are also ways to write-protect the flash so that you always have to flash externally, but there are other things that someone can do. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJVYa3SAAoJEP9Ft0z50c+UxkMIALgcn68oqyJ6/38MUYZMaD0L aJABRx776wBpfO9lE8AWcXsVX4HvFCopC75G7W0Td7CmmG90KPXjXb/kjbo8zqZb X8Cly3okkNBp+tKUxKavRfqu0d6e9EfxD5ZNT9Upb6QuT/teHDJq/MwBttiwRXdT 5/9QrPOyx7x4kCq0AV1aSeF1sEPmJMv7K1+uhzfBtP6kkccTw1j8wYmQSeqWmsJR Mg5zgpripes4qsJrLqZb9HO2kurF0yamWIp21A8Lah9mPkUa+5/W3ufbtgckFXVU X5NIbl5pk4np8IoMKcX1tC8zR1LJ6II/Ah5nyKKxFfupV4gsIZlx24TngKn1MSk= =sO2N -----END PGP SIGNATURE-----
