On 2016-11-19 11:54, Andrew David Wong wrote:
On 2016-11-16 13:31, Fred wrote:
A good time to ask if Qubes encrypts /boot in its LUKS setup. I've not
checked myself.
By default, Qubes does not encrypt /boot. Traditionally, that's because
doing so would render the system unbootable. However, that's no longer
true with newer versions of GRUB, which are now capable of booting from
encrypted block devices. So, it's worth considering for Qubes. Tracking:
https://github.com/QubesOS/qubes-issues/issues/2442
Yup. I know these days GRUB supports LUKS and things like mdadm, LVM etc
so the days are hopefully gone when people need to worry about the
position of /boot on disk or which esoterica are required to boot (and
any initrd issues).
I guess the bigger question is if it actually provides any real added
protection? Someone can still re-install GRUB by booting from other
media and reinstalling GRUB. If the authenticity of /boot can also be
verified then maybe it does? But once physical access is gained the game
is over I guess?