Remove mention of encrypted boot #1850

Merged
merged 1 commit into from
Oct 22, 2022

@dngray (Member) commented Oct 22, 2022

Closes: #1514

I'm not a fan of encrypted boot, or of suggesting it, for a number of reasons.

  1. It's slow, as decryption happens without acceleration features like AES-NI, SSE, etc.
  2. Only LUKS1 is supported unless you use a patch/development branch. That means compiling it yourself; this is not likely to be compatible with distribution upgrades.
  3. It doesn't relate to privacy; private data is not stored in /boot.
  4. It does not provide authentication, i.e. any form of tamper protection, i.e. if the content of /boot is in any way predictable, an attacker can modify the volume to contain whatever they want.
  5. Better off would be to write a TPM guide that uses systemd-cryptenroll, and later systemd-measure. Use TPM to make measurements a requirement now for Windows 11. For more info about that see "Utilization of TPM with PIN systemd-cryptenroll" #1855.

See "Summary of Resources and their Protections" of https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html
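
The LUKS1-only limitation in point 2 of the comment above can be checked for a given volume by reading the format version from its header. This is an added example, not code from the pull request or the Privacy Guides project: it parses the fixed binary part of a LUKS1 or LUKS2 primary header, the sample headers are constructed, and the `grub_release_can_unlock` field only restates the comment's claim as an assumption.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"  # primary-header magic shared by LUKS1 and LUKS2

def _cstr(raw):
    """Decode a NUL-padded fixed-width header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_luks_header(buf):
    """Parse the fixed binary part of a LUKS1 or LUKS2 primary header."""
    if len(buf) < 8 or buf[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS primary-header magic")
    version = struct.unpack(">H", buf[6:8])[0]
    if version == 1:
        if len(buf) < 208:
            raise ValueError("truncated LUKS1 header")
        # cipher-name[32], cipher-mode[32], hash-spec[32], payload-offset, key-bytes
        name, mode, hash_spec, payload, key_bytes = struct.unpack(">32s32s32sII", buf[8:112])
        info = {"cipher": _cstr(name) + "-" + _cstr(mode), "hash": _cstr(hash_spec),
                "payload_sector": payload, "key_bits": key_bytes * 8}
    elif version == 2:
        if len(buf) < 264:
            raise ValueError("truncated LUKS2 header")
        # hdr_size (binary + JSON area), seqid, label[48]; ciphers live in the JSON area
        hdr_size, seqid, label = struct.unpack(">QQ48s", buf[8:72])
        info = {"hdr_size": hdr_size, "seqid": seqid, "label": _cstr(label)}
    else:
        raise ValueError("unknown LUKS version %d" % version)
    # The UUID field sits at offset 168 in both formats.
    info.update(version=version, uuid=_cstr(buf[168:208]))
    # Assumption: restates point 2 of the comment (October 2022), not verified against GRUB.
    info["grub_release_can_unlock"] = (version == 1)
    return info

# Constructed sample headers (not taken from any real disk).
SAMPLE_LUKS1 = struct.pack(
    ">6sH32s32s32sII20s32sI40s", LUKS_MAGIC, 1, b"aes", b"xts-plain64",
    b"sha256", 4096, 64, b"", b"", 1000, b"constructed-uuid-1")
SAMPLE_LUKS2 = struct.pack(
    ">6sHQQ48s32s64s40s48sQ", LUKS_MAGIC, 2, 16384, 3, b"boot",
    b"sha256", b"", b"constructed-uuid-2", b"", 0)

if __name__ == "__main__":
    for sample in (SAMPLE_LUKS1, SAMPLE_LUKS2):
        print(parse_luks_header(sample))
```

To inspect a real volume, pass the first 4096 bytes of the block device or a header backup file to `parse_luks_header`.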

github-actions bot commented Oct 22, 2022

🎊 PR Preview 0a98bcb has been successfully built and deployed to https://privacyguides-privacyguides-org-preview-pr-1850.surge.sh

🕐 Build time: 71.107s

🤖 By surge-preview

@dngray dngray force-pushed the pr-remove_encrypted_boot branch from 5fdb9bf to 0a98bcb Compare October 22, 2022 07:06
@blacklight447 (Member) left a comment
Looks good

@dngray dngray merged commit 0a98bcb into main Oct 22, 2022
@dngray dngray deleted the pr-remove_encrypted_boot branch October 22, 2022 07:39
@privacyguides-bot (Collaborator)

This pull request has been mentioned on Privacy Guides. There might be relevant details there:

https://discuss.privacyguides.net/t/v2-28/8091/1

IkelAtomig pushed a commit to IkelAtomig/privacyguides.org that referenced this pull request Nov 11, 2022
IkelAtomig pushed a commit to IkelAtomig/privacyguides.org that referenced this pull request Nov 13, 2022
Successfully merging this pull request may close these issues.

Check LUKS2 Encrypted boot