19 Jan
2023
19 Jan
'23
2:50 a.m.
Arno Griffioen via TUHS <tuhs(a)tuhs.org> writes:
On Wed, Jan 18, 2023 at 08:38:40AM -0800, Larry McVoy
wrote:
Yes++ ... I did something simular with NetBSD a few years ago. I
booted a removable drive that asked for the passphrase to decrypt the
real root filesystem.. the drive was removed and stored separately from
the laptop when at rest. Today, I don't even need a removable drive any
more, a ramdisk is attached to the kernel and unpacks itself upon boot
and that asks for the passphrase. The root filesystem itself is more or
less completely encrypted. Not quite full end to end, but very close.
All you could really do is destroy the system, which may be good enough
for some, but getting the information off of the encrypted filesystem
would be hard.
--
Brad Spencer - brad(a)anduin.eldar.org - KC8VKS - http://anduin.eldar.org
Someone once told me that if they had physical
access to a Unix box, they
would get root. That has been true forever and it's even more true today,
pull the root disk, mount it on Linux, drop your ssh keys in there or add
a no password root or setuid a shell, whatever, if you can put your hands
on it, you can get in.
Until a few years ago, I would definitely agree. Done that regularly
in the past. (and worked on lots of network gear too...)
However..
Nowadays with a little effort you can make a bootable Linux machine that
uses either a passphrase or some external key/dongle/fingerprint/etc.
to unlock an encrypted root fs and additional filesystems.
If you don't have those credentials, then it's going to be pretty tricky to
access as you simply can't even access any of the encrypted filesystems to
start with.
Yes, you could probably get the initrd booted with a root shell and
then wipe the machine/disk to then do what you want, but the original
install is getting pretty hard to jump into with boot tricks these days.
Bye, Arno.