There are several ways to protect a system:
a) firmware password - could only get rid by replacing the chip or spi flash (desktop systems in a 2nd visit: easy, laptops: very time consuming), often simpler: usb adapter for hdd. for extreme good hackers: modifiy uefi...
b) hdd password - if the implemention is right pretty save, maybe attackable in case of suspend as the firmware needs to be able to send it back to drive. very fast way to secure self encrypting ssds
c) hdd encryption, this can be done the "normal" way with uncrypted boot or with just grub unencrypted, like:
if you don't store the key onto the encrypted drive you have to enter it twice, but the most secure way. with uefi you need an extra boot partition or you use a small bootloader like gummiboot and store the linux kernel+initrd on the efi partition. would be as insecure as a normal boot partition because you can modify the initrd and place your own code in it. if you are able to replace the cryptsetup file you can do anything you want later like send the pw to you or store it in the boot partition. basically you could add a check script that validates the kernel+initrd after boot to show if the system got compromised. I saw example codes for that, better don't follow those instructions and be creative, but then you should exchange the pw really fast and reinstall, you lost if somebody is waiting outside for this to happen.
Btw. don't forget you can modify keyboards, record wireless keyboard data and lots of other things...
a) firmware password - could only get rid by replacing the chip or spi flash (desktop systems in a 2nd visit: easy, laptops: very time consuming), often simpler: usb adapter for hdd. for extreme good hackers: modifiy uefi...
b) hdd password - if the implemention is right pretty save, maybe attackable in case of suspend as the firmware needs to be able to send it back to drive. very fast way to secure self encrypting ssds
c) hdd encryption, this can be done the "normal" way with uncrypted boot or with just grub unencrypted, like:
if you don't store the key onto the encrypted drive you have to enter it twice, but the most secure way. with uefi you need an extra boot partition or you use a small bootloader like gummiboot and store the linux kernel+initrd on the efi partition. would be as insecure as a normal boot partition because you can modify the initrd and place your own code in it. if you are able to replace the cryptsetup file you can do anything you want later like send the pw to you or store it in the boot partition. basically you could add a check script that validates the kernel+initrd after boot to show if the system got compromised. I saw example codes for that, better don't follow those instructions and be creative, but then you should exchange the pw really fast and reinstall, you lost if somebody is waiting outside for this to happen.
Btw. don't forget you can modify keyboards, record wireless keyboard data and lots of other things...
Comment