I’m setting up FDE and wonder which one is better: “LVM over LUKS” or “LUKS over LVM”? Or something else? Is one definitely better than the other? What are your preferences?

Thanks.

  • umami_wasabi@lemmy.ml (OP) · edited · 7 months ago

    For Secure Boot bypasses, I could only find that BlackLotus is the only one capable of doing this. I would like more details to support the claim “Secure Boot has been hacked in a minute.” Also, I would like an explanation of how Secure Boot is a false sense of security, and points to support such a claim, as BlackLotus is the only publicly known malware to bypass Secure Boot.

    However, I do firmly believe that there is no reason that servers can’t use FDE, as they are no different from other typical computers.

    EDIT: forgot the “boot” for secure boot

    • NaN@lemmy.sdf.org · edited · 7 months ago

      I think people tend to get hung up on where you store the key material for a server. Hardware tokens and TPMs are two options that are less secure, but network-bound disk encryption is supported as well, as is a combination. So you could have it require the network key as well as the matching PCRs from the TPM for the proper software load before it will unseal.
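      One way to express the “network key plus matching PCRs” unlock described above, as an added example (not the commenter’s own setup) using Clevis with a Tang pin and a TPM2 pin under a Shamir threshold of 2, shown beside the weaker TPM-only policy; the Tang URL is a placeholder and the choice of PCR 7 (Secure Boot policy measurement) is an assumption:

```shell
#!/bin/sh
# Added example, not from the thread. Builds Clevis unlock policies for a LUKS volume.
# Assumes a Tang server at a placeholder URL and that PCR 7 reflects Secure Boot state.

# Weak policy: TPM2 pin alone, no PCR binding. Whoever holds the hardware can
# unseal the key, which is the "if I steal the server I have the token" case.
clevis_tpm_only_policy() {
    printf '{}'
}

# Hardened policy: Shamir secret sharing with threshold 2 over 2 pins, so the
# volume only unlocks when the Tang server on the trusted network answers AND
# the TPM2 unseals against the expected PCR values (default: PCR 7).
clevis_sss_policy() {
    tang_url=$1
    pcr_ids=${2:-7}
    printf '{"t":2,"pins":{"tang":{"url":"%s"},"tpm2":{"pcr_bank":"sha256","pcr_ids":"%s"}}}' \
        "$tang_url" "$pcr_ids"
}

# Bind the hardened policy to a LUKS device. Not run here: needs root, the
# clevis tools, and a reachable Tang server.
bind_luks_device() {
    dev=$1
    tang_url=$2
    clevis luks bind -d "$dev" sss "$(clevis_sss_policy "$tang_url")"
}

# Usage (as root): bind_luks_device /dev/sda2 http://tang.example.test
```

      The bound policy means an attacker who walks off with the server has neither the Tang response nor, after altering the boot chain, matching PCR values, so the key stays sealed.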

        • NaN@lemmy.sdf.org · 7 months ago

          If I steal the server, I have the token, unless someone is physically going to unlock the server every time you reboot, which is not realistic.

    • Max-P@lemmy.max-p.me · 7 months ago

      TPM has been bypassed. Researchers found a lot of laptops where you can just attach wires to the TPM communication lines, listen, and wait for the TPM to spit out the key.

      It’s a hardware attack, so game over. But it’s still worth doing, especially on servers and desktops, because then it’s still much more of a skilled attack than someone just stealing the drives. Especially on servers with their front drive bays, you can literally just pop the drive. And if the drive dies and you can’t erase it, it’s fine: you can throw it away and not care, because it’s FDE, so you can just throw away the keys.