Need help installing Proxmox with automatic decryption and multiple drives

LnxBil said:
Assuming you have auto-unlock enabled for your system, because that was the use case you described:
What would prevent an attacker for just overriding the boot argument with e.g. init=/bin/bash and booting right in your decrypted OS or just doing what your current initrd is doing and injecting what he wants? That is one of the known attack vectors in a physical access scenario. What about DMA-based attacks? Also very easy doable in the scenario with physical access. What about a cold-boot attack?

TPM should be used with additional authentication in order to mitigate those issues or you should offload the encrypted disk description to another machine so that an attacker with physical access will not be able to encrypt it.
Click to expand...
Whatever man, if the crackhead that breaks in and steals my machine is able to use one of those attacks - he can have the family photos. He's earned them.

Now, if I were storing nuclear launch codes it'd be a different story.
 
I was also interested in encrypting my Proxmox VE nodes and found that there are many threads spread across this forum. It took me a lot of work to find everything I needed, so I thought it would be a good idea to collect everything in one how-to guide.

I published it on GitHub, so it can be easily maintained, and I will update it as I finish testing with different filesystems and disk configurations. I'm not an expert, so I'm open to any recommendations or improvements to help fresh Proxmox and Linux users: HOW TO - Encrypt complete Proxmox node with LUKS
 
You must log in or register to reply here.
Top Bottom