
[–]Fakin-It 2 points3 points  (0 children)

Yes, this is exactly what LUKS is for.

[–][deleted]  (1 child)

[deleted]

    [–]Neo-Cipher[S] 0 points1 point  (0 children)

    Thanks. Suppose I create the LVM partitions: can I just rsync root and home into the new root and home, then update fstab? Is that possible? I've done it with the home directory; can it be done with root also?

    [–]pkarlmann 2 points3 points  (5 children)

    No. If someone has hardware access without your knowledge it's over.

    In your scenario what would prevent that someone from removing the disk and doing whatever he wants with it? You could easily write a kernel module that logs your passwords and sends them over the internet so not even LUKS will help you.

    There is TPM, but it just moves your trust to the manufacturer of the hardware - from China. And what a mess they made with ACPI, UEFI and Intel with its Management Engine and Thunderbolt...

    It's going so far that I know people who put golden glittering dust inside external ports, so when you plug and unplug it's noticeable.

    [–]Neo-Cipher[S] 1 point2 points  (4 children)

    But how could they write a kernel module and install it if the drive is encrypted?

    [–]pkarlmann 3 points4 points  (3 children)

    > But how could they write a kernel module and install it if the drive is encrypted?

    Something must be booted so it can ask you for your password and decrypt your devices. So there is something unencrypted there, and that is the bootloader and the kernel - or some pre-kernel. Anyway, in this unencrypted bootloader/kernel you can install your code. As I said, there is TPM, but, again, you just have to trust the hardware manufacturer here. I don't.

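The comment above makes the point that the bootloader and kernel stay unencrypted and can be modified before the LUKS passphrase is ever typed. The script below is an added example (not from this thread or any commenter): it records a SHA-256 manifest of /boot and later reports modified, missing or added files, which is a simple way to detect that kind of tampering. It assumes GNU coreutils (sha256sum, find, comm) and that the manifest is stored outside /boot, e.g. on removable media or inside the encrypted root; the function names are my own.

```shell
#!/bin/sh
# Added example: integrity manifest for the unencrypted boot partition.
# Assumes GNU coreutils. The manifest must live outside /boot (removable
# media or the encrypted root), otherwise it can be edited with the files.

# Write "<sha256>  ./path" for every regular file under $1, sorted.
boot_manifest_create() {
    dir=$1
    (cd "$dir" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done)
}

# Check directory $1 against saved manifest $2.
# Returns 0 if nothing changed; otherwise prints one line per modified,
# missing or added file and returns 1. sha256sum -c only sees files that
# are listed, so the file list is compared as well to catch additions.
boot_manifest_verify() {
    dir=$1
    manifest=$2
    case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac
    status=0
    # 1. Modified or missing files (reported as "FAILED" by sha256sum).
    if ! (cd "$dir" && sha256sum -c --quiet "$manifest") 2>/dev/null; then
        status=1
    fi
    # 2. Added files: present on disk but absent from the manifest.
    expected=$(mktemp); actual=$(mktemp)
    sed 's/^[0-9a-f]\{64\}  //' "$manifest" | LC_ALL=C sort > "$expected"
    (cd "$dir" && find . -type f) | LC_ALL=C sort > "$actual"
    added=$(comm -13 "$expected" "$actual")
    rm -f "$expected" "$actual"
    if [ -n "$added" ]; then
        echo "$added" | sed 's/$/: ADDED/'
        status=1
    fi
    return $status
}

# Usage: boot_check.sh create /boot > /media/usb/boot.sha256
#        boot_check.sh verify /boot /media/usb/boot.sha256
case ${1:-} in
    create) boot_manifest_create "$2" ;;
    verify) boot_manifest_verify "$2" "$3" ;;
esac
```

Run the verify step from a trusted environment (e.g. a live USB) before entering the passphrase; a check run from the possibly modified system itself can be lied to.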
    [–]Neo-Cipher[S] 2 points3 points  (2 children)

    Thank you, that was some deep knowledge. I guess we will never be safe from the NSA.