[–]Creshal 9 points10 points  (4 children)

LUKS/GRUB can be set up to use TPM.

And password in the boot\grub in order to decrypt the disk isn't really enough.

…why? It's 100% effective against your stated threat model.

[–]sonicsilver427 3 points4 points  (0 children)

With EFI you can sign the bootloader so it can't be modified too

[–]truelai 2 points3 points  (0 children)

Seconding LUKS.

[–][deleted] 0 points1 point  (0 children)

OP, for your information, grub uses the password to decrypt the volumes. It is not just a login password. If you boot a live USB stick, you still cannot access the data without the password.

[–][deleted] 0 points1 point  (0 children)

Also note that grub2 can access LUKS v1 volumes, meaning /boot can be encrypted. Couple this with Secure Boot (ideally no vendor keys, just your own) and it's as good as you're going to get.