Comment by NekkoDroid 6 days ago

7 replies

Drive encryption is only really securing your data at rest, not while the system is running. Ideally image-based systems also use the kernel's runtime integrity checking (e.g. dm-verity) to ensure that things are as they are expected to be.

cwillu 5 days ago

“ensure that things are as they are expected to be” according to who, and for whose benefit? Certainly not the person sitting in front of the computer.

  • NekkoDroid 5 days ago

    The system owner. Usually that is the same entity that owns the secure boot keys, which can be the person that bought a device or another person if the buyer decides to delegate that responsibility (whether knowingly or unknowingly).

    In my case I am talking about myself. I prefer to actually know what is running on my systems and ensure that they are as I expect them to be and not that they may have been modified unbeknownst to me.

    • direwolf20 5 days ago

      I don't think this is right. Usually, the entity that owns secure boot keys is a large tech corporation which paid to install their keys on all new computers.

      • marcthe12 5 days ago

        You can enroll your own, and LP's goal is basically based on the assumption that you can enroll your own.

  • rcxdude 5 days ago

    This is only the case if the person sitting in front of it does not own the keys.

    • cwillu 5 days ago

      And from this you can safely conclude that users will be under severe pressure to surrender them.