LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian
Old 02-27-2016, 07:19 PM   #1
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 164

Rep: Reputation: 18
Fixing the dual password boot prompting: Is this a security hole?


I recently installed Jessie on a laptop (w/UEFI) and discovered the poor user needed to type the passphrase twice while booting. So I found a website that suggests modifying initrd.img-* by inserting a second passphrase into initrd.img-*...and using another LUKS slot. The passphrase is in the init image.
Now when it wakes up it instantly asks for a passphrase. Then it doesn't ask a second time because it already has the new binary passphrase loaded into initramfs.
So my question is: does the first password unencrypt the boot image somehow, or does the initramfs image contain the unencoded alternate password (in cleartext) I included, ready for hacking?
I thought I'd get an outside opinion. I'm not done reading the author's technical tutorials yet.

Last edited by linuxStudent11; 02-27-2016 at 07:21 PM.
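The question in the post above is whether the second key is sitting inside the initramfs in the clear. Whether that matters depends on where the image itself lives, but the image can simply be inspected. The following is an added example, not code from the thread or from the tutorial the poster refers to: it parses the "newc" cpio format that Debian's initramfs-tools writes (handling a gzip-compressed archive and an uncompressed early-microcode archive concatenated in front of it) and reports every regular file that the image's crypt configuration names as a key, or that is named like one, together with its permission bits. The /conf/conf.d/cryptroot and /etc/crypttab locations, their syntax, and the sample image contents are assumptions made for the example.

```python
"""Scan an initramfs image for embedded LUKS keyfiles.

Added example, not code from the thread or from the tutorial the poster
mentions. Assumes the image is one or more SVR4 "newc" cpio archives,
possibly gzip-compressed and possibly concatenated (an uncompressed
early-microcode archive followed by the compressed main one). The sample
image built below is constructed in memory; its key material is a placeholder.
"""
import gzip

NEWC_MAGIC = b"070701"
HEADER_LEN = 110  # 6-byte magic + 13 fields of 8 ASCII hex digits


def _pad4(n):
    return (n + 3) & ~3


def parse_newc(blob):
    """Return [(name, mode, data)] for every entry in the image."""
    entries, pos = [], 0
    while pos < len(blob):
        if blob[pos:pos + 2] == b"\x1f\x8b":          # gzip member: inflate the rest
            blob, pos = gzip.decompress(blob[pos:]), 0
            continue
        if blob[pos:pos + 1] == b"\x00":               # zero padding between archives
            pos += 1
            continue
        if blob[pos:pos + 6] != NEWC_MAGIC or pos + HEADER_LEN > len(blob):
            raise ValueError("not a newc cpio header at offset %d" % pos)
        fields = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = pos + HEADER_LEN
        name = blob[name_start:name_start + namesize - 1].decode()  # drop trailing NUL
        data_start = _pad4(name_start + namesize)
        data = blob[data_start:data_start + filesize]
        pos = _pad4(data_start + filesize)
        if name != "TRAILER!!!":
            entries.append((name, mode, data))
    return entries


def keyfile_refs(entries):
    """Keyfile paths named by the image's crypt configuration.

    Assumption: a Jessie-era image carries /conf/conf.d/cryptroot
    (comma-separated key=value, 'key=none' for a typed passphrase);
    newer images carry /etc/crypttab (third column is the key file)."""
    files = {n: d for n, _, d in entries}
    refs = set()
    for line in files.get("conf/conf.d/cryptroot", b"").decode(errors="replace").splitlines():
        kv = dict(p.split("=", 1) for p in line.strip().split(",") if "=" in p)
        refs.add(kv.get("key", "none"))
    for line in files.get("etc/crypttab", b"").decode(errors="replace").splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and len(parts) > 2:
            refs.add(parts[2])
    return {r.lstrip("/") for r in refs if r not in ("none", "-", "/dev/urandom", "/dev/random")}


def find_keyfiles(entries):
    """Regular files referenced as keys, or whose name looks like a key."""
    refs = keyfile_refs(entries)
    hits = []
    for name, mode, data in entries:
        regular = (mode & 0o170000) == 0o100000
        looks_like_key = name in refs or "keyfile" in name.lower() or name.endswith(".key")
        if regular and looks_like_key:
            hits.append({"name": name, "mode": oct(mode & 0o777),
                         "size": len(data), "world_readable": bool(mode & 0o004)})
    return sorted(hits, key=lambda h: h["name"])


def build_newc(files):
    """Write a newc cpio archive from (name, mode, data) tuples (for the constructed sample)."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(files + [("TRAILER!!!", 0, b"")], start=1):
        nm = name.encode() + b"\x00"
        vals = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0)
        out += NEWC_MAGIC + b"".join(b"%08x" % v for v in vals) + nm
        out += b"\x00" * (_pad4(len(out)) - len(out))
        out += data
        out += b"\x00" * (_pad4(len(out)) - len(out))
    return bytes(out)


def sample_image():
    """Constructed image: uncompressed microcode archive + gzip'd main archive
    whose cryptroot config points at a keyfile shipped inside the image."""
    early = build_newc([("kernel/x86/microcode/GenuineIntel.bin", 0o100644, b"\x00" * 16)])
    main = build_newc([
        ("conf/conf.d/cryptroot", 0o100644,
         b"target=sda3_crypt,source=UUID=0000-0000,key=/etc/keys/root.key,rootdev,lvm=vg-root\n"),
        ("etc/keys", 0o040700, b""),
        ("etc/keys/root.key", 0o100600, b"constructed-key-material-not-a-real-key\n"),
        ("scripts/local-top/cryptroot", 0o100755, b"#!/bin/sh\n"),
    ])
    return early + gzip.compress(main)


if __name__ == "__main__":
    for hit in find_keyfiles(parse_newc(sample_image())):
        print(hit)
```

On a real machine, feed `parse_newc` the bytes of the current initrd.img from /boot (read as root). A hit is exactly what the tutorial's change should produce: the extra slot's key is a plain file inside the archive, protected only by whatever protects the archive itself and, once the system is up, by the file permissions on the initrd. The mode and world_readable fields are there because a keyfile the hook copied in with loose permissions is a different finding from one that is root-only.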
 
Old 03-01-2016, 06:28 PM   #2
Rinndalir
Member
 
Registered: Sep 2015
Posts: 733

Rep: Reputation: Disabled
What happens before you are asked for the 1st password? Then what happens between 1st and 2nd?
 
Old 03-01-2016, 08:28 PM   #3
linuxStudent11
Member
 
Registered: Jun 2007
Posts: 164

Original Poster
Rep: Reputation: 18
Thanks for the reply. I've sort-of answered my own question by further reading.
In answer to YOUR question: It's different for different systems. On a UEFI installation, nothing happens before asking for the first password (given the way I installed it).
But on a conventional unencrypted BOOT directory and a LUKS-encrypted LVM set, it loads multiple drivers...but it's still before the menuentry lines in grub.cfg.

I answered my own question when I read that initrd.img and the rest of the files live in the encrypted directory(s). Only the grub/ stuff is in the clear.
Which forces me to wonder. The "Evil Maid" attack is still possible. It's just a little different. Just modify the cleartext grub.cfg to load "EvilMaid.mod" and we're back where we started.

So I'm forced to ask: What additional security is actually accomplished by moving the linux kernel etc. into the encrypted volume set?
If someone gains access to the machine and they poison it with "EvilMaid.mod", a modified grub will still load it. And EvilMaid.mod will send your keystrokes to whomever.
Otherwise, the encryption's the thing. If you can detach the drive, encrypting the /boot won't matter.
I think even Director Comey has figured that out.
I'm concluding that although I admire the author of the webpage mentioned above, I'm doubting his creation is more secure than the ordinary encrypted / directory.
...unless I'm missing something important.
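The point of the post above is that the cleartext grub/ directory (or the EFI system partition) remains the evil-maid surface no matter where the kernel and initrd live: encrypting /boot does not stop a modified grub.cfg or an added module from being loaded. What can be done cheaply is to notice the change. The following is an added example, not code from the thread: it takes a SHA-256 baseline of every file under a boot directory and diffs a later snapshot against it. The directory layout and file contents in `demo` are constructed for the example, and the approach assumes the baseline is kept where the same attacker cannot rewrite it (on the encrypted volume or off the machine), because a baseline stored on the cleartext partition can be updated along with the tampered files.

```python
"""Baseline-and-diff check for the cleartext boot files.

Added example, not part of the thread. It assumes the baseline was taken
on a trusted system and stored out of the attacker's reach (inside the
encrypted root, or off-box); the demo tree below is constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and specials are not boot content
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Paths that appeared, vanished, or changed since the baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "changed": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def save_baseline(digests, path):
    """Store the baseline as JSON; path should be on the encrypted volume or off-box."""
    with open(path, "w") as f:
        json.dump(digests, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed grub/ directory, baselined, then tampered the way the post describes."""
    root = tempfile.mkdtemp()
    try:
        grub = os.path.join(root, "grub")
        os.makedirs(grub)
        with open(os.path.join(grub, "grub.cfg"), "w") as f:
            f.write("insmod part_gpt\ninsmod cryptodisk\ninsmod luks\n")
        with open(os.path.join(grub, "core.img"), "wb") as f:
            f.write(b"\x00" * 32)
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(snapshot(grub), baseline_path)

        # Evil maid: append a module load to the cleartext config and drop the module in.
        with open(os.path.join(grub, "grub.cfg"), "a") as f:
            f.write("insmod EvilMaid\n")
        with open(os.path.join(grub, "EvilMaid.mod"), "wb") as f:
            f.write(b"\x7fELF")

        return compare(load_baseline(baseline_path), snapshot(grub))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

In use, run `snapshot` against the mounted EFI system partition or the unencrypted GRUB directory from the unlocked system and compare it with the stored baseline on every boot; a changed core.img, loader binary or grub.cfg, or an added .mod, is the signal. This is detection after the fact, not prevention: by the time the comparison runs, the modified loader has already executed, which is the limitation the post is pointing at.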
 