For those of you who are using linux: Are you using secure boot? I.e. is your bootloader configured to only decrypt your disk and boot your OS, while blocking all “booting from USB stick” and such?

I’m asking because i’m considering a very specific attack vector, through which a sufficiently skilled agent (e.g. FBI, CIA) could install a keylogger into your OS and get access to your sensitive data that way, even when your disk is encrypted and without your knowledge.

  • CaptainBasculin@lemmy.dbzer0.com
    141·
    2 days ago

    Unless you run your mobo with a password (no one really does), the attack vector always exists by disabling secure boot physically; and even the BIOS password could be reset through ways so I don’t really see the point in secure boot.

    • Liketearsinrain@lemmy.ml
      2·
      19 hours ago

      You can have it set so it fails to boot with secure boot disabled. Not part of my threat model but AFAIK it’s default even for Windows FDE.

    • gandalf_der_12te@discuss.tchncs.deOP
      14·
      2 days ago

      Secure boot can be made secure in principle. The internal disk is encrypted, the bootloader stores the cryption key internally. When you change which OS is booted, the bootloader refuses to give out the key or deletes the key altogether. For one, you would immediately noticed that your OS was tampered with. For two, even when an alternative OS manages to boot, it can’t read your data.