1

Does using LVM encryption on a Kali Linux install fully encrypt the bootloader as well? I'd assume that if the disk is fully encrypted, no one would be able to access or get your password or install a malicious script to do so?

Johnny
  • 11
  • 1

2 Answers

1

The bootloader won't be encrypted, because you first need to load the LVM service.

A probably possible way to install a malicious script is to corrupt the code that prompts you for the password, but it can't access your password directly.

However, you can still encrypt /boot using LUKS, and use LVM over LUKS.
Have a look at this link from ArchLinux; it is doable on Kali as well.

Furthermore, you can use GRUB from a USB key that will load the encryption module and boot from the encrypted /boot.

That's a bit overkill, but I hope it answers your question!

Sayardiss
  • 79
  • 3
0

When you boot your encrypted machine, you must have software able to ask you for the password and decrypt enough data to continue the boot process.

Obviously, this software must be in clear text to be executable; it cannot be encrypted or this would create a chicken-or-the-egg dilemma.

There is indeed an attack taking advantage of this, called the Evil Maid attack, where the genuine LUKS prompt asking for the hard-disk encryption password is replaced by an identical prompt generated by malicious software which will collect your password and somehow store it or send it to the attackers.

Some software may try to detect such a modification once the computer is booted, but this may already be too late, as the password may already have been sent through the network. Some other methods involving a TPM chip allow earlier and more effective protection.

WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
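
A post-boot check of the kind the second answer mentions, as an added example that is not code from either answer: it records SHA-256 hashes of the unencrypted boot files and later reports any that were modified, added or removed. The function names, the `/boot` default and the manifest location are assumptions; keep the manifest on the encrypted volume or on removable media so it cannot be rewritten along with the boot files.

```shell
#!/bin/sh
# Added example: baseline and verify the cleartext boot files.
# Assumes GNU find/sort/xargs/sha256sum (as shipped on Kali) and file
# names without newlines or backslashes.

# boot_manifest DIR: print "<sha256>  ./relative/path" for every file, sorted
boot_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z \
        | xargs -0 -r sha256sum )
}

# boot_baseline DIR MANIFEST: record the known-good state
boot_baseline() {
    boot_manifest "$1" > "$2"
}

# boot_verify DIR MANIFEST: print MODIFIED/ADDED/REMOVED lines,
# return 0 if DIR matches the manifest and 1 otherwise
boot_verify() {
    bv_current=$(mktemp) || return 2
    bv_rc=0
    boot_manifest "$1" > "$bv_current"
    # Hash is columns 1-64, path starts at column 67 (two-space separator).
    awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = substr($0, 1, 64); next }
        {
            p = substr($0, 67); seen[p] = 1
            if (!(p in base)) { print "ADDED " p; bad = 1 }
            else if (base[p] != substr($0, 1, 64)) { print "MODIFIED " p; bad = 1 }
        }
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED " p; bad = 1 }
            exit bad + 0
        }
    ' "$2" "$bv_current" || bv_rc=$?
    rm -f "$bv_current"
    return "$bv_rc"
}

# Usage: script baseline [DIR] MANIFEST   |   script verify [DIR] MANIFEST
case "${1:-}" in
    baseline) boot_baseline "${2:-/boot}" "$3" ;;
    verify)   boot_verify "${2:-/boot}" "$3" ;;
esac
```

A mismatch after a kernel or GRUB update is expected, so re-run the baseline step after each update you made yourself. As the answer notes, this runs after the passphrase has been typed, so it detects tampering rather than preventing it.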