check out GRUB_ENABLE_CRYPTODISK; in short, you can encrypt everything but grub and it's more practical than /boot-on-stick
an attacker with write access can still edit my grub, but it requires more knowledge and has a smaller attack surface
I've had trouble with boot sticks in the past because I forgot to put them in during initramfs updates, too many moving parts
but with only grub on the stick, it only breaks if I don't take care during incompatible grub updates, of which there are few