check out GRUB_ENABLE_CRYPTODISK; in short, you can encrypt everything but grub and it's more practical than /boot-on-stick
You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more
Conversation
You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more
an attacker with write access can still edit my grub, but it requires more knowledge and has a smaller attack surface
1
I've had trouble with boot sticks in the past because I forgot to put them in during initramfs updates, too many moving parts
1
1
but with only grub on the stick, it only breaks if I don't take care during incompatible grub updates, of which there are few
1
1
just google GRUB_ENABLE_CRYPTODISK I think - my only twist on it is that I put a keyfile in the initramfs