Hey all, as it was mentioned in the article, a significant remaining issue is being able to protect your initramfs and your cmdline options during boot while still keeping the convenience of auto-unlock. Current distribution implementations DO NOT, EVEN WITH SECUREBOOT ON, verify the integrity of the initramfs, which can be repacked to include malicious code that will execute during boot, potentially intercepting your LUKS key. There have been a number of attempts to solve this problem, but the most complete appear to be Mortar (a project I head) and safeboot.dev.
I highly recommend taking a look at either of these projects if you want to be able to improve both your convenience through auto unlocking, and security through a broadened scope of audit.
https://github.com/noahbliss/mortar
https://safeboot.dev