by alexeldeib
1020 days ago
Yeah, I recently went down this path. It’s all doable but frankly I’m not a nation state target and getting locked out after a kernel update or similar would be far more annoying. Instead I’m leaning toward separate boot and root disks, with a root/data disk encrypted with LUKS with a detached header. dm-verity on a read-only root with a separate data partition also seems simple/appealing. Of course, these all allow attacks full secure boot/TPM/etc. avoid, but it’s a balance.