[jvanderbot]

TFA: > If your hardware is vulnerable, mitigation can be achieved through the use of a PIN.

Or, encryption passphrase on boot.

But in that case, you just need two accesses: Add h/w keylogger, read h/w keylogger.

You can at least make it somewhat more difficult by using ubsguard to prevent the most obvious keylogger ingress points.

[maxcoder4]

And the usbguard must be installed in the initramfs, not the main system, right? Because the fde password is provided before most of the system loads.

[jvanderbot]

I'm not sure. I know I've been unable to enter my encryption pass word because I had a new keyboard