@amaelle_g Booting from an external USB stick does not necessarily protect you from an Evil Maid attack; check https://mjg59.dreamwidth.org/35742.html for options using a time-based one-time password generator on your mobile phone (or build one with an Arduino: https://hackaday.com/2012/07/11/time-based-one-time-passwords-with-an-arduino/).
@oliof What I don't get is: what can be tampered with when HD is fully encrypted & /boot is on an external USB stick?
@amaelle_g It would still be possible to intercept the passphrase by man-in-the-middling the bootup phase/putting something between your USB stick and the disk to unlock (for example by modifying the firmware on your mainboard). The TPM measuring method protects against that.
@amaelle_g forgot to link to https://github.com/mjg59/tpmtotp