Yo Mastodon, quick #opsec question before I go torture a new computer and/or invest in a new gadget: does a Yubikey protect against the "evil maid attack", or is it still worth having /boot on an external USB stick?
@amaelle_g Booting from an external USB stick does not necessarily protect you from an Evil Maid attack; check https://mjg59.dreamwidth.org/35742.html for options using a time-based one-time password generator on your mobile phone (or build one with an Arduino: https://hackaday.com/2012/07/11/time-based-one-time-passwords-with-an-arduino/).
@amaelle_g It would still be possible to intercept the passphrase by man-in-the-middling the bootup phase/putting something between your USB stick and the disk to unlock (for example by modifying the firmware on your mainboard). The TPM measuring method protects against that.