Can you elaborate on this a bit? I'm definitely not an encryption expert, but I was under the impression that full disk encryption on Linux with a sufficiently long passphrase was secure.
I personally use cryptsetup (dm-crypt/LUKS) on my laptop running Arch Linux just in case it were stolen. Are you saying that bypassing the bootloader with a live USB, etc, could give an attacker access to the data stored on the encrypted drive (outside of the boot partition, of course)? That seems like it would defeat the purpose of full disk encryption. Note: I understand that this is assuming that the attacker does not gain access to the system while it is up and running.
> Are you saying that bypassing the bootloader with a live USB, etc, could give an attacker access to the data stored on the encrypted drive (outside of the boot partition, of course)?
No, of course not. (Well, disregarding cold boot attacks).
But it gives access to data stored inside the boot partition, allowing for fun things like patching your kernel to send dm-crypt keys to http://fbi.gov/submit_key.cgi - makes sense now?
There are ways to also encrypt the boot partition.
There are various protection mechanisms that rely on software alone (bootloader), software + hardware (TPM), software + firmware and software + hardware + firmware.
The question is always what you want besides encrypting the main partition, mainly in terms of integrity checks.
An older BIOS with a TPM or a modern UEFI with or without a TPM can provide additional integrity checks for both the host configuration (BIOS/device settings) as well as storage-device-specific integrity checks.
TXT basically allows you to measure various elements using the UEFI and, more importantly for OEMs at least, TXT has extensive DRM capabilities that can restrict the user from installing "untrusted" operating systems or making modifications to the host itself (e.g. changing BIOS settings).
Beyond that, TXT gives only a slight improvement as far as actual security goes against cold boot attacks, as it allows you to take measurements when switching between S4 and S5 power states (soft off and hibernate); it still doesn't allow any measurement for S1-S3 states, which are legacy sleep modes.
A modern UEFI with or without a TPM can ensure that the OS will not boot or will boot into recovery mode if any changes were made to the hardware or firmware configurations, as well as if any tampering was done to the bootloader (secure boot keys). With a TPM you can be slightly more assured that no one tampered with anything, since the TPM is a better cryptographic storage than the UEFI's RAM/NVRAM.
Full-disk encryption protects against anyone who steals your laptop. However, if someone can get access to your laptop without your knowledge, and you subsequently use the laptop, they could install a hardware or software mechanism to obtain your passphrase.
Yep. TXT or TPM can cryptographically verify boot integrity but aren't magic pixie dust for passphrase recovery via hardware tampering. In the end your adversary can just put in a hardware keylogger between the laptop keyboard and the motherboard.
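The boot-integrity measurement discussed in the comments above, as an added example that is not part of the thread: a Python model of the TPM PCR extend hash chain, showing why a modified kernel in an unencrypted boot partition changes the final PCR value and blocks release of a sealed key. The component byte strings, the key, and the `seal`/`unseal` helpers are constructed stand-ins, not a real TPM interface.

```python
import hashlib

PCR_SIZE = 32  # size of a SHA-256 PCR bank entry


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA256(old PCR || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(components) -> bytes:
    """Measure each boot stage in order, starting from a PCR reset to zeros."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


def seal(secret: bytes, policy_pcr: bytes) -> dict:
    """Toy stand-in for TPM sealing: bind a secret to an expected PCR value."""
    return {"secret": secret, "policy_pcr": policy_pcr}


def unseal(sealed: dict, current_pcr: bytes) -> bytes:
    """Release the secret only if the current PCR matches the sealing policy."""
    if current_pcr != sealed["policy_pcr"]:
        raise PermissionError("PCR mismatch: boot chain changed since sealing")
    return sealed["secret"]


# Constructed sample boot chains (placeholders for the real file contents).
GOOD_CHAIN = [b"bootloader", b"vmlinuz-linux (as installed)", b"initramfs"]
TAMPERED_CHAIN = [b"bootloader", b"vmlinuz-linux (modified)", b"initramfs"]

if __name__ == "__main__":
    sealed = seal(b"constructed-disk-key", measure_chain(GOOD_CHAIN))
    print("clean boot unseals:", unseal(sealed, measure_chain(GOOD_CHAIN)))
    try:
        unseal(sealed, measure_chain(TAMPERED_CHAIN))
    except PermissionError as err:
        print("tampered boot:", err)
    # Only software that is measured enters the chain; hardware placed between
    # the keyboard and the motherboard leaves the PCR value unchanged.
```
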