Am 06.12.19 um 21:04 schrieb Chris Murphy:
swap being compromised. Case 2 is present day Fedora "full disk
encryption" which does not lock down the bootloader, /boot volume is
not encrypted, and thus the initramfs is vulnerable to a targeted
attack which could be used to deploy a key logger or whatever you're
worried about in Case 1.
Not encrypting /boot may be the default in the installer, but does not
mean, you can't go the full way.
You can simply activate /boot/ encryption. Grub will ask you for your
luks password while booting.
But pls see the other message, I won't repeat myself. But your right, It
really depends on the threadmodel you wanne counter.
My point is, make it as hard as possible, otherwise you way just think,
your safe, when your not.
sincerly,
Marius