I was thinking more of like a Tamper-Resistant Boot Drive with a computer being Full Disk Encrypted, and I basically physically carve my signature into the Hardware-Encrypted drive and always check to make sure it's mine and that it hasn't been replaced, then I unlock it in Read-Only mode, then I plug into a computer to select the bootloader on the USB drive to turn on the computer.
Basically it's an Evil-Maid-Resistant setup.
Of course, someone with actual NSA or FSB skills is gonna get in, but it's just so the average script-kiddie can't just download some tampered bootloader online and easily replace the bootloader.
And also I can store like a Linux Distro and Windows installation media on there and know it's much more difficult to tamper with.
Someone who doesn’t need much experience can access the hard drive / SSD and replace the bootloader.
I know it probably doesn’t happen often, but this is more of a personal fear thing, I have trust issues with people.
Living alone is too expensive and thus I either have to stick with family, or split rent with random strangers as roommates, not to mention, some landlords can be creepy and do weird things. I don't have trusted friends who can like live with me as a roommate and split the rent.
So anyways, I'm with parents, and I want evil-maid protections for peace of mind, since I can't afford to live alone. (I mean like they are not dangerous criminals or anything like that, they're just fucking nosey and I don't like to find out how much they want to spy on my online activities).
For phones, it's already too locked-down and hard to modify so I'll just trust the verified boot to do its job.
For computers, it's too easy to edit the bootloader on the disk. So I think putting the bootloader on such an encrypted USB and putting it in read-only mode would protect against tampering with the bootloader.
I probably sound paranoid af right?
Basically, my threat model prioritizes preventing weirdos fucking with my electronics more than anyone else.
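The "always check to make sure it hasn't been replaced" step in the setup above can be automated instead of relying on a carved signature: record a hash of every file on the boot media once, from a state you trust, and re-verify before each boot. The script below is an added example written for this thread, not code from any poster; the boot tree it builds (an EFI/BOOT/BOOTX64.EFI loader and a grub.cfg) is constructed inline with fake contents purely so the check can run offline.

```python
"""Integrity check for a read-only boot drive.

Usage idea: run build_manifest() on the USB stick right after you create it,
store the manifest somewhere the housemates cannot reach (e.g. inside the
encrypted system disk, or printed), and run verify_manifest() against the
stick before every boot. Any "modified", "missing" or "unexpected" entry
means the media is not the one you prepared.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large loader images are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Return {relative_path: reason} for every deviation from the trusted manifest.

    An empty dict means every recorded file is present with its original hash
    and nothing extra has appeared on the media.
    """
    current = build_manifest(root)
    findings = {}
    for rel, digest in manifest.items():
        if rel not in current:
            findings[rel] = "missing"
        elif current[rel] != digest:
            findings[rel] = "modified"
    for rel in current:
        if rel not in manifest:
            findings[rel] = "unexpected"
    return findings


def save_manifest(manifest: dict, path: Path) -> None:
    """Persist the manifest as JSON (keep this copy off the boot media itself)."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> tuple:
    """Constructed walk-through: trusted media, then a swapped loader plus a stray file.

    Returns (findings_before_tampering, findings_after_tampering).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        loader = root / "EFI" / "BOOT" / "BOOTX64.EFI"
        loader.parent.mkdir(parents=True)
        loader.write_bytes(b"constructed loader image v1")      # fake, not a real EFI binary
        (root / "grub.cfg").write_text("set timeout=5\n")         # constructed config

        manifest = build_manifest(root)                           # taken from the trusted state
        clean = verify_manifest(root, manifest)                   # expected: {}

        # Simulate what a tampered stick would look like on the next check.
        loader.write_bytes(b"constructed loader image TAMPERED")
        (loader.parent / "extra.efi").write_bytes(b"constructed unexpected file")
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The manifest is only worth anything if it is stored somewhere the person you distrust cannot also edit; keeping it on the encrypted system disk (or comparing by eye against a printed copy) is the point of separating it from the USB stick. Hashing content rather than checking timestamps matters because a replaced file can carry any timestamp its author chooses.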
Someone who doesn’t need much experience can access the hard drive / SSD and replace the bootloader.
…
I probably sound paranoid af right?
Well, all your points are fair but IMHO the intersection does not exist.
Namely, yes, some people living with you might want to access your files somehow… but able to change the bootloader? Even knowing what a bootloader is? I don't know if your friends or parents are ICT professionals but otherwise, I would bet that's not plausible.
Consequently I do recommend you protect yourself, yes, but IMHO the threats are much MUCH lower than that. Namely… maybe checking the last open files or even “just” your browser history is what a typical person might consider, not changing a bootloader.
So… I would personally start with that, e.g. encrypted disk yes, with strong password or even physical token login, e.g. NitroKey or YubiKey. They should never have access to your unlocked computer but once it’s locked, in theory there should be no practical way to access files. I insist on the practical word because… I wouldn’t imagine parents or flatmates to have access to a cluster of machines to crack encryption.
Does this work against the threat?
Can you provide me with an example of that threat with which setups are affected by that?
I mean with physical access.
People living with you.
Or when you want to travel (domestically).