Re: [bitfolk] Automatically unlocking a LUKS container for …

Author: Ian Kelling
Date:  
To: Andy Smith
CC: users
Subject: Re: [bitfolk] Automatically unlocking a LUKS container for unattended reboots
I skimmed, but agree with your analysis.

I have a systemd service which, on reboot, adds a LUKS key stored on
the encrypted disk to the unencrypted initrd, and on boot, removes
it. Basically:

      sed -i .../path/keyscript/... /etc/crypttab
      update-initramfs -u


One idea: a way to make a BitFolk-level attacker always have to go
through memory to find the key, but still do unattended reboots: reboot
using kexec from a kernel+initrd that is either in memory or on the
encrypted disk.

Raptor Engineering has designed hardware + software meant to help with
this problem, https://www.integricloud.com/ . I've yet to try it; I
contacted them just a few days ago to try it but haven't heard back.

--
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7 DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org
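The crypttab toggle sketched in the message above, written out as an added example (not the poster's own service or script): one function rewrites the key-file column of a crypttab entry, and the arm/disarm wrappers pair it with the `update-initramfs -u` rebuild on the shutdown and boot sides. The target name `cryptroot`, the key path under `/root/keys/`, and the use of `/etc/crypttab` are assumptions, as is the constructed crypttab in the demo.

```shell
#!/bin/sh
# Added example, not the poster's own script: toggle the key-file field of a
# crypttab entry so the initramfs rebuilt before an unattended reboot carries
# the LUKS key, and the one rebuilt after boot does not. Paths are assumptions.
set -eu

# Set the key-file field (column 3) of the crypttab line whose target is $1
# to $2, in the crypttab file $3. Other lines are copied unchanged.
set_crypttab_key() {
    awk -v t="$1" -v k="$2" 'BEGIN { OFS = "\t" } $1 == t { $3 = k } { print }' \
        "$3" > "$3.tmp"
    mv "$3.tmp" "$3"
}

# Print the key-file field currently set for target $1 in crypttab $2.
get_crypttab_key() {
    awk -v t="$1" '$1 == t { print $3 }' "$2"
}

# Shutdown side (systemd ExecStop): point the entry at the key, which lives on
# the encrypted root, and rebuild so the initrd in unencrypted /boot has it.
# Debian's cryptsetup-initramfs hook only copies key files matching
# KEYFILE_PATTERN in /etc/cryptsetup-initramfs/conf-hook.
arm_unattended_reboot() {
    set_crypttab_key "$1" "$2" /etc/crypttab
    update-initramfs -u
}

# Boot side (systemd ExecStart): drop the reference and rebuild, so the key is
# removed from the unencrypted initrd for the rest of the uptime.
disarm_after_boot() {
    set_crypttab_key "$1" none /etc/crypttab
    update-initramfs -u
}

# Offline demonstration on a constructed crypttab (no initramfs rebuild):
# prints the key field after arming, then after disarming.
demo_toggle() {
    f=$(mktemp)
    printf 'cryptroot\tUUID=constructed-0000\tnone\tluks\n' > "$f"
    set_crypttab_key cryptroot /root/keys/root.key "$f"
    armed=$(get_crypttab_key cryptroot "$f")
    set_crypttab_key cryptroot none "$f"
    disarmed=$(get_crypttab_key cryptroot "$f")
    rm -f "$f"
    echo "$armed $disarmed"
}
```

Wire `disarm_after_boot` into a unit's `ExecStart=` and `arm_unattended_reboot` into its `ExecStop=` with `RemainAfterExit=yes` to get the on-boot remove / on-shutdown add behaviour described in the message; the key is only ever present in the initrd across the reboot window.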