Ambiguous Login before cryptosetup password

Current: Upon powering up, the grub screen shows, listing Qubes OS.

Desired: Upon powering up, no identifying information is presented until after cryptosetup has authenticated the password for disk encryption.

Many of us are drawn to the secure nature of Qubes. As such, we are also the type who would prefer that someone booting up our machine would be unable to gain any identifying information about the OS we are using.

ParrotOS does a great job by not displaying any information until after cryptosetup has been asked and authenticated. Then grub is presented.

Is there some way that we can manage the boot process so that no identifying information is presented before decryption?

It would also be amazing if users could choose their own splash screen at the beginning. That way, it would be possible to obfuscate by having a splash screen of Windows, Mac, or other OS.

This is very likely impossible to do since /boot is unencrypted.

In this threat model, Tails may be more adequate. It doesn’t have the same level of security, but if this is a real threat for you, it may justify decreasing your security in other areas. With Tails, it leaves nothing on your current operating system, and all you need is a USB stick that you can hide / dispose of when needed, without leaving a trace, generally.

As @anon22772651 explained, in order for an operating system to load, it needs some unencrypted section. A forensics expert will look at it and be able to figure out what OS it is. But you can mitigate this threat by customizing the bootloader entries (what you refer to as the operating system choices). For that look into “modifying grub entry names” on a search engine or the forum. But be aware this is a bit advanced.

There is even more advanced stuff you can do, of course. This includes things like a detached encrypted boot and header. I have never tried those, so I can’t recommend them, but if you have the time and the skill, then they could be a great exercise. But be aware that these are very advanced.

1 Like

Thanks so much for the links. I’ll take a look at those.

I think my threat model has to do with having onlookers either at work or in a public place. When I boot up, anyone in eyeshot can see QUBESOS from anywhere in the room.

Great advertising aside, the simple fact that I have an unusual boot screen will lead most people to inquire, let alone those who may know what it is. Curiosity is sometimes the enemy. If someone sees that I have QubesOS on my machine, it will lead them to wonder if I’m a good target–after all, if I have that much security, I must have juicy goods.

Just food for thought…

Thanks again!!

The same answer will apply to all suggestions that relate to “security theatre”:

  • Yes, they can be done, there is a place for them, and they would be nice.
  • No, they will not protect you against anyone who “knows what they’re doing”. :slight_smile:

This can be done if you are ok with getting your hands dirty with the initramfs and are familiar with plymouth. :slight_smile:


This would require the kernel and initramfs to be loaded before the bootloader. I’ve just booted ParrotOS and it followed the exact same boot order as QubesOS. Are you sure about this?

On that note, would definitely be cool if there was a way to do that, without involving the BIOS :slight_smile:


This can definitely be done by gutting all the QubesOS stuff from the GRUB config.

Good for anyone who presses the power button on your machine, looks at it for a few seconds, thinks “Well, this is nothing special…” and turns it off again.

Bad for anyone who says “Right, let’s clone the boot drive, search for keywords in all unencrypted files, and if that doesn’t show anything useful, hash the kernel and initramfs and see if it matches any distro kernels” :frowning:

In this case, I think it would be nice to add a privacy filter to your screen, so no one could see your screen except the person in front of it.

1 Like
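
The replies above note that renaming GRUB entries changes what an onlooker sees but not what remains in the unencrypted /boot. The following self-audit is an added example, not code from any post in this thread; the keyword list, file-name prefixes and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumed keyword list; extend it with any names your own install uses.
KEYWORDS = (b"qubes", b"xen")
# Assumed file-name prefixes for kernel and initramfs images.
IMAGE_PREFIXES = ("vmlinuz", "initramfs", "initrd")

def audit_boot(boot_dir, keywords=KEYWORDS):
    """Scan every regular file under boot_dir.

    Returns (hits, hashes):
      hits   = {relative_path: sorted keywords found in the name or content}
      hashes = {relative_path: sha256 hex digest} for kernel/initramfs images
    """
    hits, hashes = {}, {}
    for root, _dirs, files in os.walk(boot_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, boot_dir)
            with open(path, "rb") as fh:
                data = fh.read()
            # File names leak as well as file contents, so search both.
            haystack = rel.encode().lower() + b"\n" + data.lower()
            found = sorted(k.decode() for k in keywords if k in haystack)
            if found:
                hits[rel] = found
            if name.startswith(IMAGE_PREFIXES):
                hashes[rel] = hashlib.sha256(data).hexdigest()
    return hits, hashes

def build_sample_boot(root):
    """Constructed sample: the menu title is generic, the rest is untouched."""
    os.makedirs(os.path.join(root, "grub2"))
    with open(os.path.join(root, "grub2", "grub.cfg"), "w") as fh:
        fh.write("menuentry 'Linux' {\n"
                 "  multiboot2 /xen-4.17.gz placeholder\n"
                 "  module2 /vmlinuz-6.1.0-1.qubes.x86_64 placeholder\n"
                 "}\n")
    with open(os.path.join(root, "vmlinuz-6.1.0-1.qubes.x86_64"), "wb") as fh:
        fh.write(b"\x00constructed kernel image bytes\x00")
    with open(os.path.join(root, "splash.png"), "wb") as fh:
        fh.write(b"\x89PNG constructed image")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_boot(tmp)
        hits, hashes = audit_boot(tmp)
        for rel, found in sorted(hits.items()):
            print(f"{rel}: contains {', '.join(found)}")
        for rel, digest in sorted(hashes.items()):
            print(f"{rel}: sha256 {digest}")
```

To check a real system, call `audit_boot("/boot")` from an account that can read every file there; any path listed in `hits` still identifies the OS regardless of the menu title.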