Not even talking about top adversaries like FBI and etc but for a normal person who has been around your Qubes OS laptop. Is it possible that they can somehow install a backdoor on an encrypted unmounted drive?
sure they can.
The most trivial way:
more advanced if they compromise the firmware of the disk…
But if the whole disk is fully encrypted even the boot sector then how would that work? Because LUKS is “full disk encryption”
There needs to be an unencrypted (plaintext) part that can decrypt the rest of the disk so that the system can boot. You can have /boot on a USB stick or something similar that would be closer to you and easier to monitor.
Or you can set up something to verify the data on the disk before the disk is used (like Heads, etc.).
If they have access to the whole laptop, they could try install some hardware (keylogger, transmitter, etc.) or compromise various pieces of firmware around the laptop.
I would use tamper-evident seals on the laptop, like stickers so removing a part would break the seals (like the warranty stickers on products) to increase my security. Check them regularly. Use different types of seals as a redundancy.
1 Like
IANAC (I am not a cryptographer), but my understanding is that most FDE tools don’t use authenticated encryption, in which case there’s no strong assurance that your encrypted data hasn’t been replaced with malicious ciphertext that might exploit a hypothetical vulnerability somewhere in your system (e.g., in the FDE software that attempts to decrypt the malicious ciphertext or at some lower level).
This is part of the motivation for tools like AEM.
1 Like