So AEM is not available for every machine.
Assume you don't have AEM on yours: what would you do to prevent an Evil Maid attack?
The problem is that unencrypted stuff is on your HDD/SSD, and that unencrypted boot sector can be infected with malware. So why not move this nasty part onto a USB stick that you can carry around and physically protect against adversaries?
Has anybody outsourced their boot onto a USB stick?
51lieal made a guide for detaching the header
Devices used in testing and confirmed to work:
Windows VMware (host using an old PC) and my laptop.
Both are using UEFI.
Keep in mind that below are the disks I used in the tutorial; you can use 2 flash drives (1 boot, 1 header) + 1 HDD or whatever you want.
/dev/nvme0n1 = system
/dev/sda = flashdrive
Please watch out for any space, slash, or period in the commands / files. IT REALLY MATTERS.
After booting into the installer, in the language section, press Ctrl + Alt + F2
—# WARNING CONFIRM YOUR DISK FIRST BEF…
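As an added check after following the detaching guide (example code written for this thread, not part of 51lieal's guide or the Qubes tooling): once the header is detached, the system disk should carry no LUKS header at all, while the header file on the flash drive should hold both the primary and the secondary LUKS2 header. The scanner below walks an image or block device sector by sector looking for the LUKS1/LUKS2 magic and parses the fixed header fields (version, header size, label, UUID). The disk images it builds are constructed stand-ins; the device names /dev/nvme0n1 and /dev/sda are assumed to match the guide's layout.

```python
"""Scan a disk image (or block device) for LUKS1/LUKS2 header magic.

Added example for this thread, not from 51lieal's guide. After detaching the
header, run it against the system disk (expect nothing) and against the header
file on the flash drive (expect a primary and a secondary LUKS2 header).
Field offsets follow the on-disk LUKS1/LUKS2 formats (magic 0, version 6, UUID 168).
"""
import random
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header magic (LUKS1 and LUKS2)
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 secondary (backup) header magic
SECTOR = 512
SCAN_LIMIT = 32 * 1024 * 1024            # default LUKS2 header area is 16 MiB; scan twice that


def _cstr(buf: bytes, start: int, length: int) -> str:
    """Decode a NUL-padded fixed-width string field."""
    return buf[start:start + length].split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(buf: bytes, off: int) -> dict:
    """Parse the fixed fields of a LUKS1 or LUKS2 binary header located at `off`."""
    version = struct.unpack_from(">H", buf, off + 6)[0]
    info = {"offset": off, "version": version, "uuid": _cstr(buf, off + 168, 40)}
    if version == 1:
        # LUKS1: cipher name at 8, cipher mode at 40, payload offset (in sectors) at 104
        info["cipher"] = f"{_cstr(buf, off + 8, 32)}-{_cstr(buf, off + 40, 32)}"
        info["payload_offset_sectors"] = struct.unpack_from(">I", buf, off + 104)[0]
    elif version == 2:
        # LUKS2: header size at 8, label at 24; the secondary copy uses the SKUL magic
        info["hdr_size"] = struct.unpack_from(">Q", buf, off + 8)[0]
        info["label"] = _cstr(buf, off + 24, 48)
        info["secondary"] = buf[off:off + 6] == LUKS2_SECONDARY_MAGIC
    return info


def find_luks_headers(data: bytes) -> list:
    """Return a parsed record for every LUKS magic found on a sector boundary."""
    limit = min(len(data), SCAN_LIMIT)
    return [parse_luks_header(data, off)
            for off in range(0, limit, SECTOR)
            if data[off:off + 6] in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC)]


def scan_path(path: str) -> list:
    """Scan the first SCAN_LIMIT bytes of a file or block device (root needed for devices)."""
    with open(path, "rb") as f:
        return find_luks_headers(f.read(SCAN_LIMIT))


def make_luks2_header_area(label: str, uuid: str, hdr_size: int = 16384) -> bytes:
    """Constructed LUKS2 header area: primary header at 0, secondary at hdr_size.
    Only the fields the scanner reads are filled; JSON metadata and keyslots stay zero."""
    area = bytearray(2 * hdr_size)
    for off, magic in ((0, LUKS_MAGIC), (hdr_size, LUKS2_SECONDARY_MAGIC)):
        area[off:off + 6] = magic
        struct.pack_into(">H", area, off + 6, 2)          # version 2
        struct.pack_into(">Q", area, off + 8, hdr_size)   # size of this header + JSON area
        area[off + 24:off + 24 + len(label)] = label.encode()
        area[off + 168:off + 168 + len(uuid)] = uuid.encode()
    return bytes(area)


# Constructed sample images (not captured from a real machine):
CIPHERTEXT = random.Random(1234).randbytes(64 * 1024)   # stand-in for wiped area + encrypted payload
HEADER_AREA = make_luks2_header_area("qubes_dom0", "6d2f0a1c-0000-4000-8000-000000000001")
DISK_BEFORE_DETACH = HEADER_AREA + CIPHERTEXT   # header still sits in front of the data
DISK_AFTER_DETACH = CIPHERTEXT                  # what the system disk should look like
USB_HEADER_FILE = HEADER_AREA                   # what the header file on the flash drive holds

if __name__ == "__main__":
    for name, image in (("system disk before detach", DISK_BEFORE_DETACH),
                        ("system disk after detach", DISK_AFTER_DETACH),
                        ("header file on USB", USB_HEADER_FILE)):
        hits = find_luks_headers(image)
        print(f"{name}: {len(hits)} LUKS header(s)",
              [(h["offset"], h["version"], h.get("label")) for h in hits])
```

On a real system, call `scan_path("/dev/nvme0n1")` (expect an empty list) and `scan_path("/path/to/header-file")` (expect two LUKS2 records, the second flagged secondary) as root. An empty result on the system disk is the property you were after: with no header in front of the data, the disk is indistinguishable from random bytes, and there is nothing for an evil maid to tamper with there. The flash drive still is, so it needs the physical protection the thread talks about.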
Oh Thanks! Should have used the search before posting…
Using a SED SSD you can do a couple of things:
High security: Use sedutil to boot a tiny read-only partition that is used to unlock and make visible all of your read-write partitions.
Medium security: if your BIOS supports it, use password disk security on a SED that actually encrypts the disk key using the ATA password.
Both of these depend on the SED manufacturer’s security implementation of course.
Using a SED SSD
Which is better than trusting your USB whatever, as I see it.