Poor mans AEM

So AEM ist not available for every machine.

Assume you don’t have AEM on yours, what would you do to prevent an Evil-Maid attack?

The problem is, that unencrypted stuff is on your HDD/SSD and that unencrypted boot sector can be infected with malware. So why not remove this nasty part onto an USB stick that you can carry around and physically protect against adversaries?

Has anybody outsourced their boot onto a USB stick?

51lieal made a guide for detaching the header


Oh Thanks! Should have used the search before posting…

1 Like

Using a SED SSD you can do a couple of things:

  1. High security: Use sedutil to boot a tiny readonly partition that is used to unlock and make visible all of your readwrite partitions.

  2. Medium security: if your bios supports it, use password disk security on a SED that actually encrypts the disk key using the ATA password.

Both of these depend on the SED manufacturer’s security implementation of course.



Which is better than to trust your USB whatever, as I see it.

1 Like