Thanks for answering, but I still have some questions:
>> (in any case, i will use a pass phrase for aem.)
>>
>> 1) is there a difference between using a USB drive or using an
>> internal partition? (except for having a second device in case of a USB
>> drive)
>
> Yes. You should keep your AEM boot with you on a separate device. If you
> don't, an attacker could see your secret phrase by booting the system.
But isn't this what I am using a password for?
The AEM data is protected by my AEM pw.
After entering it, it is used to decrypt my secret + (somehow) check the
system integrity.
If this fails, my AEM pw is burned.
In case it succeeds, I enter my LUKS pw and the system data is encrypted.
At least this is how I understood it.
Also, if this were the case, why is there the option to leave it on the
internal disk?
From the AEM README
(https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README
lines 55-60):
"
You may want to use non-default password for the SRK key (see the
discussion in the article referenced above), certainly if you want to save
the sealed secrets to your internal boot partition. In that case you SHOULD
NOT pass the '-z' argument to tpm_takeownership.
"
This suggests it is safe to use an internal boot partition if a password is
passed to `tpm_takeownership`.
So what is the case?
> This is also important if you want AEM to warn you after a /remote/
> (non-Evil Maid) attack has affected your BIOS.
How does this work?
>> 3) is unhiding my USB devices only required during AEM setup? (I guess
>> so, but I thought I would ask)
>
> I think you refer to the option that suppresses USB devices during boot.
I refer to this
(https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README
lines 110-120):
"
Note: If you choose to use a USB device (e.g., a flash drive) as your AEM
device and you previously created a USB qube, then you may have to unhide
your USB controller from dom0:
1. Open the file `/etc/default/grub` in dom0.
2. Find the line that begins with `GRUB_CMDLINE_LINUX`.
3. If present, remove `rd.qubes.hide_all_usb` from that line.
4. Save and close the file.
5. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
6. Reboot.
"
Here you unhide the USB controller so it is accessible from dom0.
>> 3) is unhiding my USB devices only required during AEM setup? (I guess
>> so, but I thought I would ask)
>
> I think you refer to the option that suppresses USB devices during boot.
> This should be turned off when booting AEM (not just installing) from a
> USB stick so the verification sequence can read the secret from the USB
> stick.
This is not mentioned anywhere in the documentation. I think it should be.
- Joe
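As an added example, not part of this thread or of the Qubes AEM README: a small shell helper for steps 1 to 5 of the quoted unhide procedure. It edits only the `GRUB_CMDLINE_LINUX` line, removes the `rd.qubes.hide_all_usb` token wherever it sits in the argument string, leaves every other kernel argument alone and can be re-run safely. The file path is a parameter so the edit can be rehearsed on a constructed copy before touching `/etc/default/grub` in dom0; the `grub2-mkconfig` step is deliberately not run by the helper.

```shell
# Added example (not from the Qubes AEM README): helper for steps 1-5 of
# the quoted "unhide your USB controller" procedure. Works on any file
# with a GRUB_CMDLINE_LINUX line; the real target is /etc/default/grub.

# Exit 0 if the hide-all-USB token is still on the GRUB_CMDLINE_LINUX line.
usb_hidden_in_grub() {
    grep -Eq '^GRUB_CMDLINE_LINUX=(.*[" ])?rd\.qubes\.hide_all_usb([" ]|$)' "$1"
}

# Step 3: remove the token from that line only (token first, middle or last
# in the quoted string). A .bak copy of the file is kept next to it.
unhide_usb_in_grub() {
    sed -E -i.bak \
        -e '/^GRUB_CMDLINE_LINUX=/ s/rd\.qubes\.hide_all_usb //g' \
        -e '/^GRUB_CMDLINE_LINUX=/ s/ ?rd\.qubes\.hide_all_usb("|$)/\1/g' "$1"
}

# Print the GRUB_CMDLINE_LINUX line so it can be checked before step 5.
grub_cmdline() {
    grep '^GRUB_CMDLINE_LINUX=' "$1"
}

# Rehearsal on a constructed dom0-style grub file (PLACEHOLDER stands in for
# the real LUKS UUID); prints the cleaned line. Step 5
# (grub2-mkconfig -o /boot/grub2/grub.cfg) must still be run by hand in dom0.
demo_unhide() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="rd.luks.uuid=PLACEHOLDER rd.qubes.hide_all_usb rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
EOF
    unhide_usb_in_grub "$tmp"
    grub_cmdline "$tmp"
    rm -f "$tmp" "$tmp.bak"
}
```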