How To Reduce Your Vulnerability to Evil Maid Attack When You Have Disk Encryption

  1. Zero hard drive(s) with dd
  2. Mark drive(s) as raw lvm disk
  3. Make your vg and lv
  4. Make your encryption
  5. Make file system ext4
  6. Install Ubuntu
  7. Make sure you have SDcard inserted before you turn on computer
  8. When you get to disk partitioner in install, format SDcard ext2, all of it, the whole thing, except if you need a little bit for efi partition in which case the SDcard will have two partitions a grub/boot partition/mbr and efi.
  9. Mark your lvm volume as ext4 and use entire volume for /
  10. In the partitioner select SDcard for grub/boot partition/mbr/efi install.
  11. If you install grub/boot partition/mbr/efi to your lvm disk the computer will not boot as you overwrote the lvm.
  12. Now proceed with install and the grub/boot partition//mbr/efi will be installed to the SDcard and the OS will be installed to the encrypted lvm.
  13. If you need efi partition that also will need to be installed to SDcard.
  14. Reboot when installer says to.
  15. Check everything works.
  16. Shutdown computer and remove SDcard.
  17. Boot computer, it should fail to boot if it’s working right. The bios/efi should behave as if the hard drives were blank.
  18. Shut down computer and insert SDcard. Boot computer and it should now boot to encrypted password box and you should now be able to log in.
  19. Reboot and set a bios/efi admin and user password.
  20. Reboot and verify bios/efi passwords are required.
  21. Now when you leave the house always hide the SDcard or take it with you or if you have a laptop always put the SDcard in a separate backpack pocket as the criminal is unlikely to know the significance of the SDcard.

You can always have two or three SDcards that are dd clones of the key and you can update the clones whenever you have an update.  If you have to you can always make new boot cards from an known good computer.  The point is you never have to rely upon the idea that your stuck with the boot code Ubuntu installed.  Any suspicion that SDcard has been compromised you can make new SDcard boot key.  Give the keys to trusted family/friends or hide them around the house. Now you are much more secure against evil maid attack as any attempt to write to lvm disk will destroy encrypted lvm disk. Attacker will need the key which is your SDcard.  Yes of course attacker can use their own boot code and attempt an attack upon the disk.  However we are concerned here with boot code integrity.

If you are kidnapped and they demand key, I highly recommend that you give them the key as no data is worth the loss of human life.