Obviously, with a state adversary, you’d be fucked.
But how about, if I want to prevent a douchebag sibling or roommate from replacing the bootloader of an encrypted laptop with a malicious version they got from some dark web site as a “prank”? Assuming you can’t just lock the device in a safe.
With phones, they all have verified boot.
But with Windows + Veracrypt, an attacker can just replace the Veracrypt Bootloader.
Is there an alternative? Or do I just have to use Bitlocker? (again, non-state adversaries)
I don’t know. How strong are these maids?
They’re skatin’
As another poster mentioned, QubesOS with anti evil maid will work, but that’s the defense against state actors too and is overkill for this threat model.
BitLocker or any FDE using Secure Boot and PCR 7 will be sufficient for this (with Linux you also need PCRs 8+9 to protect against grub and initramfs attacks). Even if they can replace something in the boot chain with something trusted, it’ll change PCR 7 and you’d be prompted to unlock with a recovery key (don’t blindly enter it without verifying the boot chain and knowing why you’re being prompted).
With Secure Boot alone, the malicious bootloader would still need to be trusted (something like BlackLotus).
Also make sure you have a strong BIOS password and disable boot from USB, PXE, and anything else that isn’t the specific EFI bootloader used by your OS(es).
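To make the PCR argument in the post above concrete, here is an added simulation (my own illustration, not code from the thread or from any TPM stack) of how TPM PCR extend and PCR-bound sealing behave under different tampering scenarios. Everything is a stand-in: the event log is constructed, the "seal" is a toy wrap keyed from the policy digest instead of a real TPM2_PolicyPCR + TPM2_Create, and the secret is a fabricated volume key. One detail worth knowing when choosing PCRs: PCR 7 records the Secure Boot policy and the db certificate used to authenticate each image, so a different binary signed under the same certificate leaves PCR 7 alone; the image hashes land in PCR 4, and on Linux the grub commands and initramfs land in PCRs 8 and 9, which is why the post says to include those.

```python
"""Toy simulation of TPM PCR extend and PCR-bound sealing (not real TPM code)."""
import hashlib
import hmac

PCR_INIT = b"\x00" * 32  # PCRs are zeroed at power-on (SHA-256 bank)


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 extend: PCR_new = SHA256(PCR_old || SHA256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(event_log):
    """Replay an ordered list of (pcr_index, event_bytes) into PCR values."""
    pcrs = {}
    for idx, event in event_log:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INIT), event)
    return pcrs


def policy_digest(pcrs, selection):
    """Simplified stand-in for TPM2_PolicyPCR: digest over the selected PCRs."""
    parts = b"".join(pcrs.get(i, PCR_INIT) for i in sorted(selection))
    return hashlib.sha256(parts).digest()


def seal(secret: bytes, pcrs, selection):
    """Bind a 32-byte secret to the current values of the selected PCRs (toy wrap)."""
    pd = policy_digest(pcrs, selection)
    pad = hashlib.sha256(b"wrap|" + pd).digest()
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    tag = hmac.new(pd, ct, hashlib.sha256).digest()
    return {"selection": sorted(selection), "ct": ct, "tag": tag}


def unseal(blob, pcrs):
    """Return the secret if the PCR policy matches, else None (= recovery-key prompt)."""
    pd = policy_digest(pcrs, blob["selection"])
    expected = hmac.new(pd, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    pad = hashlib.sha256(b"wrap|" + pd).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))


def boot_log(secure_boot=True,
             bootloader=b"grubx64.efi image hash",
             grub_cmd=b"linux /vmlinuz root=/dev/mapper/root",
             initramfs=b"initramfs-v1 hash"):
    """Constructed, illustrative boot event log (not a real TCG event log)."""
    return [
        (7, b"SecureBoot=1" if secure_boot else b"SecureBoot=0"),
        (7, b"PK/KEK/db/dbx contents"),
        (7, b"db cert used to authenticate images: Microsoft UEFI CA"),
        (4, b"shim image hash"),
        (4, bootloader),            # image hash of the second-stage loader
        (8, grub_cmd),              # grub commands / kernel command line
        (9, initramfs),             # kernel + initramfs measurements
    ]


VOLUME_KEY = hashlib.sha256(b"constructed LUKS volume key").digest()  # fabricated


def scenario(selection, **boot_changes):
    """Seal at a known-good boot, replay a possibly tampered boot, report unseal success."""
    good = measure_boot(boot_log())
    blob = seal(VOLUME_KEY, good, selection)
    tampered = measure_boot(boot_log(**boot_changes))
    return unseal(blob, tampered) == VOLUME_KEY


if __name__ == "__main__":
    print("PCR7, Secure Boot turned off:     ", scenario({7}, secure_boot=False))
    print("PCR7, initramfs swapped:          ", scenario({7}, initramfs=b"evil initramfs"))
    print("PCR7+8+9, initramfs swapped:      ", scenario({7, 8, 9}, initramfs=b"evil initramfs"))
    print("PCR7+8+9, grub cmdline changed:   ", scenario({7, 8, 9}, grub_cmd=b"linux /vmlinuz init=/bin/sh"))
    print("PCR7, other signed loader:        ", scenario({7}, bootloader=b"other signed loader hash"))
    print("PCR4+7, other signed loader:      ", scenario({4, 7}, bootloader=b"other signed loader hash"))
    print("PCR7+8+9, untouched boot:         ", scenario({7, 8, 9}))
```

Run it and the pattern matches the post: turning Secure Boot off to load an unsigned loader changes PCR 7 and the key will not unseal; a swapped initramfs or edited grub command line slips past a PCR 7-only policy but is caught once PCRs 8 and 9 are in the selection; and a different, still-signed loader is only caught when PCR 4 is bound as well. On real hardware the equivalent binding is done by the TPM itself, and the failure shows up as the recovery-key prompt the post warns you not to answer blindly.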
I use QubesOS with anti evil maid. You have a USB you carry with you (and ensure the safety of) and that verifies the PC, which then proceeds to boot itself.
Does that mean you lose access to your whole computer and all your data if you lose the USB drive? That sounds like a nightmare
You can make multiple, so I have a backup in a secure location.
Decoy laptop.
Nitrokey e.g.