"The /boot partition is still unencrypted, so an attacker can tamper with it. Boot from a CD-R, forbid booting from hard drive (BIOS)."
Do you know a detailed instruction, how to boot a LUKS-encrypted system (even /boot partition is encrypted!) from CD-R?
Thank you.