
#1 2012-09-13 08:37:41

kajman
Member
Registered: 2011-06-18
Posts: 21

Full disk encryption with boot on usb stick.

Hi,

after reading this very interesting article (link here) about going past "full disk encryption" with unencrypted boot I started to think about a better solution.

I know that grub2 can boot directly from live cd. So here's an idea:
- keep the boot partition only on a USB stick, and boot a minimal system iso kept on this USB stick,
- from that iso decrypt the main partition which contains the whole arch system (along with a /boot partition with the newest kernel etc)

The idea with an iso has the advantage that we could easily calculate and show its sha/md5 sum every time the system boots (after a while one would memorize it easily and know if this iso was modified or replaced with some nasty one). Then one could be certain that no one will ever gain access to his (turned off) pc and data. That iso could be backed up anywhere as it contains no private data.

What do you think? Would this be possible? I'm not an expert at grub (or grub-legacy) so I would be grateful for any advice how to get started.

(this is a sort of a followup question to this post of mine)

cheers,
kajman

Offline

#2 2012-09-13 10:04:44

DSpider
Member
From: Romania
Registered: 2009-08-23
Posts: 2,273

Re: Full disk encryption with boot on usb stick.

GRUB Legacy support has been dropped from Arch Linux: http://www.archlinux.org/news/grub-lega … supported/

If you plan on checking the ISO with tools installed on the ISO, then it's not a very good plan. Because someone can tamper with those tools, and make them return whatever hash you memorized - if you can even memorize it, that is. Speaking of which, most people can't memorize more than 7-9 numbers and you plan on remembering the entire SHA1/MD5 hash?


Full disk encryption is a myth. If someone really wants to get to your files (e.g. the government), they will.

- break into your home (a warrant can easily be obtained if there are plausible causes), place a small video camera aiming at the keyboard and boom! They now have your password and any other method you're using to boot your computer.
- break into your home, open up the computer and place a small keylogger-like device on one of the motherboard's additional USB ports, that reflashes the BIOS in such a way that no OS can detect it. You won't even know it's there.
- heck, they don't even have to break in. There's a podcast called SecurityNow that described a method to bounce back fricken lasers from windows and walls from miles away to "listen in" on keyboard strokes. The algorithm was released as open-source and it was freakishly accurate (somewhere around 90%).

http://berkeley.edu/news/media/releases … _key.shtml (from 2005, I imagine that it was improved by now)
http://www.pcworld.com/article/161166/a … n_air.html


Be paranoid, but not too much. My advice is to just use a TrueCrypt container for whatever important information you may have. If this is a laptop we're talking about, I probably wouldn't encrypt it, if I ever want it back: http://www.youtube.com/watch?v=U4oB28ksiIo

Last edited by DSpider (2012-09-13 10:06:23)


"How to Succeed with Linux"

I have made a personal commitment not to reply in topics that start with a lowercase letter. Proper grammar and punctuation is a sign of respect, and if you do not show any, you will NOT receive any help (at least not from me).

Offline

#3 2012-09-13 11:00:32

kajman
Member
Registered: 2011-06-18
Posts: 21

Re: Full disk encryption with boot on usb stick.

Thanks, I know about grub legacy.

About the sha1 - I thought of memorizing like the 3 first and 3 last letters (not learning it right away, but memorizing it after some time just by looking at it every boot).

Other methods you describe require additional (and expensive) equipment and good preparation. I think someone should do some really nasty stuff to attract such "attention".

As for the iso thing - it may be overkill as you describe - but I think that booting from usb only is a good idea. I could carry it with my keys, so it would always be with me - it wouldn't be easy to tamper with.

Why do people recommend TrueCrypt lately? Why would it be better than using LUKS and encrypting the /home partition or the whole disk?

Thanks for your reply.

Offline

#4 2012-09-13 11:13:26

jjacky
Member
Registered: 2011-11-09
Posts: 347
Website

Re: Full disk encryption with boot on usb stick.

Why would you want a full system on your usb? As the post you linked to said, the /boot partition is enough: It's not been tampered with because you have it on you always, and everything on your PC is encrypted. That's it.

(I believe the wiki also has some info (and a link to an AUR package) about a script that allows people to check the content of their /boot partition on boot, to ensure nothing's been modified in any way.)

Offline

#5 2012-09-13 12:06:28

kajman
Member
Registered: 2011-06-18
Posts: 21

Re: Full disk encryption with boot on usb stick.

What I meant was to have a separate, read-only, not-updatable boot and system on usb - needed just to run the real system which is fully encrypted. Maybe this layout is too complicated and a whole system just to boot another system is unnecessary.

Having boot as you describe would not allow me to do btrfs snapshots of my whole (including boot) filesystem, which I'd really like to have. That's where everything began - I wanted to have a btrfs filesystem on the root partition (including /boot) so snapshotting will be possible, but I also wanted to have everything encrypted. I couldn't manage to configure grub this way though, and this is another idea to accomplish roughly the same thing (but with some additional precautions).

Offline

#6 2012-09-16 21:08:53

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,152

Re: Full disk encryption with boot on usb stick.

Why is encrypting a laptop a bad idea? (I was thinking maybe I should do this so I would especially like to know if I ought not.) I thought it was usually particularly recommended for laptops?

@kajman,
Do you really plan to carry your only copy of the USB around with you? If not - if you make backups in other places as you originally suggested - then you may know that your copy hasn't been tampered with, but the other copies will be vulnerable to being used by others (or tampered with by others), won't they?


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#7 2012-09-17 05:33:46

DSpider
Member
From: Romania
Registered: 2009-08-23
Posts: 2,273

Re: Full disk encryption with boot on usb stick.

cfr wrote:

Why is encrypting a laptop a bad idea? (I was thinking maybe I should do this so I would especially like to know if I ought not.) I thought it was usually particularly recommended for laptops?

Here's why: http://www.youtube.com/watch?v=U4oB28ks … ge#t=1000s


Offline

#8 2012-09-17 11:10:46

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Full disk encryption with boot on usb stick.

I have my full disk encrypted with LUKS/dm-crypt aes-xts-plain64 and use the AES-NI module which my CPU supports (otherwise I'd use twofish). With AES-NI I get > 220MB/sec read, > 200MB/sec write.

I have my SSD with a single GPT partition. This partition is encrypted, then I put LVM on top. Then I have a usb stick with an MBR and my /boot partition on that. I then simply installed grub2-bios onto the usb stick (this also saved me the trouble of the whole GPT and GRUB2 problem). I set the "noauto" mount flag for the /boot partition in the fstab. This way I can just take it out after boot up.

I figure I may leave my laptop at home or it may get stolen, however the usb stick will always be in my pocket. I also have an SD card that is encrypted. What I do is I also have AIDE installed and I store the integrity database on the encrypted SD card, which is only mounted when running AIDE. This way I may not be able to stop the files on the usb stick (or the rest of the file-system) from being modified, however I'll know if they are.

The best solution is to create a GRUB2 rescue CD. That way your unencrypted /boot partition is on read-only media, which is even better than encrypted (there is no need to hide the kernel, just protect it). You can read how I did it before here. However, my new X230 does not have an optical drive.

https://bbs.archlinux.org/viewtopic.php?id=144100

Last edited by hunterthomson (2012-09-17 11:14:42)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline
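An added example of the /boot integrity check that posts #4 and #8 describe (not code from the thread, the wiki script or hunterthomson's AIDE setup): a POSIX shell manifest built with sha256sum, assuming GNU coreutils and a constructed /boot tree for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: hash an unencrypted /boot tree into
# a manifest and re-check it at boot, like the AIDE setup and the wiki script
# mentioned above. File names are constructed for the demo. Keep the manifest
# and this script on media the attacker cannot reach (encrypted root or SD
# card); stored beside /boot, both can be regenerated along with a tampered
# /boot, which is the objection raised in post #2.

# boot_manifest_create BOOT_DIR MANIFEST
#   Hashes every regular file under BOOT_DIR, paths relative to BOOT_DIR so
#   the manifest does not depend on where the stick is mounted.
boot_manifest_create() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2 > "$2"
}

# boot_manifest_verify BOOT_DIR MANIFEST
#   0 only if every listed file is unchanged and nothing was added; a changed,
#   missing or unlisted file (say an extra GRUB module) gives 1 and names it.
boot_manifest_verify() {
    dir=$1 manifest=$2 status=0
    case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac
    # sha256sum -c prints one line per file; any line that is not ": OK" fails.
    if ( cd "$dir" && sha256sum -c "$manifest" 2>&1 ) | grep -v ': OK$' >&2; then
        status=1
    fi
    # Files present now that the manifest never listed (awk loads manifest paths first).
    extra=$( cd "$dir" && find . -type f |
             awk 'NR == FNR { seen[$2] = 1; next } !($0 in seen)' "$manifest" - )
    if [ -n "$extra" ]; then
        printf 'not in manifest: %s\n' $extra >&2
        status=1
    fi
    return $status
}

# boot_manifest_demo: constructed /boot in a temp dir; 0 only if the clean tree
# verifies and a modified initramfs plus an added file are both caught.
boot_manifest_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/boot/grub"
    printf 'constructed kernel\n'    > "$work/boot/vmlinuz-linux"
    printf 'constructed initramfs\n' > "$work/boot/initramfs-linux.img"
    printf 'set timeout=5\n'         > "$work/boot/grub/grub.cfg"
    boot_manifest_create "$work/boot" "$work/boot.sha256"
    boot_manifest_verify "$work/boot" "$work/boot.sha256" || { rm -rf "$work"; return 1; }
    printf 'changed\n' >> "$work/boot/initramfs-linux.img"; : > "$work/boot/grub/extra.mod"  # simulate tampering
    boot_manifest_verify "$work/boot" "$work/boot.sha256" 2>/dev/null && { rm -rf "$work"; return 1; }
    rm -rf "$work"
}

boot_manifest_demo && echo "demo: clean tree verified, tampering detected"
```

Run it from the encrypted root after unlocking (for instance from a systemd unit or a shell profile) and refuse to continue when it returns non-zero.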

#9 2012-09-17 11:43:31

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Full disk encryption with boot on usb stick.

There is also some way of using the TPM chip in your computer to hash whatever files you like, i.e. your kernel & initramfs. If it finds the hash does not match, it will not allow the computer to boot.

Sure, if the NSA really wants your data they can find a way to get it. All anyone can ever do is mitigate a security risk. If you use full disk encryption they would have to go to extreme measures to get the key. They can no longer just on a whim take your drive and get all the contents. They have to plan it out, which is 'less' likely.

Also, in the USA you don't have to give up your key in criminal court, civil court yes. Also, if you get on a plane, leave your drive at home and just take a bootable USB stick, then SSH back home to get your files on the road. I'd also put in a different hdd with Windows installed, so you don't stand out as the guy with no hdd. But like Jacob Appelbaum says, you best not even use that computer ever again because, ya, they can just modify the BIOS or who knows what else.

All NSA talk aside, full disk should be standard for everyone. People lose laptops all the time and laptops get stolen. Do you really trust a guy who steals laptops with all your data? As long as your CPU supports AES-NI there is no performance hit.

Last edited by hunterthomson (2012-09-17 11:44:22)


Offline
