
#1 2015-08-12 23:59:12

exap
Member
Registered: 2015-08-12
Posts: 14

Can you even fully encrypt a system?

I want to install Arch on my PC and therefore I am doing a lot of research about Linux.

I'd like to be safe against attackers who have local access to my computer for an arbitrarily long time. Just imagine that I am on holiday for several weeks.

The first solution that comes to my mind is encrypting as much as possible. If I've understood the following correctly (and I'm really not sure about this), you cannot encrypt the partition you're booting from. From a security point of view this is pretty bad, because a local attacker could change that partition with ease. Why would you even encrypt your drives if someone could modify your Grub or Linux so that it waits for me to enter the password and stores it somewhere in cleartext? Sure, this common approach makes things harder but not impossible. I just want to do things right.

So, my questions are:
1. Am I right so far?
2. Is there a (uncommon but) relatively easy way that allows me to encrypt the boot partition?
3. A really elaborate solution could be to outsource an unencrypted boot loader to a USB stick. Do you think that this is the only way to get this level of security? Anyway, I really hope that I don't have to do that. (But I would.)

Last edited by exap (2015-08-13 00:30:55)


#2 2015-08-13 00:01:28

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Can you even fully encrypt a system?

Welcome to the Arch Linux forum :-)
Have a look at https://wiki.archlinux.org/index.php/Disk_encryption


#3 2015-08-13 00:10:23

yuannan
Member
Registered: 2015-08-12
Posts: 15

Re: Can you even fully encrypt a system?

.

Last edited by yuannan (2023-01-06 04:34:35)


#4 2015-08-13 04:25:33

Stebalien
Member
Registered: 2010-04-27
Posts: 1,237

Re: Can you even fully encrypt a system?

Physical access means the system is compromised. If your data is encrypted, it should be safe but you can never trust the system again. For all you know, it could be physically bugged (physical key logger, etc.).



#5 2015-08-13 04:38:48

bleach
Member
Registered: 2013-07-26
Posts: 264

Re: Can you even fully encrypt a system?

what stebalien said.

You can though put the boot on a stick so it is a removable bootloader and what not.


#6 2015-08-13 16:06:31

exap
Member
Registered: 2015-08-12
Posts: 14

Re: Can you even fully encrypt a system?

This answers my first question: I was right so far. But the page also says this:

A very strong disk encryption setup (e.g. full system encryption with authenticity checking and no plaintext boot partition) is required to stand a chance against professional attackers who are able to tamper with your system before you use it.

There is no explanation of what that "very strong disk encryption setup" with "no plaintext boot partition" actually is. I'd be pretty happy to have more information about that setup.

These techniques don't prevent someone from removing the disk and plugging it into another computer. In this sense these passwords are useless.

Stebalien wrote:

Physical access means the system is compromised. If your data is encrypted, it should be safe but you can never trust the system again. For all you know, it could be physically bugged (physical key logger, etc.).

That's true. But first things first: I'd be really happy if my computer itself were safe.

bleach wrote:

You can though put the boot on a stick so it is a removable bootloader and what not.

Is there any tutorial/guide that explains how you could actually do that?

Last edited by exap (2015-08-13 16:07:06)


#7 2015-08-13 16:13:11

frostschutz
Member
Registered: 2013-11-15
Posts: 1,421

Re: Can you even fully encrypt a system?

exap wrote:

"very strong disk encryption setup"

LUKS

exap wrote:

"no plaintext boot partition"

You can use USB sticks for /boot and keep that USB stick about your person. Hard to modify if you're guarding it. In combination with encrypted keyfiles on USB you are also safe against standard keyloggers. They will log the password for the key they don't have, instead of the password for the disk they copied in your absence.

Otherwise there is no such thing; you can move this complexity into the boot loader but then people can just tamper with the boot loader instead of the boot partition.

If you are on a Secure Boot system you could try signing things but then you are trusting closed hardware platforms.

It's extremely difficult if not impossible to safeguard against hands-on modification to your stuff.


#8 2015-08-13 17:32:20

exap
Member
Registered: 2015-08-12
Posts: 14

Re: Can you even fully encrypt a system?

frostschutz wrote:
exap wrote:

"no plaintext boot partition"

You can use USB sticks for /boot and keep that USB stick about your person. Hard to modify if you're guarding it. In combination with encrypted keyfiles on USB you are also safe against standard keyloggers. They will log the password for the key they don't have, instead of the password for the disk they copied in your absence.

Then the wording in the wiki is kind of unclear, because technically that's also a plaintext boot partition. But how would you actually do that? How can I configure a bootloader like Grub to boot from my main drive? If it were possible to put Linux not on the USB but on my main drive, I could even remove the USB after booting.

frostschutz wrote:

LUKS

Thank you. I'll give it a try. But given that I want to travel with my PC, LUKS isn't the perfect choice due to its detectable format:

A government entity, which not only has the resources to easily pull off the above attacks, but also may simply force you to give up your keys/passphrases using various techniques of coercion. In most non-democratic countries around the world, as well as in the USA and UK, it may be legal for law enforcement agencies to do so if they have suspicions that you might be hiding something of interest.

Last edited by exap (2015-08-13 17:34:20)


#9 2015-08-13 17:36:54

progandy
Member
Registered: 2012-05-17
Posts: 5,202

Re: Can you even fully encrypt a system?

exap wrote:
frostschutz wrote:

LUKS

Thank you. I'll give it a try. But given that I want to travel with my PC, LUKS isn't the perfect choice due to its detectable format:

A government entity, which not only has the resources to easily pull off the above attacks, but also may simply force you to give up your keys/passphrases using various techniques of coercion. In most non-democratic countries around the world, as well as in the USA and UK, it may be legal for law enforcement agencies to do so if they have suspicions that you might be hiding something of interest.

Think about LUKS with a detached header.
https://wiki.archlinux.org/index.php/Dm … UKS_header



#10 2015-08-13 17:59:38

frostschutz
Member
Registered: 2013-11-15
Posts: 1,421

Re: Can you even fully encrypt a system?

Any kind of encryption is detectable. No one else carries terabytes of "random data" around. But see also the LUKS FAQ on plausible deniability.

I even could remove the USB after booting.

With grub, linux kernel and linux initramfs on a stick, you can remove the stick as soon as kernel messages start appearing on screen, before it asks you for the password.

Only need to reconnect the stick for kernel updates.


#11 2015-08-18 13:03:24

exap
Member
Registered: 2015-08-12
Posts: 14

Re: Can you even fully encrypt a system?

Is it possible to boot Grub from the USB through both UEFI and BIOS and let it open the encrypted file system, with Linux on that encrypted file system (so only Grub and the key are on the USB)?

How can I ensure that I won't lose my encryption key? Imagine that I lost my USB stick. If it is a good idea to have copies of your encryption key, where should I store them?

On this occasion, I'd really like to encrypt my laptop too. Is it a good idea to use the same encryption key if I use the same USB stick to store the keys?


#12 2015-08-18 14:24:40

mpan
Member
Registered: 2012-08-01
Posts: 1,211

Re: Can you even fully encrypt a system?

Let's assume for a moment that you have managed to get a perfectly secure solution for your disk. Now ask yourself: can you verify BIOS/UEFI? Are you carrying your keyboard around, and do you have some strange keyboard that creates a secure communication channel between itself and the disk encryption software? Most probably the answer is: no. As was said earlier: if someone has unrestricted physical access to your machine, it is compromised. Period.

Think more about using a decent disk encryption setup to protect your data and, if you need more security, about detecting and preventing physical access to your hardware. I mean: a silent alarm system on the door, one or two hidden cameras and a good lock are most probably a better solution than thinking about how to make unbreakable disk encryption.



#13 2015-08-18 14:39:04

exap
Member
Registered: 2015-08-12
Posts: 14

Re: Can you even fully encrypt a system?

mpan wrote:

As was said earlier: if someone has unrestricted physical access to your machine, it is compromised. Period.

Think more about using a decent disk encryption setup for protecting your data[...]

That's totally true. But why should I then encrypt my drives anyway? According to your argumentation, what real benefits do I have from encryption (since it can be compromised through physical access)?


#14 2015-08-18 14:44:13

frostschutz
Member
Registered: 2013-11-15
Posts: 1,421

Re: Can you even fully encrypt a system?

exap wrote:

How can I ensure that I won't loose my encryption key?

With LUKS you can have up to 8 passwords / keys.

So the USB stick solution is what you use for everyday unlocking.

And another password only you know is the backup for the case your USB stick stopped working or was stolen / lost.

Also unrelated to that you should always have one or more backups of your files, since the HDD or whatever you have encrypted, can fail or be stolen, too.

But why should I then encrypt my drives anyway?

Just because anyone can smash in the door window and hotwire your car doesn't mean you should leave it unlocked with the key in the ignition...

Last edited by frostschutz (2015-08-18 14:45:53)

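As an added example (not from the thread or from cryptsetup itself), a small audit of `cryptsetup luksDump` output for the policy frostschutz describes: one slot for the everyday USB keyfile and a second slot for a recovery passphrase only you know. The dump text is constructed, and the function names are my own.

```python
import re

# One line per slot in LUKS1 luksDump output, e.g. "Key Slot 3: DISABLED".
SLOT_RE = re.compile(r"^Key Slot (\d): (ENABLED|DISABLED)[ \t]*$", re.MULTILINE)
MAX_SLOTS = 8  # a LUKS1 header holds exactly eight key slots


def parse_keyslots(dump_text):
    """Map slot number -> True when enabled; reject incomplete dumps."""
    slots = {int(n): state == "ENABLED" for n, state in SLOT_RE.findall(dump_text)}
    if sorted(slots) != list(range(MAX_SLOTS)):
        raise ValueError(f"expected {MAX_SLOTS} key slot lines, found {len(slots)}")
    return slots


def audit_keyslots(dump_text):
    """Return (enabled slot numbers, warnings) for the everyday + recovery policy."""
    enabled = sorted(n for n, on in parse_keyslots(dump_text).items() if on)
    warnings = []
    if len(enabled) < 2:
        warnings.append("only one key slot enabled: a lost or failed USB keyfile "
                        "locks you out; add a recovery passphrase in a second slot")
    if len(enabled) == MAX_SLOTS:
        warnings.append("all eight slots in use: no free slot left to rotate a key")
    return enabled, warnings


# Constructed luksDump excerpt (not captured from a real device):
# slot 0 = keyfile kept on the USB stick, slot 1 = recovery passphrase.
SAMPLE_DUMP = """\
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256

Key Slot 0: ENABLED
        Iterations:             321987
        Salt:                   (omitted in this constructed sample)
Key Slot 1: ENABLED
        Iterations:             298114
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""

if __name__ == "__main__":
    print(audit_keyslots(SAMPLE_DUMP))
```

On a real system the input would be the output of `cryptsetup luksDump` run as root against the encrypted device.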

#15 2015-08-18 15:19:18

mpan
Member
Registered: 2012-08-01
Posts: 1,211

Re: Can you even fully encrypt a system?

exap wrote:

That's totally true. But why should I then encrypt my drives anyway? According to your argumentation, what real benefits do I have from encryption (since it can be compromised through physical access)?

Because you may lose control over your disk and then someone may read your data. Examples:

  • The most common: at some point you need to throw away your disk.

  • Your computer may be stolen.

  • Your computer or disk may be lost. This does not apply only to notebooks — this can happen for example when you're moving from one place to another.

  • Your PC may be seized by police or other institution.

  • Your computer may be confiscated by the army if they need it (at least in some countries).



#16 2015-08-18 16:32:54

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: Can you even fully encrypt a system?

Recent versions of grub have the ability to work with an encrypted /boot partition...
https://wiki.archlinux.org/index.php/Dm … .28GRUB.29



#17 2015-08-18 17:00:53

frostschutz
Member
Registered: 2013-11-15
Posts: 1,421

Re: Can you even fully encrypt a system?

slithery wrote:

Recent versions of grub have the ability to work with an encrypted /boot partition...

The number of problems this solves is very close to 0. GRUB is open source, it can be replaced with something malicious just as a kernel or initramfs can be replaced in the unencrypted /boot setup. You just moved the problem to a different bit of code.

Maybe if the GRUB itself was somehow protected by something else (UEFI? Secure Boot?) but you're trusting hardware at that point.


#18 2015-09-03 12:14:57

exap
Member
Registered: 2015-08-12
Posts: 14

Re: Can you even fully encrypt a system?

I installed Arch and everything is running fine. My /boot is located on a USB. On that /boot there is Linux, initramfs and a provisional UEFI startup.nsh script. My / is the encrypted HDD.

But as someone said before, even though people with physical access can't change my HDD they could just change my BIOS/UEFI. Is there any way to protect my UEFI? If there was the possibility to hash the storage of the chip that contains UEFI, I could check if my UEFI stayed the same.

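A defender's check for the setup described above (kernel, initramfs and startup.nsh on an unencrypted USB /boot), as an added example that is not from the thread: record SHA-256 digests of the stick's files while it is known good, keep that manifest on the encrypted root, and re-check from the booted system. The file names are assumed from the post and the sample files are constructed in a temporary directory.

```python
import hashlib
import hmac
import os
import tempfile

# Names follow the setup in the thread: kernel, initramfs, UEFI startup script.
BOOT_FILES = ("vmlinuz-linux", "initramfs-linux.img", "startup.nsh")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(boot_dir):
    """Digest every regular file under boot_dir; store the result on the encrypted root."""
    manifest = {}
    for root, _dirs, files in os.walk(boot_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, boot_dir)] = sha256_file(full)
    return manifest

def verify_boot(boot_dir, manifest):
    """Return sorted (changed, missing, unexpected) paths relative to boot_dir."""
    current = build_manifest(boot_dir)
    changed = [p for p in manifest if p in current
               and not hmac.compare_digest(manifest[p], current[p])]
    missing = [p for p in manifest if p not in current]
    unexpected = [p for p in current if p not in manifest]
    return sorted(changed), sorted(missing), sorted(unexpected)

def demo():
    """Constructed stand-in for the stick; exercises all three kinds of finding."""
    with tempfile.TemporaryDirectory() as boot:
        for name in BOOT_FILES:
            with open(os.path.join(boot, name), "wb") as f:
                f.write(b"constructed " + name.encode())
        baseline = build_manifest(boot)      # taken while the stick is known good
        clean = verify_boot(boot, baseline)  # nothing changed yet
        with open(os.path.join(boot, "initramfs-linux.img"), "ab") as f:
            f.write(b"\x00")                 # a modified file
        os.remove(os.path.join(boot, "startup.nsh"))          # a removed file
        open(os.path.join(boot, "extra.efi"), "wb").close()   # an added file
        return clean, verify_boot(boot, baseline)

if __name__ == "__main__":
    print(demo())
```

As the replies point out, this only detects changes to the files on the stick; it says nothing about firmware or hardware, and it is only meaningful when run from a system you already trust, not from the initramfs it is checking.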

#19 2015-09-03 19:25:29

progandy
Member
Registered: 2012-05-17
Posts: 5,202

Re: Can you even fully encrypt a system?

exap wrote:

But as someone said before, even though people with physical access can't change my HDD they could just change my BIOS/UEFI. Is there any way to protect my UEFI? If there was the possibility to hash the storage of the chip that contains UEFI, I could check if my UEFI stayed the same.

Put your computer case in a locked safe or at least put a security seal on it so you can detect tampering attempts. Otherwise, someone can reset your UEFI or if that is impossible, simply replace the whole motherboard.

Last edited by progandy (2015-09-03 19:27:53)



#20 2015-09-22 06:46:47

jamdox
Member
Registered: 2015-05-02
Posts: 46

Re: Can you even fully encrypt a system?

I want to bump this thread first because it seems pretty anti-encryption, which looks like sour grapes, and sour grapes are unacceptable.

Second, I'm trying to get a whole-disk encryption setup with an lvm inside the encrypted partition.  I have followed the guides and tried various things, and the system still hangs at "loading initial ramdisk".

Do I need to make a separate boot partition that is not part of the lvm?  I had assumed adding the various flags to grub and mkinitcpio would enable my current setup.


#21 2015-09-22 07:21:26

esa
Member
Registered: 2011-12-29
Posts: 143

Re: Can you even fully encrypt a system?

@jamdox: yes



#22 2015-09-22 07:26:36

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: Can you even fully encrypt a system?



#23 2015-09-22 07:57:39

esa
Member
Registered: 2011-12-29
Posts: 143

Re: Can you even fully encrypt a system?

Encryption
+-LVM
|+-/boot
|+-/

I fail to understand how to boot. As in: where is the kernel that one is supposed to pass arguments to being read from, with the decryption undone and /boot not loaded/mounted?
The 'LVM' part of the wiki doesn't clear that up, to my understanding.

Saying (afaik and/or as far as I understand it):
While GRUB is 'installed' to 'mbr/gpt', it requires the user to pass arguments to the kernel.
The kernel resides in /boot, which is in an LVM, which is within an encryption.
So, how do you pass arguments to something that is not available, to unlock what you need access to in order to unlock it?

Please enlighten me.
(EDIT: or is it all about that mkinitcpio, which I haven't played with yet?)

Last edited by esa (2015-09-22 07:59:51)



#24 2015-09-22 08:25:05

jamdox
Member
Registered: 2015-05-02
Posts: 46

Re: Can you even fully encrypt a system?

jasonwryan wrote:

Reading over it again, it looks like the boot partition can't be in the lvm.

So I guess you can either encrypt your whole disk but not have it be an lvm, or have your whole disk be in an lvm but not encrypt it.

Seems odd.

Offline

#25 2015-09-22 09:35:18

esa
Member
Registered: 2011-12-29
Posts: 143

Re: Can you even fully encrypt a system?

You can still encrypt / (swap) and /home in your lvm.
Or you can encrypt the lvm as a whole, but must have an 'external' /boot.

At least that is my experience.

Last edited by esa (2015-09-22 09:35:48)


