
#1 2020-01-04 17:03:21

fatal_error
Member
Registered: 2020-01-04
Posts: 9

[SOLVED] New FDE install with USB stick

Hello all,

My starting situation is as follows: Windows 10 is installed on the single internal hard drive, so an EFI System Partition is already in place. There is plenty of space left on the drive for dual-booting with Arch. As I do not trust the Windows 10 installation, I would like to install Arch with Full Disk Encryption (LVM on a single LUKS partition) and leave as little information as possible in plaintext. I have discovered some guides that encrypt the root filesystem; however, none of them seem to care much about the unencrypted /boot partition, which includes the most sensitive "application" of all - the kernel. This seems not right to me, so my idea is to put /boot on an external USB stick, including a key file that should unlock the encrypted LUKS partition. Also, if possible, I would like to forego the GRUB installation and let EFI boot the kernel directly. I like the simplicity of this approach: no password required to unlock the LUKS partition, and no unencrypted /boot present in the system when Windows is booted (provided the USB stick is removed, of course). Also no GRUB required. So I guess my questions are as follows:

* EFI System Partition: do I need to create a new one on the USB stick? Or can I configure the existing EFI System partition so that it attempts to boot from the USB stick first?
* Is it enough to just mount the USB stick and use it as the /boot partition in the installation process? Or are there any other steps involved?
* What are the required steps to create a keyfile (instead of a password) for the LUKS partition?
* As an optional additional security challenge: would it make sense to password-protect the keyfile on the USB stick? E.g. something involving gpg (I guess). If so, how would I go about that?
* And finally: do you have any other suggestions? Any obvious security red flags I'm missing here? Just for information: plausible deniability is no concern here, it's simply "make data as unavailable as possible from Windows".

Thanks in advance!

Last edited by fatal_error (2020-01-10 12:41:20)


#2 2020-01-04 19:46:44

frostschutz
Member
Registered: 2013-11-15
Posts: 978

Re: [SOLVED] New FDE install with USB stick

I use custom hooks for LUKS-encrypted keyfiles on USB /boot stick. gpg is popular too, I guess, but I find it a pain to put in initramfs and why add another encryption tool when you already have one...?

Old post about it: https://bbs.archlinux.org/viewtopic.php … 1#p1502651

Keyfiles can be simple (same as passphrase really):

pwgen 32 1 > keyfile # generate random ascii, e.g. Thaimeeng3ua4Toasha4een7luyai5ee
truncate -s 32 keyfile # remove newline at the end

That's a keyfile you can also type manually in an emergency. Safety provided by LUKS anti-bruteforce measures.

This avoids some confusion about cryptsetup passphrase processing, which is different when manually typed, read from stdin, or read from a keyfile option or argument (see man cryptsetup, notes on passphrase processing).

Or you make full blown random keyfiles:

head -c 32 /dev/urandom > keyfile # random data, 05 61 7e 60 19 25 1b da ...

A random binary data keyfile must be used correctly (use --key-file or keyfile argument). Never read it from stdin, impossible to type.

One possible advantage of a truly random, high-entropy passphrase is that you could disable LUKS anti-bruteforce for it (mostly superfluous once you have >128 bits of entropy) and maybe boot 2 seconds faster.

it's simply "make data as unavailable as possible from Windows".

With this kind of boot stick, you can unplug it as soon as kernel messages appear (by the time kernel + initrd is loaded), long before entering the passphrase (you'd have to plug it in for kernel updates, obviously).

And that's great; the only problem is that in the long run, laziness wins and you just leave it. And the data itself is still on disk, and by default that also includes the LUKS header, so Windows malware could in theory look for LUKS headers on all your partitions, encrypt them and ransom money...

Have backups... and apply common sense when using Windows.

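An added shell example (mine, not frostschutz's commands or anything from the wiki) that reproduces the two keyfile recipes from the post above and makes the newline point checkable: pwgen is replaced by tr over /dev/urandom, the functions only create files and never call cryptsetup, and the file paths are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not from the thread: the ASCII and binary keyfile recipes
# from frostschutz's post, plus the newline check the ASCII variant relies on.
# Assumptions: POSIX sh, /dev/urandom, coreutils (head, tr, wc, od, tail, truncate).

# ASCII keyfile, like "pwgen 32 1 > keyfile; truncate -s 32 keyfile":
# 32 characters from a typeable alphabet, plus a trailing newline that is
# then cut off. pwgen is not required; tr over /dev/urandom does the same job.
make_ascii_keyfile() {
    out="$1"
    umask 077                        # keyfile readable by its owner only
    { LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32; printf '\n'; } > "$out"
    truncate -s 32 "$out"            # drop the newline, exactly as in the post
}

# Binary keyfile, like "head -c 32 /dev/urandom > keyfile": 32 raw bytes
# (256 bits). Only usable via --key-file or the keyfile argument; it cannot
# be typed at a prompt and must never be fed through stdin.
make_binary_keyfile() {
    out="$1"
    umask 077
    head -c 32 /dev/urandom > "$out"
}

# Byte count of a file: this is exactly what cryptsetup consumes when the
# file is given with --key-file (no trimming of any kind).
keyfile_size() {
    wc -c < "$1" | tr -d ' '
}

# Succeeds if the last byte is a newline. A trailing newline becomes part of
# the key when read via --key-file but is stripped when the same text is typed
# at a prompt: that mismatch is why the post truncates the pwgen output.
has_trailing_newline() {
    [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Remove one trailing newline in place, if present.
strip_newline() {
    if has_trailing_newline "$1"; then
        size=$(keyfile_size "$1")
        truncate -s $((size - 1)) "$1"
    fi
}

# Succeeds if the file holds only printable ASCII, i.e. could be typed by
# hand in an emergency (true for the ASCII recipe, false for the binary one).
is_typeable() {
    [ -z "$(LC_ALL=C tr -d '[:print:]' < "$1")" ]
}
```

Run `make_ascii_keyfile /path/on/stick/keyfile` (or the binary variant) and then `keyfile_size` and `has_trailing_newline` against the result before adding it with `cryptsetup luksAddKey`; the size must be exactly 32 and the ASCII file must have no newline, otherwise the bytes you later type at a prompt will not match the bytes the initramfs reads from the file.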

#3 2020-01-05 20:38:16

fatal_error
Member
Registered: 2020-01-04
Posts: 9

Re: [SOLVED] New FDE install with USB stick

Thanks for that prompt reply frostschutz, it proved really helpful! I did not really get what you mean by LUKS anti-brute-force measures? Which arguments (I guess to luksFormat) would that be? The forum link you provided led me to the following Wiki articles, which I've been following roughly:

* https://wiki.archlinux.org/index.php/Dm … VM_on_LUKS
* https://wiki.archlinux.org/index.php/Dm … der_on_USB

While the former is all clear to me (I'll take the LVM on LUKS route as described for the main hard drive), the latter led to some open questions for me:

What's the purpose of having a separate EFI and /boot partition on the USB stick and then encrypting /boot? I mean, if the stick gets stolen/tampered with, it's all over. A sophisticated attacker could just tamper with either GRUB or the EFI stub kernel in the EFI partition (which cannot be encrypted), right? Also the whole "LUKS-formatting the key file" leaves me a bit confused. So what's the whole purpose of encrypting /boot (which resides on the very same USB stick) in this scenario? I guess an argument could be made for self-signed kernels with UEFI Secure Boot enabled, but that's not the route I want to go. Instead, my current setup is going to look like this:

Main Drive: 3 LVM Volumes (Swap, Root, Home) on a single LUKS-encrypted partition
USB Stick: a single (rather big) EFI System Partition that will hold the Kernel/Initial RAM Disk alongside the key file to the LUKS partition. Additionally I decided to also go with a detached LUKS header, which will also reside in the EFI System Partition on the stick.

Do you see any No-Gos/Problems with that setup?

Thanks again for the help!

Last edited by fatal_error (2020-01-05 20:40:07)


#4 2020-01-10 12:41:01

fatal_error
Member
Registered: 2020-01-04
Posts: 9

Re: [SOLVED] New FDE install with USB stick

I mark this as solved - I went with the variant described above:

* a single LUKS-encrypted partition. On top of that, three LVM volumes for root, home and swap.
* The EFI System Partition, the detached LUKS header and the key file for the LUKS partition all reside on a USB stick.
* the EFI System Partition is mounted under /boot

The ESP (/boot) itself is not encrypted, neither is the key file. Both things could be achieved for those with extra security needs, however I'm fine with the situation as it is.

Last edited by fatal_error (2020-01-10 12:42:41)

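An added pre-reboot sanity check, not part of the thread and not anyone's script from it, for the layout described in this post: it verifies that the file you point it at really is a LUKS header (the "LUKS" 0xba 0xbe magic and a version of 1 or 2 that both LUKS formats start with), that the keyfile is non-empty and at least 32 bytes, and that both live on the same filesystem as the ESP directory, i.e. on the stick and not accidentally on the internal drive. It only reads files, so it runs offline on constructed input; all paths are the caller's.

```shell
#!/bin/sh
# Added example, not from the thread: check that the detached LUKS header and
# keyfile an EFISTUB setup depends on are well-formed and located on the ESP.
# Assumptions: POSIX sh on Linux, coreutils (dd, od, tr, wc, stat).

# Print `count` bytes of `file` starting at `offset` as lowercase hex.
hex_at() {  # file offset count
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# A LUKS header (detached or not) begins with "LUKS" 0xba 0xbe followed by a
# 2-byte big-endian version. Prints 1 or 2, fails for anything else.
luks_header_version() {
    [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ] || return 1
    case "$(hex_at "$1" 6 2)" in
        0001) echo 1 ;;
        0002) echo 2 ;;
        *)    return 1 ;;
    esac
}

# The keyfile must be readable and hold at least 32 bytes (256 bits, the size
# both recipes in this thread produce). No mode check: on a vfat ESP the mode
# comes from the mount options, not from the file.
check_keyfile() {
    [ -r "$1" ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -ge 32 ]
}

# Two paths are on the same filesystem when stat reports the same device id.
same_filesystem() {
    [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

# Combined check: esp_dir is the mounted ESP (here /boot), header and keyfile
# are the files the initramfs will read. Returns 0 only if everything passes.
check_boot_stick() {  # esp_dir header keyfile
    esp=$1; header=$2; key=$3
    [ -d "$esp" ] || { echo "ESP directory missing: $esp"; return 1; }
    ver=$(luks_header_version "$header") || { echo "not a LUKS header: $header"; return 1; }
    check_keyfile "$key" || { echo "unusable keyfile: $key"; return 1; }
    for f in "$header" "$key"; do
        same_filesystem "$esp" "$f" || { echo "$f is not on the ESP filesystem"; return 1; }
    done
    echo "ok: LUKS$ver header and keyfile present on $esp"
}
```

Run `check_boot_stick /boot /boot/header.img /boot/keyfile` (replace the names with yours) with the stick plugged in before the first reboot; a failing header check usually means the wrong file was copied, and a failing filesystem check means one of the two files ended up outside the ESP, which is exactly the leak the whole setup is meant to avoid.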

#5 2020-01-10 13:36:53

mxfm
Member
Registered: 2015-10-23
Posts: 156

Re: [SOLVED] New FDE install with USB stick

fatal_error wrote:

I mark this as solved - I went with the variant described above:

* a single LUKS-encrypted partition. On top of that, three LVM volumes for root, home and swap.
* The EFI System Partition, the detached LUKS header and the key file for the LUKS partition all reside on a USB stick.
* the EFI System Partition is mounted under /boot

The ESP (/boot) itself is not encrypted, neither is the key file. Both things could be achieved for those with extra security needs, however I'm fine with the situation as it is.

The obvious flaw with this setup is that the keyfile is not encrypted. The boot process can be hardened if you use GRUB (because it allows detached headers and an encrypted key), but I see it contradicts this:

Also, if possible I would like to forego the Grub installation and let just EFI boot the Kernel directly.
