You are not logged in.

#1 2018-11-25 23:43:09

liquidMercury
Member
Registered: 2014-03-30
Posts: 5

Encrypt a disk such that it can only be unlocked by a unique hardware

I am working on a computer setup where common users will be in hold of the hardware for extended periods of time and I want to prevent them from getting root access in as many ways as possible.

As of now, I have restricted the computer from booting unauthorized devices and disabled users to edit the boot parameters. However, someone may still physically move the disk to another computer and access it from there.

I have looked into different ways of disk encryption but everything I find seems to assume that users with access have a password that they can unlock the disk with. What I want, is anyone to have access to the disk but only if it is accessed from this specific hardware.

Is this possible by any means?

(Also, are there any other precautions I should take to prevent users from getting root access?)

Thank you for any suggestions.

Offline

#2 2018-11-26 00:37:38

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: Encrypt a disk such that it can only be unlocked by a unique hardware

If the disk is encrypted, how moving it to another device would change a thing? It’s still encrypted.

However, what you are asking for is not possible without extreme costs. Vide evil maid attack.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#3 2018-11-26 01:00:36

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 1,096

Re: Encrypt a disk such that it can only be unlocked by a unique hardware

You can use dm-crypt/LUKS to encrypt the disk and have a USB stick as the decryption key (i.e. not a passphrase). If someone removes the disk it won't decrypt without the USB key.

However, to state the obvious: if someone has time and space to physically remove the hard drive, they would also have the ability to remove the USB key along with it.

Last edited by twelveeighty (2018-11-26 01:01:09)

Offline

#4 2018-11-26 01:39:17

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,441
Website

Re: Encrypt a disk such that it can only be unlocked by a unique hardware

liquidMercury wrote:

Also, are there any other precautions I should take to prevent users from getting root access?

No, as there are no such precautions (I don't know what the word "other" is here, there are NO such precautions): physical access is root access.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#5 2018-11-26 01:56:50

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,354

Re: Encrypt a disk such that it can only be unlocked by a unique hardware

twelveeighty wrote:

You can use dm-crypt/LUKS to encrypt the disk and have a USB stick as the decryption key (i.e. not a passphrase). If someone removes the disk it won't decrypt without the USB key.

However, to state the obvious: if someone has time and space to physically remove the hard drive, they would also have the ability to remove the USB key along with it.

You could probably physically solder a USB stick or similar inside the machine to serve the same purpose.

Hope you have a back of that decryption key just in case. Oh, and remember to store that backup securely, preferably on a piece of paper.

In a vault under an Inca pyramid.

It's the only way to be sure.


Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.

Offline

#6 2018-11-26 02:06:45

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: Encrypt a disk such that it can only be unlocked by a unique hardware

This really seems like an X-Y problem.

What difference does it make if they can access the disk from one machine but not another? The issue is access, not the hardware. FDE will actually secure access to the disk, that way you don't care what machine it is plugged in to (which is the only security that matters).

If you don't trust the users with root, make the root password incredibly complex, or use a hardware token for it.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#7 2018-11-26 10:52:15

liquidMercury
Member
Registered: 2014-03-30
Posts: 5

Re: Encrypt a disk such that it can only be unlocked by a unique hardware

ngoonee wrote:
twelveeighty wrote:

You can use dm-crypt/LUKS to encrypt the disk and have a USB stick as the decryption key (i.e. not a passphrase). If someone removes the disk it won't decrypt without the USB key.

However, to state the obvious: if someone has time and space to physically remove the hard drive, they would also have the ability to remove the USB key along with it.

You could probably physically solder a USB stick or similar inside the machine to serve the same purpose.


I actually think this is a good alternative. By soldering a USB drive inside the computer and using it as a key for dm-crypt/LUKS the disk cannot be mounted and accessed from another computer. I will actually consider it. Thank you both for the suggestions.

Offline

#8 2018-11-26 11:00:26

liquidMercury
Member
Registered: 2014-03-30
Posts: 5

Re: Encrypt a disk such that it can only be unlocked by a unique hardware

mpan wrote:

If the disk is encrypted, how moving it to another device would change a thing? It’s still encrypted.

However, what you are asking for is not possible without extreme costs. Vide evil maid attack.

Encryption it with a password is not an option, because then I have to provide the password to any non-superuser who wishes to boot the computer. The encryption would then be useless.

Offline

#9 2018-11-26 11:10:58

Ropid
Member
Registered: 2015-03-09
Posts: 1,069

Re: Encrypt a disk such that it can only be unlocked by a unique hardware

There's "TPM" that you can try to use to make an encrypted drive work with only one particular PC and nowhere else:

https://wiki.archlinux.org/index.php/Tr … orm_Module

Desktop PC motherboards usually do not have a TPM, but they often have a header so that you can plug one in. The device looks like this:

https://www.amazon.com/Gigabyte-Accesso … 01G97X6T4/

I don't know how you would actually go about making use of it for the key for disk encryption.

Last edited by Ropid (2018-11-26 11:12:20)

Offline

#10 2018-11-26 11:14:10

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: Encrypt a disk such that it can only be unlocked by a unique hardware


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline

Board footer

Powered by FluxBB