I am working on a computer setup where common users will be in hold of the hardware for extended periods of time and I want to prevent them from getting root access in as many ways as possible.
As of now, I have restricted the computer from booting unauthorized devices and disabled users to edit the boot parameters. However, someone may still physically move the disk to another computer and access it from there.
I have looked into different ways of disk encryption but everything I find seems to assume that users with access have a password that they can unlock the disk with. What I want, is anyone to have access to the disk but only if it is accessed from this specific hardware.
Is this possible by any means?
(Also, are there any other precautions I should take to prevent users from getting root access?)
Thank you for any suggestions.
If the disk is encrypted, how would moving it to another device change a thing? It's still encrypted.
However, what you are asking for is not possible without extreme costs. Vide evil maid attack.
Sometimes I seem a bit harsh — don’t get offended too easily!
You can use dm-crypt/LUKS to encrypt the disk and have a USB stick as the decryption key (i.e. not a passphrase). If someone removes the disk it won't decrypt without the USB key.
However, to state the obvious: if someone has time and space to physically remove the hard drive, they would also have the ability to remove the USB key along with it.
Last edited by twelveeighty (2018-11-26 01:01:09)
Also, are there any other precautions I should take to prevent users from getting root access?
No, as there are no such precautions (I don't know what the word "other" is here, there are NO such precautions): physical access is root access.
"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman
You can use dm-crypt/LUKS to encrypt the disk and have a USB stick as the decryption key (i.e. not a passphrase). If someone removes the disk it won't decrypt without the USB key.
However, to state the obvious: if someone has time and space to physically remove the hard drive, they would also have the ability to remove the USB key along with it.
You could probably physically solder a USB stick or similar inside the machine to serve the same purpose.
Hope you have a backup of that decryption key just in case. Oh, and remember to store that backup securely, preferably on a piece of paper.
In a vault under an Inca pyramid.
It's the only way to be sure.
Allan-Volunteer on the (topic being discussed) mailing lists. You never get the attention of the people who matter on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
This really seems like an X-Y problem.
What difference does it make if they can access the disk from one machine but not another? The issue is access, not the hardware. FDE will actually secure access to the disk, that way you don't care what machine it is plugged in to (which is the only security that matters).
If you don't trust the users with root, make the root password incredibly complex, or use a hardware token for it.
twelveeighty wrote: You can use dm-crypt/LUKS to encrypt the disk and have a USB stick as the decryption key (i.e. not a passphrase). If someone removes the disk it won't decrypt without the USB key.
However, to state the obvious: if someone has time and space to physically remove the hard drive, they would also have the ability to remove the USB key along with it.
You could probably physically solder a USB stick or similar inside the machine to serve the same purpose.
I actually think this is a good alternative. By soldering a USB drive inside the computer and using it as a key for dm-crypt/LUKS the disk cannot be mounted and accessed from another computer. I will actually consider it. Thank you both for the suggestions.
If the disk is encrypted, how would moving it to another device change a thing? It's still encrypted.
However, what you are asking for is not possible without extreme costs. Vide evil maid attack.
Encrypting it with a password is not an option, because then I would have to give the password to every non-superuser who wishes to boot the computer. The encryption would then be useless.
There's "TPM" that you can try to use to make an encrypted drive work with only one particular PC and nowhere else:
https://wiki.archlinux.org/index.php/Tr … orm_Module
Desktop PC motherboards usually do not have a TPM, but they often have a header so that you can plug one in. The device looks like this:
https://www.amazon.com/Gigabyte-Accesso … 01G97X6T4/
I don't know how you would actually go about making use of it for the key for disk encryption.
Last edited by Ropid (2018-11-26 11:12:20)
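An added example (not code from the thread) of the two unlock methods suggested above: twelveeighty's keyfile on a USB stick and Ropid's TPM, both enrolled as extra LUKS key slots for the mkinitcpio sd-encrypt hook. Device paths, UUIDs and the /mnt/key mount point are placeholders; the TPM2 enrolment needs systemd 248 or later, which postdates the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Enrols a USB keyfile and/or a TPM2-sealed
# key as additional LUKS2 key slots; the original passphrase stays enrolled so
# the disk can still be recovered if the stick or the board dies.
set -eu

# 512-byte random keyfile, root-readable only, written onto the mounted stick.
make_keyfile() {            # $1 = keyfile path on the mounted stick
    umask 077
    head -c 512 /dev/urandom > "$1"
    chmod 0400 "$1"
}

# Add the keyfile as a new key slot; cryptsetup prompts for the existing passphrase.
enrol_usb_keyfile() {       # $1 = LUKS device, $2 = keyfile path
    cryptsetup luksAddKey "$1" "$2"
}

# Seal a key in the TPM2 bound to PCR 7 (Secure Boot state): the slot only opens
# on this board while that firmware configuration is unchanged.
enrol_tpm2() {              # $1 = LUKS device
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$1"
}

# crypttab line for the USB keyfile; the path is relative to the stick's root.
crypttab_usb_line() {       # $1 = mapper name, $2 = LUKS UUID, $3 = stick UUID, $4 = key path
    printf '%s UUID=%s %s:UUID=%s luks\n' "$1" "$2" "$4" "$3"
}

# crypttab line for the TPM2 slot; no key file, systemd asks the TPM at boot.
crypttab_tpm2_line() {      # $1 = mapper name, $2 = LUKS UUID
    printf '%s UUID=%s none luks,tpm2-device=auto\n' "$1" "$2"
}

# Confirm the slot really opens with the keyfile before relying on it at boot.
verify_keyfile_slot() {     # $1 = LUKS device, $2 = keyfile path
    cryptsetup open --test-passphrase --key-file "$2" "$1"
}

# Usage (as root, stick mounted at /mnt/key, root LUKS volume on /dev/sda2):
#   make_keyfile /mnt/key/luks.key
#   enrol_usb_keyfile /dev/sda2 /mnt/key/luks.key
#   verify_keyfile_slot /dev/sda2 /mnt/key/luks.key
#   crypttab_usb_line cryptroot "$(blkid -s UUID -o value /dev/sda2)" \
#       "$(blkid -s UUID -o value /dev/sdb1)" /luks.key >> /etc/crypttab.initramfs
```

Note the difference in what each slot binds to: the keyfile slot binds the disk to the stick (anyone who can mount the stick can read the key), while the TPM2 slot binds it to the board, which is closer to what the original question asked for.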