Re: [gentoo-hardened] Hardened laptops

Re: [gentoo-hardened] Hardened laptops

[mike]

I just got an encrypted root filesystem working on my iBook (based on Linux 
2.6.0-testX and util-linux 2.12).  I hope to clean up my initrd sources and 
publish them in mid-September.  If anyone is interested in this, please let me 
know.

--
Mike


--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Hardened laptops

[David Nielsen]

I would love to see how that's done - since I have a laptop which I put
all my school work (including stuff I don't want people stealing from me
- projects and stuff). 

1) what's the speed penalties involved ?
	I only have a 500Mhz Celeron chip in my laptop so I'm kinda worried it
will send GNOME down the drain to encrypt the entire FS.

2) Would this be applicable to encrypting specific partitions - since
I've been looking at encrypting my /home on my desktop as well - most
because I can though.

- David

On Sat, 2003-08-23 at 11:53, mike@flyn.org wrote:
> I just got an encrypted root filesystem working on my iBook (based on Linux 
> 2.6.0-testX and util-linux 2.12).  I hope to clean up my initrd sources and 
> publish them in mid-September.  If anyone is interested in this, please let me 
> know.
> 
> --
> Mike
> 
> 
> --
> gentoo-hardened@gentoo.org mailing list
> 


--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Hardened laptops

[Nigel Stepp]

On Sat, 23 Aug 2003, David Nielsen wrote:

> 1) what's the speed penalties involved ?
> 	I only have a 500Mhz Celeron chip in my laptop so I'm kinda worried it
> will send GNOME down the drain to encrypt the entire FS.

I have an 800Mhz PentiumIII-mobile processor in my Vaio.  I've been
running an encrypted root FS (with key on a 16MB USB drive) for serveral
months now and have noticed no performance hits.  From my experience, if
you are doing a large grep or find, the CPU hits 2-3% higher than it
normally would.

> 2) Would this be applicable to encrypting specific partitions - since
> I've been looking at encrypting my /home on my desktop as well - most
> because I can though.

Sure, any partition can be mounted via loopback and encrypted.  It's
super-easy to do with non-root filesystems too, since you don't have to
worry about initrd issues.  You just unmount it, setup the encrypted
loop, encrypt with dd, and mount the encrypted loop where the
non-encrypted FS used to be.

> - David
>
> On Sat, 2003-08-23 at 11:53, mike@flyn.org wrote:
> > I just got an encrypted root filesystem working on my iBook (based on Linux
> > 2.6.0-testX and util-linux 2.12).  I hope to clean up my initrd sources and
> > publish them in mid-September.  If anyone is interested in this, please let me
> > know.
> >
> > --
> > Mike
> >
> >
> > --
> > gentoo-hardened@gentoo.org mailing list
> >
>
>
> --
> gentoo-hardened@gentoo.org mailing list
>
>

-- 
:wq


--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Hardened laptops

[W. Michael Petullo]

>> I just got an encrypted root filesystem working on my iBook (based on Linux
>> 2.6.0-testX and util-linux 2.12).  I hope to clean up my initrd sources and
>> publish them in mid-September.  If anyone is interested in this, please let 
>> me know.
 
> I'm interested. If you don't post it to the list, could you send it to me
> please?

My crypto-root/swap stuff is now online.  See
http://www.flyn.org/projects/cryptoswap/index.html.

-- 
Mike

:wq

--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Hardened laptops

[Ned Ludd]

[-- Attachment #1: Type: text/plain, Size: 950 bytes --]

Mike,

When you feel your system is ready for prime-time please submit a
cryptoswap-x.x.x.ebuild at bugs.gentoo.org and assign it to hardened @
gentoo.org. One of us should pick it up (Method you wanted this right?)
or if your willing to support it long term then I'd like to invite you
to look into becoming a hardened gentoo maintainer/developer.

On Fri, 2003-08-29 at 18:35, W. Michael Petullo wrote:
> >> I just got an encrypted root filesystem working on my iBook (based on Linux
> >> 2.6.0-testX and util-linux 2.12).  I hope to clean up my initrd sources and
> >> publish them in mid-September.  If anyone is interested in this, please let 
> >> me know.
>  
> > I'm interested. If you don't post it to the list, could you send it to me
> > please?
> 
> My crypto-root/swap stuff is now online.  See
> http://www.flyn.org/projects/cryptoswap/index.html.
-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer (Hardened)

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 307 bytes --]

Re: [gentoo-hardened] Hardened laptops

[A. Permyakov]

Sonds like an excellent idea, please count me in.  Anything I can do to help?  Got an older laptop sitting on a shelf here quite unused, would be willing to beta-test if time required is reasonable.

Thanks -- AP

----- Original Message -----
From: "mike@flyn.org" <mike@flyn.org>
Date: Sat, 23 Aug 2003 05:53:31 -0400
To: <gentoo-hardened@gentoo.org>
Subject: Re: [gentoo-hardened] Hardened laptops 

I just got an encrypted root filesystem working on my iBook (based on Linux 
2.6.0-testX and util-linux 2.12).  I hope to clean up my initrd sources and 
publish them in mid-September.  If anyone is interested in this, please let me 
know.

--
Mike


--
gentoo-hardened@gentoo.org mailing list


-- 
______________________________________________
http://www.linuxmail.org/
Now with e-mail forwarding for only US$5.95/yr

Powered by Outblaze

--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Hardened laptops

[mike]

> 1) what's the speed penalties involved ?
> 	I only have a 500Mhz Celeron chip in my laptop so I'm kinda worried it
> will send GNOME down the drain to encrypt the entire FS.

Well, I did not do any formal benchmarks but my laptop is certainly just as 
usable as when it had a plaintext filesystem.  I have not yet noticed any 
performance issues.  Of course, I'm not capturing video or any other 
HD-intensive activities.  My laptop is an iBook with a 600MHz G3.
 
> 2) Would this be applicable to encrypting specific partitions - since
> I've been looking at encrypting my /home on my desktop as well - most
> because I can though.

My pam_mount (http://www.flyn.org) PAM module allows one to easily use their 
system password to unlock an encrypted home directory.  I recommend it if you 
want to avoid encrypting your whole hard drive.  There is a pam_losetup module 
out there as well that does something similar -- but I have not tried it.

--
Mike


--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Hardened laptops

[mike]

> Then I wanted to move the setup to 2.5/2.6 kernels; the init command for
> doing so has stumped me. pivot_root simply does not work; there are
> other ways of doing something with mount -o bind...

Pivot_root does not work?  Is this a 2.[56]-sepcific problem?  I have been using 
2.4's pivot_root interface with mkCDrec for quite some time.  However, I have 
not tried the same with 2.[56].

I may be interested in starting work on an encrypted root system using 2.6 and 
util-linux 2.12.

--
Mike


--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Hardened laptops

[Joshua Brindle]

make it so... :)

i downloaded the nah6 scripts and they aren't anything incredibly complicated.. the
vmware idea is a little odd to me, if there were some other non-commercial
alternatives there might be a bigger demand from gentoo users..


Joshua Brindle

>>> "mike@flyn.org" <mike@flyn.org> 08/15/03 09:16AM >>>
I am interested in working on a secure laptop meta-project.  Laptop
security is interesting because some amount of physical security must
be addressed.  Laptop theft is big buisiness, after all.

A well designed laptop operating system would be centered around encrypted
filesystems and would have many applications:

1.  People who want to protect their personal data from theft.

2.  Buisinesses that want to protect secrets stored on their fleet
of laptops.

3.  Military applications -- laptops are all over today's battlefield
and a lucky ambush could easily reap classified information.

4.  Etc...

A company named NAH6 (http://www.nah6.com) has a product like this.
They use Linux in order to boot Windows from an encrypted volume.
I would like to focus on a Linux environment as an end.  The idea is that a 
lost or stolen laptop will not give up any sensitive information. 

Here are the components I envision including their current status:

1.  Encrypted root filesystem.  The 2.6 Linux kernel and util-linux 2.12
will provide this using an encrypted loopback interface.  A speedier
compromise is to use encrypted home directories only.  I maintain a PAM
module, pam_mount, that mounts encrypted home directories transparently.  [ If 
you don't mind a shameless plug, there is an article about pam_mount in the 
August Linux Journal. ]

2.  Encrypted swap partition (or no swap at all).  This is necessary because 
otherwise programs could swap secrets to a plaintext disk.  The 2.6 Linux 
kernel's encrypted loopback interface can do this.

3.  An inproved authentication system.  Encryption algorithms are useless
if a weak key is used.  Therefore it may be desireable to authenticate
when booting and mounting an encrypted root filesystem (or mounting an
encrypted home directory) using a physical token or other strong means.

4.  An intrusion detection system.

5.  Obviously, otherwise hardened software.

Comments?  Has anyone else talked about this around here?

--
Mike


--
gentoo-hardened@gentoo.org mailing list


--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Hardened laptops

[mike]

>> I am interested in working on a secure laptop meta-project.  Laptop
>> security is interesting because some amount of physical security must
>> be addressed.  Laptop theft is big buisiness, after all.
>>
>> A well designed laptop operating system would be centered around encrypted
>> filesystems and would have many applications:
>>
>> 1.  People who want to protect their personal data from theft.
>>
>> 2.  Buisinesses that want to protect secrets stored on their fleet
>> of laptops.
>>
>> 3.  Military applications -- laptops are all over today's battlefield
>> and a lucky ambush could easily reap classified information.
>>
>> 4.  Etc...
>>
>> A company named NAH6 (http://www.nah6.com) has a product like this.
>> They use Linux in order to boot Windows from an encrypted volume.
>> I would like to focus on a Linux environment as an end.  The idea is that a 
>> lost or stolen laptop will not give up any sensitive information. 
>>
>> Here are the components I envision including their current status:
>>
>> 1.  Encrypted root filesystem.  The 2.6 Linux kernel and util-linux 2.12
>> will provide this using an encrypted loopback interface.  A speedier
>> compromise is to use encrypted home directories only.  I maintain a PAM
>> module, pam_mount, that mounts encrypted home directories transparently.  [ I 

>> you don't mind a shameless plug, there is an article about pam_mount in the 
>> August Linux Journal. ]
>>
>> 2.  Encrypted swap partition (or no swap at all).  This is necessary because 

>> otherwise programs could swap secrets to a plaintext disk.  The 2.6 Linux 
>> kernel's encrypted loopback interface can do this.
>>
>> 3.  An inproved authentication system.  Encryption algorithms are useless
>> if a weak key is used.  Therefore it may be desireable to authenticate
>> when booting and mounting an encrypted root filesystem (or mounting an
>> encrypted home directory) using a physical token or other strong means.
>>
>> 4.  An intrusion detection system.
>>
>> 5.  Obviously, otherwise hardened software.
>>
>> Comments?  Has anyone else talked about this around here?

> I haven't seen anything directly like this on the gentoo-hardened list 
> yet. I have seen the loopback encrypted filesystems and distro 
> discussions (nothing that isn't in the archives).

> I haven't seen anything directly like this on the gentoo-hardened list 
> yet. I have seen the loopback encrypted filesystems and distro 
> discussions (nothing that isn't in the archives). 

Norman, you brought up some great points.  I am familiar with TEMPEST, but am 
not far enough into this to start trying to mitigate its risk yet.  

I now have a few questions about the encrypted home directory scenario (most of 
root filesystem is plaintext).  Basically, is it worth it vs. an encrypted root 
filesystem?  Besides encrypting swap, one sticky point is encrypting /tmp.  Here 
are a few potential solutions:

1.  Make /tmp an encrypted filesystem, generated at boot time with a random key 
(much like encrypted swap space).

2.  If you have enough memory and/or encrypted swap, use Linux's tmpfs.

3.  Implement per-user temporary directories in each user's encrypted $HOME.  
Obviously all applications must know to use $HOME/tmp instead of /tmp.  This may 
be difficult to ensure.

Plain text /tmp is of course bad because, for example, vi may leak secrets by 
creating recovery files there.  So what is the best solution?  Or are there too 
many potential loopholes when using encrypted home directories vs. encrypted 
root filesystem?

--
Mike


--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Hardened laptops

[Norman B. Robinson]

Worth is a subjective term; what are your goals? :p I'm sure there could 
be performance differences, but I go back to the 'multiple levels' concept.

Can you clarify the differences between encrypted home directory vs. 
encrypted root filesystems in your mind? Do you really mean encrypting 
ONLY home directories vs. encrypting ALL partitions? Just wanted to be 
certain.

[1] A /tmp encrypted filesystem isn't any different than any other 
encrypted file - is it? You can have a encrypted partition that multiple 
users can mount with their token key. Such as done with  'example 5' of 
loop-aes (http://loop-aes.sourceforge.net/loop-AES.README)
[2] I'd also like to mention enough memory and NOT USING SWAP at all.
[3] If you have a scenario where you are a user that doesn't trust the 
system and want a chance at keeping YOUR data out of prying eyes the the 
per-user temporary directories could be of use.

Finally my other thoughts are that since *my* goal is to be *more* 
secure and not set the goal I will be absolutely secure; something as 
simple as ensuring all your temp files (or unencrypted volumes) are 
deleted and wiped clean during logout (if you own the machine) could be 
worth it. Yes, it may be unsecure during operation and it could be 
interrupted before the shutdown wipe. But not most of the time.

N.

mike@flyn.org wrote:

> I haven't seen anything directly like this on the gentoo-hardened list
>
>>yet. I have seen the loopback encrypted filesystems and distro 
>>discussions (nothing that isn't in the archives). 
>>    
>>
>
>Norman, you brought up some great points.  I am familiar with TEMPEST, but am 
>not far enough into this to start trying to mitigate its risk yet.  
>
>I now have a few questions about the encrypted home directory scenario (most of 
>root filesystem is plaintext).  Basically, is it worth it vs. an encrypted root 
>filesystem?  Besides encrypting swap, one sticky point is encrypting /tmp.  Here 
>are a few potential solutions:
>
>1.  Make /tmp an encrypted filesystem, generated at boot time with a random key 
>(much like encrypted swap space).
>
>2.  If you have enough memory and/or encrypted swap, use Linux's tmpfs.
>
>3.  Implement per-user temporary directories in each user's encrypted $HOME.  
>Obviously all applications must know to use $HOME/tmp instead of /tmp.  This may 
>be difficult to ensure.
>
>Plain text /tmp is of course bad because, for example, vi may leak secrets by 
>creating recovery files there.  So what is the best solution?  Or are there too 
>many potential loopholes when using encrypted home directories vs. encrypted 
>root filesystem?
>
>--
>Mike
>
>
>--
>gentoo-hardened@gentoo.org mailing list
>
>  
>


--
gentoo-hardened@gentoo.org mailing list

[gentoo-hardened] Hardened laptops

[mike]

I am interested in working on a secure laptop meta-project.  Laptop
security is interesting because some amount of physical security must
be addressed.  Laptop theft is big buisiness, after all.

A well designed laptop operating system would be centered around encrypted
filesystems and would have many applications:

1.  People who want to protect their personal data from theft.

2.  Buisinesses that want to protect secrets stored on their fleet
of laptops.

3.  Military applications -- laptops are all over today's battlefield
and a lucky ambush could easily reap classified information.

4.  Etc...

A company named NAH6 (http://www.nah6.com) has a product like this.
They use Linux in order to boot Windows from an encrypted volume.
I would like to focus on a Linux environment as an end.  The idea is that a 
lost or stolen laptop will not give up any sensitive information. 

Here are the components I envision including their current status:

1.  Encrypted root filesystem.  The 2.6 Linux kernel and util-linux 2.12
will provide this using an encrypted loopback interface.  A speedier
compromise is to use encrypted home directories only.  I maintain a PAM
module, pam_mount, that mounts encrypted home directories transparently.  [ If 
you don't mind a shameless plug, there is an article about pam_mount in the 
August Linux Journal. ]

2.  Encrypted swap partition (or no swap at all).  This is necessary because 
otherwise programs could swap secrets to a plaintext disk.  The 2.6 Linux 
kernel's encrypted loopback interface can do this.

3.  An inproved authentication system.  Encryption algorithms are useless
if a weak key is used.  Therefore it may be desireable to authenticate
when booting and mounting an encrypted root filesystem (or mounting an
encrypted home directory) using a physical token or other strong means.

4.  An intrusion detection system.

5.  Obviously, otherwise hardened software.

Comments?  Has anyone else talked about this around here?

--
Mike


--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Hardened laptops

[Norman B. Robinson]

I haven't seen anything directly like this on the gentoo-hardened list 
yet. I have seen the loopback encrypted filesystems and distro 
discussions (nothing that isn't in the archives).

That said, you asked for comments; I have a few ideas.

NOT TRUSTING YOUR SYSTEM:
Realizing more and more that encryption is a needed part of my working 
environment (I can't trust my administrators) this is of interest. I'd 
like to also see User Mode Linux encyption addressed; how do you encrypt 
your files if you DON'T want to trust your administrator? I've never 
seen the functional aspects of user security, including various levels 
of security risk (i.e., if you use UML encryption you could be exploited 
by X, X, and X in Y environment) explained to end users.

RECOVERING YOUR SYSTEM:
I do not know how the 'phone home' option available on some laptops 
works. I've never seen it explained (I'm assuming if it isn't done in 
hardware a low level format of the harddrive erases any capability of a 
ip locator being sent out). Perhaps rather than approaching the project 
from an 'absolute' security standpoint you could address how you could 
be more secure (various 'levels') and how you could address real 
problems (like someone stealing your laptop, taking it home and plugging 
it into broadband/dialup; having the previously mentioned 'phone home' 
ip packet being sent out could be considered 'more secure' in that you 
increase the likelyhood of either recovery or being able to remote 
connect and detonate your data). Perhaps a honeypot boot environment for 
the unwary that didn't provide a password would be useful - rather than 
completely disabling the laptop (which would encourage formatting) it 
allows use and sends out a packet of information with it's IP address to 
a specified server.

USABILITY:
Zero-Interaction Authentication (ZIA) from Univ. of Michigan is an 
interesting real workable solution for a proximity security token; it is 
a limited broadcast area radio that has an encryption key. The system 
encrypts when the user walks out of range and decrypts when the user 
comes back in range. Barring sniffing and replay issues it addresses the 
problems of user involvement in token keys. This isn't too different 
than say a memory device with a security token except you don't have to 
plug it in and it decreases the downtime during decryption. This general 
idea is really about usability (the concept of keys (the memory device 
or radiokey) and the concept of not 'interfering' with the use of the 
computer because of encryption).

USABILITY and ENCODING:
Part of the solution may to actually create a simplified encryption 
process. Rather than having the user memorize a strong key have a 
short-term key with defined lockdown based on time. In the situation 
where I'm going away from my desk I might just want a simple password to 
lock the computer, when I reboot I want a stronger password (in case *I* 
am not the one doing the rebooting!) and when I know I'm travelling I 
want to lock it with a password and keyed cdrom token.

REDUNDANCY and NO BRAINER FALLBACK
Part of the usability above also should consider that humans are 
imperfect beings. We sometimes forget things and loose our keys. 
Addressing the issues of forgetting your password through split keys 
(one you give to your friend, one you give to your mom, one you leave at 
home and only two are needed to decrypt and reset your password) is 
(pardon the pun) key. :) Also you should provide the information about 
who can partner to decrypt your data to the end-user in case they forget 
who they gave split keys to.

Also consider that you might want to have different physical keys work 
on the same lock. I might have a USB memorystick with my key token(s) 
AND I might have a CDROM that has the same key. Please allow me to use 
one if the other isn't available.

GIMP vs GEEK
Consider that also you may want to remotely destroy your data - instead 
of a phone home msg from a stolen laptop you might want the laptop to 
also PULL from a location and if it finds a key phrase it detonates the 
data - completely wipes the harddrive. This pull prevents the various 
firewalls from blocking your initiation of destruction. Nothing saying 
you can't delete your data and leave a broadcasting honeypot either!
This situation also warrents mentioning of a dead-man's switch. If I 
don't provide a password token within 'X' minutes/hours/days the system 
initiates data destruction. I know it is all encrypted - but you can't 
decrypt what doesn't exist. I makes it so they have to have hardware and 
have imaged your data before they begin brute-forcing it. (ok, ok, they 
could just put you in a dark space and begin breaking your fingers...)

Finally, if you are unfamiliar with the term you should look up TEMPEST. 
Although originally a method of blocking electronic transmissions that 
could be picked up by 'the enemy' by incasing computers in metal, there 
are several software methods, such as 'tempest fonts' that you may wish 
to consider in conjuntion with your efforts.
http://216.239.37.104/search?q=cache:ucOb7yYGZasJ:www.cl.cam.ac.uk/~mgk25/ih98-tempest-slides.pdf+tempest+software+techniques&hl=en&ie=UTF-8

NO LAPTOP's AN ISLAND:
We also need to address how you get your data off of your system and 
onto a new system securely. This includes backup. Once your data is 
encrypted you can of course copy the filesystem but you need to copy the 
ENTIRE filesystem. And you should be able to log in, and copy the system 
from within the system (which would in this scenario be an unencrypted 
system) to another computer. Yes, yes, easy enough to say use SSH, SCP, 
etc. but address this rather than having a gaping hole in your security 
plan (that hole being an uninformed end-user that is *ignorant*). Having 
a solution doesn't mean that you prevent another solution from being 
used, just that you've already thought it out and made it a no-brainer.

That's all my comments :)

Warm encrypted regards,

Norman


mike@flyn.org wrote:

>I am interested in working on a secure laptop meta-project.  Laptop
>security is interesting because some amount of physical security must
>be addressed.  Laptop theft is big buisiness, after all.
>
>A well designed laptop operating system would be centered around encrypted
>filesystems and would have many applications:
>
>1.  People who want to protect their personal data from theft.
>
>2.  Buisinesses that want to protect secrets stored on their fleet
>of laptops.
>
>3.  Military applications -- laptops are all over today's battlefield
>and a lucky ambush could easily reap classified information.
>
>4.  Etc...
>
>A company named NAH6 (http://www.nah6.com) has a product like this.
>They use Linux in order to boot Windows from an encrypted volume.
>I would like to focus on a Linux environment as an end.  The idea is that a 
>lost or stolen laptop will not give up any sensitive information. 
>
>Here are the components I envision including their current status:
>
>1.  Encrypted root filesystem.  The 2.6 Linux kernel and util-linux 2.12
>will provide this using an encrypted loopback interface.  A speedier
>compromise is to use encrypted home directories only.  I maintain a PAM
>module, pam_mount, that mounts encrypted home directories transparently.  [ If 
>you don't mind a shameless plug, there is an article about pam_mount in the 
>August Linux Journal. ]
>
>2.  Encrypted swap partition (or no swap at all).  This is necessary because 
>otherwise programs could swap secrets to a plaintext disk.  The 2.6 Linux 
>kernel's encrypted loopback interface can do this.
>
>3.  An inproved authentication system.  Encryption algorithms are useless
>if a weak key is used.  Therefore it may be desireable to authenticate
>when booting and mounting an encrypted root filesystem (or mounting an
>encrypted home directory) using a physical token or other strong means.
>
>4.  An intrusion detection system.
>
>5.  Obviously, otherwise hardened software.
>
>Comments?  Has anyone else talked about this around here?
>
>--
>Mike
>
>
>--
>gentoo-hardened@gentoo.org mailing list
>
>  
>



--
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] Hardened laptops

[Boyd Waters]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

mike@flyn.org wrote:
| 1.  Encrypted root filesystem.  The 2.6 Linux kernel and util-linux 2.12
| will provide this using an encrypted loopback interface.  A speedier
| compromise is to use encrypted home directories only.  I maintain a PAM
| module, pam_mount, that mounts encrypted home directories
transparently.  [ If
| you don't mind a shameless plug, there is an article about pam_mount
in the
| August Linux Journal. ]
|
| 2.  Encrypted swap partition (or no swap at all).  This is necessary
because
| otherwise programs could swap secrets to a plaintext disk.  The 2.6 Linux
| kernel's encrypted loopback interface can do this.
|
| 3.  An inproved authentication system.  Encryption algorithms are useless
| if a weak key is used.  Therefore it may be desireable to authenticate
| when booting and mounting an encrypted root filesystem (or mounting an
| encrypted home directory) using a physical token or other strong means.

Mike:

Thanks for this post... yeah, we've thought about it. A lot :-)

Until five months ago, I had been running a Gentoo laptop with an
encrypted filesystem for about a year.

I had considered things quite carefully, and decided that the only way
to sort-of-trust the computer was to encrypt the whole shebang:
encrypted root and encrypted swap. This worked just fine, very stable
with a 2.4.19 kernel.

Then I wanted to move the setup to 2.5/2.6 kernels; the init command for
doing so has stumped me. pivot_root simply does not work; there are
other ways of doing something with mount -o bind...

I have been able to set up, at init time, a GPG-based authentication
which mounts the GPG keyring from a USB storage device, a memory stick.
(You could also use a boot-CD.) The encryption key for the hard disk is
actually a random string, which is signed and kept on the external
device; you decrypt this key with your GPG password (which might be a
"bas password", given user proclivities...). This extra step provides a
means for key escrow, or for multiply-signed keys, so that more than one
person can decrypt the key (and thus the hard disk data). This is a good
thing, I think, if managed carefully; I don't have more than one
signature on my keys so far...

Encrypted swap is very easy, relative to the difficulties I've
encountered at init time, trying to bring up an encrypted root disk on 2.6.

Very much enjoyed the pam_mount article. But I think that for laptops,
you need to assume the whole disk will be read by someone, at their
leisure, and I really think you need whole-disk encryption to be effective.

As soon as I get some manner of linux 2.6 with encrypted root, I will
have something to write up. There is a bug in -test3 that b0rks
encrypted loopback; I expect there will be more distractions before this
is done...

- - boyd

Boyd Waters
watersb on gentoo forums
http://www.aoc.nrao.edu/~bwaters


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/QE5g0is8k1r0QeURAiIhAJ43h11QfVptn+0PmntyJW+l3BmkkACeORew
fFsjLEAA9JYlKfQzKLqDl8M=
=YJfU
-----END PGP SIGNATURE-----


--
gentoo-hardened@gentoo.org mailing list