From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 14853 invoked by uid 1002); 18 Aug 2003 03:55:53 -0000
Mailing-List: contact gentoo-hardened-help@gentoo.org; run by ezmlm
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-hardened@gentoo.org
Received: (qmail 7755 invoked from network); 18 Aug 2003 03:55:53 -0000
Message-ID: <3F404E60.2040509@nrao.edu>
Date: Sun, 17 Aug 2003 21:56:16 -0600
From: Boyd Waters
Organization: National Radio Astronomy Observatory
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5b) Gecko/20030719
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "mike@flyn.org"
CC: gentoo-hardened@gentoo.org
References: <20030815141701.7F6FB314CA@neuromancer.voxel.net>
In-Reply-To: <20030815141701.7F6FB314CA@neuromancer.voxel.net>
X-Enigmail-Version: 0.76.1.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-RAVMilter-Version: 8.4.3(snapshot 20030212) (virgo)
Subject: Re: [gentoo-hardened] Hardened laptops
X-Archives-Salt: 3cf1ae5d-faf8-4425-9bfb-b4fe1121a801
X-Archives-Hash: af4da6be282e6d5f2e24de0442a0b458

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

mike@flyn.org wrote:
| 1. Encrypted root filesystem. The 2.6 Linux kernel and util-linux 2.12
| will provide this using an encrypted loopback interface. A speedier
| compromise is to use encrypted home directories only. I maintain a PAM
| module, pam_mount, that mounts encrypted home directories transparently. [ If
| you don't mind a shameless plug, there is an article about pam_mount in the
| August Linux Journal. ]
|
| 2. Encrypted swap partition (or no swap at all). This is necessary because
| otherwise programs could swap secrets to a plaintext disk. The 2.6 Linux
| kernel's encrypted loopback interface can do this.
|
| 3. An improved authentication system. Encryption algorithms are useless
| if a weak key is used. Therefore it may be desirable to authenticate
| when booting and mounting an encrypted root filesystem (or mounting an
| encrypted home directory) using a physical token or other strong means.

Mike:

Thanks for this post... yeah, we've thought about it. A lot :-)

Until five months ago, I had been running a Gentoo laptop with an encrypted filesystem for about a year. I had considered things quite carefully, and decided that the only way to sort-of-trust the computer was to encrypt the whole shebang: encrypted root and encrypted swap.

This worked just fine, very stable with a 2.4.19 kernel.

Then I wanted to move the setup to 2.5/2.6 kernels; the init command for doing so has stumped me. pivot_root simply does not work; there are other ways of doing something with mount -o bind...

I have been able to set up, at init time, a GPG-based authentication which mounts the GPG keyring from a USB storage device, a memory stick. (You could also use a boot-CD.) The encryption key for the hard disk is actually a random string, which is signed and kept on the external device; you decrypt this key with your GPG password (which might be a "bad password", given user proclivities...). This extra step provides a means for key escrow, or for multiply-signed keys, so that more than one person can decrypt the key (and thus the hard disk data). This is a good thing, I think, if managed carefully; I don't have more than one signature on my keys so far...

Encrypted swap is very easy, relative to the difficulties I've encountered at init time, trying to bring up an encrypted root disk on 2.6.

Very much enjoyed the pam_mount article. But I think that for laptops, you need to assume the whole disk will be read by someone, at their leisure, and I really think you need whole-disk encryption to be effective.

As soon as I get some manner of linux 2.6 with encrypted root, I will have something to write up. There is a bug in -test3 that b0rks encrypted loopback; I expect there will be more distractions before this is done...

- - boyd

Boyd Waters
watersb on gentoo forums
http://www.aoc.nrao.edu/~bwaters
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/QE5g0is8k1r0QeURAiIhAJ43h11QfVptn+0PmntyJW+l3BmkkACeORew
fFsjLEAA9JYlKfQzKLqDl8M=
=YJfU
-----END PGP SIGNATURE-----

--
gentoo-hardened@gentoo.org mailing list
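The key layout Boyd describes above (a random disk key that is never derived from a password, kept on the external token wrapped once per holder so that any holder, or an escrow party, can recover it) as an added, constructed Python model; this is not code from the mail, and PBKDF2 plus an HMAC-SHA256 keystream and tag stand in for the `gpg --encrypt` to each holder's key that the real setup uses.

```python
# Constructed model of the escrow token from the mail; PBKDF2 + HMAC keystream
# replace gpg's public-key encryption here so the example runs with stdlib only.
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 32      # bytes of random disk key (what losetup -e would be fed)
ITERS = 100_000   # PBKDF2 work factor for the passphrase-derived wrapping key

def _keystream(k: bytes, n: int) -> bytes:
    # HMAC in counter mode, a stand-in for a real cipher, not a recommendation.
    blocks = (hmac.new(k, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(disk_key: bytes, passphrase: str) -> dict:
    """One holder's copy of the key: salt, masked key and an integrity tag."""
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERS, 64)
    ct = bytes(a ^ b for a, b in zip(disk_key, _keystream(kek[:32], len(disk_key))))
    tag = hmac.new(kek[32:], salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(blob: dict, passphrase: str) -> Optional[bytes]:
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), blob["salt"], ITERS, 64)
    want = hmac.new(kek[32:], blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, blob["tag"]):
        return None  # wrong passphrase or tampered token: init must refuse to mount
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(kek[:32], len(blob["ct"]))))

def make_token(holders: dict) -> tuple:
    """Fresh random disk key plus one wrapped copy per holder. The token (what
    would live on the USB stick) never contains the key in clear."""
    disk_key = os.urandom(KEY_LEN)
    return disk_key, {name: wrap(disk_key, pw) for name, pw in holders.items()}

def recover(token: dict, name: str, passphrase: str) -> Optional[bytes]:
    """What init does before setting up the loop device: unwrap this holder's copy."""
    return unwrap(token[name], passphrase) if name in token else None

def change_passphrase(token: dict, name: str, old: str, new: str) -> bool:
    """Rotate one holder's passphrase: only their wrapped copy changes; the disk
    key, and so the encrypted disk itself, is untouched."""
    key = recover(token, name, old)
    if key is None:
        return False
    token[name] = wrap(key, new)
    return True
```

Because the disk key is independent of every passphrase, adding an escrow holder or rotating a weak password only rewrites the token, never the disk.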