Re: [SLUG] secure boot

From: Zoltan Patay (zoltanpatay@gmail.com)
Date: Sat Jul 23 2005 - 21:42:00 EDT


1. Password protect Grub.
2. Encrypt /home
2b. It is possible to encrypt root fs and swap as well if well
justified or particularly paranoid (needs more expertise, but that is
usually readily available at such level of paranoia).

You can load the encryption keys from flash. Putting your root fs on
crypto you will need to know a bit about creating customized initrd
img.

Do not do this on your pc, but use qemu to test all these (do a
minimal install in it). If you use qemu with the kernel module (kqemu)
it is very usable.

Googling for all this turns up a surprisingly large amount of hits,
with pitfalls and what not.

You can also try gentoo and ubuntu forums as there are quite a bit of
resources on this.

It is possible to keep the key on a usb stick or flash, even more if
you know what pam is, and have worked with it before you can look at
this: http://www.pamusb.org/ then your system will log you in as
well...

Little writeup on ubuntuforums:

http://ubuntuforums.org/showthread.php?t=49474&highlight=encrypted+file+system
http://ubuntuforums.org/showpost.php?p=81502&postcount=1

Also, there is a cool product, called ibutton (falls in smartcard category)

http://www.maxim-ic.com/products/ibutton/

and there used to be a project here:
http://www-users.rwth-aachen.de/dierk.bolten/pam_ibutton.html that
provided pam and storage for crypto password for encrypted file system
using it.

More on pam here: http://www.kernel.org/pub/linux/libs/pam/modules.html

iButton pam source here: http://www.zweknu.org/src/iButton-PAM/

With suse you could create a new partition (say home-crypto if you use
lvm this is particularly easy) and copy your /home and go from there.
To make sure the system will mount the usb volume containing the key
always to the same place you would have to specify it to mount by name
or id not by partition. You will also have to customize your init to
do something if the key holding device is not present (probably
shutdown). Of course if the root fs is in crypto as well, then you
just have to customize the initrd... Try a suse install in qemu and
see if it can do everything in crypto, then add crypto key on usb
stick mod to it.

Important info for you: once everything is loaded (os running) your
data is available once someone finds a way in and elevates permission to
the point of accessing data (make sure to create your own user group
besides user name, fine tuning required). Also to protect yourself
from such thing you would need to read up and employ the various
process separation techniques (http://www.grsecurity.net/
http://www.nsa.gov/selinux/ http://www.rsbac.org/
http://www.bastille-linux.org/ http://www.lids.org/)

You should know, in case you have really sensitive data, that in case
a system is suspected to have encrypted file system on it, upon
investigating it is unplugged from the network at once, but NOT from
the mains (same is true for systems broken into) since every security
pro would want to look at it as it is (knowing after it is
shutdown/rebooted they might never have a chance...) So for this
reason you not only want to encrypt filesystems/swap but also want to
protect system from remote exploit.

Take a look at this as well: http://www.prosec.rub.de/tpm/index.html
it is a project that makes use of some crypto hw some laptops have, IBM
started it with their Thinkpad line. However, if you decide to use it
on a laptop make sure to know international laws, as for example
flying to China with a laptop with crypto on it will land your ass
immediately in jail as automatically it is assumed you are a spy...
and I am not kidding, so if you use it on laptop check the rules.

I hope this was as useful as it was helpful toward your future
efforts to outsmart all those people out there trying to get you(r
data).

Z

On 7/23/05, Matthew Burke <matthew@textbox.net> wrote:
> On Fri, 2005-07-22 at 20:20 -0400, chris lee wrote:
> > basically im trying to find a way to make my computer only work if a
> > certain SD card is installed.
> >
> > i also want all the data in that computer locked so that if the drive
> > is installed in another computer or a LiveCD is used the data will be
> > completely unviewable.
> >
> > is this possible?
>
> I have my home partition encrypted, asking for a password on boot (SUSE
> 9.2). While without the password one could still access the system, my
> files in home are somewhat safe (depending on the lengths one would go
> to in order to access the files)
>
> Matt
>
> -----------------------------------------------------------------------
> This list is provided as an unmoderated internet service by Networked
> Knowledge Systems (NKS). Views and opinions expressed in messages
> posted are those of the author and do not necessarily reflect the
> official policy or position of NKS or any of its employees.
>
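
The message above describes mounting the key-holding USB volume by name or id and having init act when it is absent. As an added example that is not part of the original message, this POSIX shell fragment for a customized init script does both. The label KEYSTICK, the key file name, the mount point, the volume path and the FAT-formatted stick are all assumptions.

```shell
#!/bin/sh
# Added example. KEYSTICK, home.key, /mnt/key and /dev/vg0/home-crypto are
# hypothetical names; the stick is assumed to carry a FAT filesystem.

# Wait up to $3 seconds for the stick to appear under its stable by-label
# name (USB enumeration can lag behind init). Print the path or return 1.
find_key_dev() {
    label=$1; dir=${2:-/dev/disk/by-label}; timeout=${3:-10}; waited=0
    while [ ! -e "$dir/$label" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1; waited=$((waited + 1))
    done
    printf '%s\n' "$dir/$label"
}

# Accept only a regular, non-empty key file with no group/other access.
check_keyfile() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Missing or unusable key: report and power off instead of booting on.
fail() { echo "secure boot: $1" >&2; poweroff -f; exit 1; }

# Call this from the init/initrd script before /home is mounted.
unlock_home() {
    dev=$(find_key_dev KEYSTICK) || fail "key stick not present"
    mkdir -p /mnt/key
    # umask=077 makes files on the FAT stick appear owner-only.
    mount -o ro,umask=077 "$dev" /mnt/key || fail "cannot mount key stick"
    if check_keyfile /mnt/key/home.key; then
        cryptsetup open --key-file /mnt/key/home.key /dev/vg0/home-crypto home
        rc=$?
    else
        rc=1
    fi
    umount /mnt/key   # do not leave key material mounted after unlocking
    [ "$rc" -eq 0 ] || fail "could not unlock home volume"
}
```

Looking the device up under /dev/disk/by-label (or by-uuid) keeps the path stable no matter which sdX name the kernel assigns to the stick on a given boot.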

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:19:28 EDT