Lennart: Linux Comes Up Short Around Disk Encryption, Authenticated Boot Security
-
Authenticating the initrd to the kernel to the bootloader to the firmware to the hardware is utterly pointless, if you cannot authenticate the hardware and the physical environment to the user. Otherwise your cryptographic Rube Goldberg machine is easily undone by a physically identical laptop or something as universal as a camera in view of your keyboard. The best you can hope to achieve with TPM is making the physically identical laptop attack a one-time attack that you might realize has occurred after your password fails to decrypt your data. (But the adversary is allowed to make that look like mundane disk failure.)
-
Originally posted by fuzz
It needs a really recent version of systemd-cryptenroll and cryptsetup. For example, Fedora 34 has the former but not a new enough version of the latter. I imagine Fedora 35 beta might support it.
Also on Gentoo I could only get it working with dracut for my initramfs. The Arch wiki docs are similarly useful.
I'm running Fedora 34 on the machine I wanted to test it on. I guess I'll have to wait for the next week when I (hopefully) will upgrade to F35 beta.
Thanks again for the hints!
- Likes 1
-
Originally posted by cynic
Cool! I wasn't aware this feature is already supported!
I'm going to google some doc right now!
Thanks!
Also on Gentoo I could only get it working with dracut for my initramfs. The Arch wiki docs are similarly useful.
- Likes 1
-
Originally posted by fuzz
I recently enabled my FIDO2 key to unlock at boot on Gentoo. It's a night and day difference. Integration into an installer would be trivial, so I can see it coming.
I'm going to google some doc right now, thanks!
Last edited by cynic; 25 September 2021, 02:20 AM.
-
Originally posted by mangeek
As a former enterprise Endpoint Admin and now an ITSec person, I'm not sure there is a way for me to run Linux and meet my own organization's industry-standard security policies. Is there a way for me to easily enroll a Linux desktop or server into a system that escrows a break-glass key for the full-disk encryption?
It also does support a "recovery key", or really any extra key you can enroll with LUKS2, that you could keep as a backup.
- Likes 2
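An added example, not part of the thread and not code from systemd or cryptsetup: a Python check over LUKS2 header metadata (the JSON that `cryptsetup luksDump --dump-json-metadata` prints on recent cryptsetup) that shows which keyslots are bound to a FIDO2, TPM2 or recovery-key token and flags a volume with no break-glass path. The sample metadata is constructed and trimmed to the fields used, and the function names are hypothetical.

```python
import json

# Token types written by systemd-cryptenroll into the LUKS2 header.
HARDWARE_TOKENS = {"systemd-fido2", "systemd-tpm2", "systemd-pkcs11"}
RECOVERY_TOKEN = "systemd-recovery"

# Constructed sample, trimmed to the fields this check reads.
SAMPLE = """
{
  "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}, "2": {"type": "luks2"}},
  "tokens": {
    "0": {"type": "systemd-fido2", "keyslots": ["1"]},
    "1": {"type": "systemd-recovery", "keyslots": ["2"]}
  }
}
"""

def classify_keyslots(metadata):
    """Map each keyslot id to the token type bound to it, or 'passphrase'."""
    roles = {slot: "passphrase" for slot in metadata.get("keyslots", {})}
    for token in metadata.get("tokens", {}).values():
        for slot in token.get("keyslots", []):
            if slot in roles:
                roles[slot] = token.get("type", "unknown")
    return roles

def audit(metadata):
    """Return findings about break-glass coverage for this volume."""
    roles = classify_keyslots(metadata)
    kinds = set(roles.values())
    findings = []
    if not roles:
        findings.append("no keyslots: volume cannot be unlocked")
    if kinds and kinds <= HARDWARE_TOKENS:
        findings.append("only hardware-bound keyslots: losing the device loses the data")
    if RECOVERY_TOKEN not in kinds:
        findings.append("no recovery key enrolled for escrow")
    return findings

if __name__ == "__main__":
    meta = json.loads(SAMPLE)
    for slot, role in sorted(classify_keyslots(meta).items()):
        print(f"keyslot {slot}: {role}")
    print(audit(meta) or "fallback and recovery keyslots present")
```

A keyslot with no token attached is treated as a plain passphrase slot, which is how a manually added LUKS2 passphrase appears in the header.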
-
Originally posted by cynic
My data are definitely not worth such complex attacks described by Lennart so I'm reasonably sure that won't happen to me.
Anyway, as a regular LUKS user, I'd like very much to be able to use my FIDO2 USB key as an additional security factor to unlock my disks.
- Likes 1
-
Originally posted by Vistaus
Interesting that he names ChromeOS separately. I mean: Android is up for discussion, but ChromeOS is underneath it all just a Gentoo spin, so that *is* true Linux.
Presumably ChromeOS doesn't need as much flexibility because there is much less variety of hardware, and therefore (2) is not a problem. So ChromeOS can ship signed initramfs. Perhaps Windows solves it by having a secure extension system similar to what systemd has coming in v250. He points out that Fedora is working on signed initramfs too so maybe we are not so far away from a solution here.
The current situation sounds very dangerous for certain users; it would be hard to recommend Linux for people who are at risk of state-level attacks, and yet these are the people you'd most want Linux to be viable for.
-
I don't encrypt. My system is used for entertainment -- emails, YouTube, articles. I have only my pseudo name, which I use for those accesses.
I do zero banking or purchases from any of my systems (2 laptops, one cellphone). I have someone do the online stuff, using one time credit cards.
Love those 1 time Credit cards.
-
Originally posted by Alliancemd
It's always the most uninformed arguing against the experts of the industry...
Yes, it's unsafer on Linux, in case of a hacked device or somebody that has or had physical access to your device.
There are plenty of morons in "the industry". That is fine as there is a lot of... stuff when it comes to software and computer hardware.
Sure one is better to listen to experts, but Lennart is no expert in anything that I've seen him talk about.
-
Bypassing firewall and making connections are spying, OK, tilde. What actual proofs do you have? Anyways, don't bother, I've asked you now four times to show something and you still have nothing.
Maybe you should start with the definition of "spying" because it surely looks like you've got it all mixed up. First, "DNS requests", then "firewall", in the end "connections". None of this comprises "spying". Anyways, here's the one: "Spying means surreptitiously extracting information from the target".
Windows, macOS, iOS, Android and Chrome OS have not been proven to spy on the user. Also, you definitely know very little if anything about PR and law. If that was proven to be the case, the companies would be sued for billions of dollars in damages and their reputation would be forever tarnished.
Last edited by birdie; 24 September 2021, 10:07 AM.