Lennart: Linux Comes Up Short Around Disk Encryption, Authenticated Boot Security

#91
Originally posted by Alliancemd:
    It's always the most uninformed arguing against the experts of the industry...
    Yes, it's less safe on Linux, in case of a hacked device or somebody that has or had physical access to your device.
"Experts of the industry"
There are plenty of morons in "the industry". That is fine as there is a lot of... stuff when it comes to software and computer hardware.
Sure, one is better off listening to experts, but Lennart is no expert in anything that I've seen him talk about.

#92
I don't encrypt. My system is used for entertainment -- emails, YouTube, articles. I have only my pseudonym, which I use for those accesses.
I do zero banking or purchases from any of my systems (2 laptops, one cellphone). I have someone do the online stuff, using one-time credit cards.
Love those one-time credit cards.

#93
Originally posted by Vistaus:
    Interesting that he names ChromeOS separately. I mean: Android is up for discussion, but ChromeOS is underneath it all just a Gentoo spin, so that *is* true Linux.
The common factor of the worst aspects of the current mainstream Linux distribution weaknesses is the unsigned initrd, because currently an initrd can't be both (1) signed and (2) flexible enough for real-world Linux. If I read it correctly, it seems that secure boot for mainstream Linux distributions is essentially useless. I can see why the situation is "sad".

Presumably ChromeOS doesn't need as much flexibility because there is much less variety of hardware, and therefore (2) is not a problem. So ChromeOS can ship signed initrds. Perhaps Windows solves it by having a secure extension system similar to what systemd has coming in v250. He points out that Fedora is working on signed initrds too, so maybe we are not so far away from a solution here.

The current situation sounds very dangerous for certain users; it would be hard to recommend Linux for people who are at risk of state-level attacks, and yet these are the people you'd most want Linux to be viable for.

#94
Originally posted by cynic:
    My data are definitely not worth such complex attacks as described by Lennart, so I'm reasonably sure that won't happen to me.
    Anyway, as a regular LUKS user, I'd like very much to be able to use my FIDO2 USB key as an additional security factor to unlock my disks.

I recently enabled my FIDO2 key to unlock at boot on Gentoo. It's a night and day difference. Integration into an installer would be trivial, so I can see it coming.

#95
Originally posted by mangeek:
    As a former enterprise Endpoint Admin and now an ITSec person, I'm not sure there is a way for me to run Linux and meet my own organization's industry-standard security policies. Is there a way for me to easily enroll a Linux desktop or server into a system that escrows a break-glass key for the full-disk encryption?
Yes, but it's not quite ready on mainstream distros. systemd-cryptenroll supports TPM, but the integration isn't tied into updates with the package managers yet. cryptsetup similarly has to be a new enough version to support it. And it also works with FIDO2 devices if one would prefer to rely on that vs. the TPM module.

It also does support a "recovery key", or really any extra key you can enroll with LUKS2, that you could keep as a backup.

#96
Originally posted by fuzz:
    I recently enabled my FIDO2 key to unlock at boot on Gentoo. It's a night and day difference. Integration into an installer would be trivial, so I can see it coming.
Cool! I wasn't aware this feature was already supported.
I'm going to google some docs right now, thanks!
Last edited by cynic; 25 September 2021, 02:20 AM.

#97
Originally posted by cynic:
    Cool! I wasn't aware this feature is already supported!
    I'm going to google some docs right now!

    Thanks!
It needs a really recent version of systemd-cryptenroll and cryptsetup. For example, Fedora 34 has the former but not a new enough version of the latter. I imagine Fedora 35 beta might support it.

Also on Gentoo I could only get it working with dracut for my initramfs. The Arch wiki docs are similarly useful.

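As an added example (not code from this thread, from systemd, or from any distribution), a POSIX shell helper that first checks the two tool versions fuzz says matter in #97 and then performs the FIDO2 plus recovery-key enrollment described in #95. The minimum version numbers are assumptions to confirm against your distribution's changelog, and the device path and crypttab entry are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or systemd): check that the two tools
# fuzz names are new enough, then enroll a FIDO2 token plus a recovery key
# on a LUKS2 volume with systemd-cryptenroll, keeping the passphrase slot.
# ASSUMPTION: the minimum versions below are placeholders; confirm them
# against your distribution's changelog before relying on them.
MIN_SYSTEMD="${MIN_SYSTEMD:-248}"
MIN_CRYPTSETUP="${MIN_CRYPTSETUP:-2.4.0}"

# version_of "systemd 249 (249.4-1.fc35)" -> 249 ; "cryptsetup 2.4.0" -> 2.4.0
version_of() {
    set -- $1                      # word-split the --version output
    printf '%s\n' "${2%%-*}"       # second word, minus any -release suffix
}

# version_ge A B: succeed when dotted version A >= B, compared per component
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Fedora 34 fails here on cryptsetup, as fuzz observed; F35 should pass.
check_prereqs() {
    sv=$(version_of "$(systemd-cryptenroll --version 2>/dev/null | head -n1)")
    cv=$(version_of "$(cryptsetup --version 2>/dev/null)")
    version_ge "${sv:-0}" "$MIN_SYSTEMD" ||
        { echo "systemd-cryptenroll ${sv:-missing} < $MIN_SYSTEMD"; return 1; }
    version_ge "${cv:-0}" "$MIN_CRYPTSETUP" ||
        { echo "cryptsetup ${cv:-missing} < $MIN_CRYPTSETUP"; return 1; }
}

# Needs root, the FIDO2 key plugged in, and DEV set to the LUKS2 partition
# (placeholder, e.g. /dev/sda3).  The existing passphrase stays enrolled.
enroll_fido2_with_recovery() {
    dev="$1"
    check_prereqs || return 1
    systemd-cryptenroll --fido2-device=auto "$dev" &&
    systemd-cryptenroll --recovery-key "$dev" &&
    cryptsetup luksDump "$dev" | grep -E 'systemd-(fido2|recovery)'
    # The recovery key is printed once: write it down.  Then add
    # fido2-device=auto to the volume's /etc/crypttab options and rebuild
    # the initramfs (dracut --force) so the initrd asks for the key instead.
}
```

Run `enroll_fido2_with_recovery /dev/<luks-partition>` from a root shell after sourcing the file; a recovery key enrolled this way is the manual fallback, not an escrowed one, so store it wherever your organization keeps break-glass material.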
#98
Originally posted by fuzz:
    It needs a really recent version of systemd-cryptenroll and cryptsetup. For example, Fedora 34 has the former but not a new enough version of the latter. I imagine Fedora 35 beta might support it.

    Also on Gentoo I could only get it working with dracut for my initramfs. The Arch wiki docs are similarly useful.
Oh, ok!
I'm running Fedora 34 on the machine I wanted to test it on. I guess I'll have to wait until next week, when I (hopefully) will upgrade to the F35 beta.
Thanks again for the hints!

#99
Authenticating the initrd to the kernel to the bootloader to the firmware to the hardware is utterly pointless if you cannot authenticate the hardware and the physical environment to the user. Otherwise your cryptographic Rube Goldberg machine is easily undone by a physically identical laptop or something as universal as a camera in view of your keyboard. The best you can hope to achieve with TPM is making the physically identical laptop attack a one-time attack that you might realize has occurred after your password fails to decrypt your data. (But the adversary is allowed to make that look like mundane disk failure.)

Originally posted by tildearrow:
    Thing is I never carry any device at all when going outside because there is a lack of security in my country, but that's another issue.
So your devices are unsafe when you leave them at home.
