Gentoo Forums
Complete disk encryption?
Gentoo Forums Forum Index > Installing Gentoo
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1364
Location: Fayetteville, NC, USA

PostPosted: Sun Mar 08, 2015 4:21 am    Post subject: Complete disk encryption?

I am reading the wiki article on disk encryption and follow it well, but I have a question. If I opt not to use a key-file and use a password, how would that work? Also, is it possible to require the key-file to be on a USB stick? I always keep mine with me and this would mean you would need my laptop AND USB stick to gain access to the system, on top of the root password, user password, or whatever.
_________________
Ever picture systemd as what runs "The Borg"?
The Doctor
Moderator
Joined: 27 Jul 2010
Posts: 2574

PostPosted: Sun Mar 08, 2015 4:27 am    Post subject:

You don't need a keyfile; of course, you could store a keyfile on external media as long as your init process can mount and read the media.

All you need to do is set a password instead of a keyfile. If you simply use cryptsetup luksFormat <device> it will prompt you to enter a password.

Of course, you can do both.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1364
Location: Fayetteville, NC, USA

PostPosted: Sun Mar 08, 2015 4:34 pm    Post subject:

Alright, if I enter a password, will it be possible to change the password in the future, such as on a schedule or if the unit is transferred to another employee? Also, how would things work at that point? Would it boot to GRUB and then ask for a password or what?
_________________
Ever picture systemd as what runs "The Borg"?
teefax
n00b
Joined: 14 Jan 2015
Posts: 11
Location: Germany

PostPosted: Sun Mar 08, 2015 5:31 pm    Post subject:

LUKS supports up to 8 key slots which you can add/change/remove at any time. That is, you can have e.g. one key that you hand over to your employer and up to 7 additional keys for each employee that requires access to the device.

In order to be prompted for a password during startup you will need to generate an initramfs, e.g. with dracut or genkernel.
frostschutz
Advocate
Joined: 22 Feb 2005
Posts: 2970
Location: Germany

PostPosted: Sun Mar 08, 2015 6:45 pm    Post subject:

Note that if those employees had root access at any point, they might have obtained the master key, which would allow them access regardless of passphrase changes. Note also that the device is inaccessible if no one remembers a password (if your employee had an accident, or whatever) so in such a scenario that involves several people, there should be some plans as to how to handle unexpected circumstances.
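The key-slot behaviour teefax describes and the master-key caveat in frostschutz's post, as an added example that is not part of the thread and not cryptsetup's own code: a small Python model of how LUKS wraps one random volume ("master") key once per key slot, so that adding or killing a slot never changes the key that actually encrypts the data. The primitives are stdlib stand-ins (PBKDF2-HMAC-SHA256 for the passphrase KDF, an HMAC-keyed pad for key wrapping), not the ciphers or header layout LUKS really uses, and the function names only loosely mirror the cryptsetup commands they are modelled on.

```python
"""Toy model of LUKS key-slot semantics (added example, not LUKS code).

The real LUKS header stores the volume key once per key slot, wrapped under
a key derived from that slot's passphrase, plus a salted digest of the
volume key used to check an unlock.  Changing or removing a passphrase
rewrites one slot but never changes the volume key itself.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

KEY_BYTES = 32
SLOT_COUNT = 8          # LUKS1 exposes 8 key slots
PBKDF_ITERS = 20_000    # low for a demo; cryptsetup benchmarks far higher


@dataclass
class KeySlot:
    salt: bytes
    wrapped_key: bytes


@dataclass
class Header:
    """Models the on-disk header: a digest of the volume key for verifying
    unlocks, and up to SLOT_COUNT wrapped copies of that key."""
    digest_salt: bytes
    digest: bytes
    slots: list = field(default_factory=lambda: [None] * SLOT_COUNT)


def _kdf(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF_ITERS, KEY_BYTES)


def _wrap(slot_key: bytes, data: bytes) -> bytes:
    # Stand-in for the AES wrapping LUKS performs: XOR with an HMAC-derived
    # pad.  XOR is its own inverse, so the same call also unwraps.
    pad = hmac.new(slot_key, b"wrap", "sha256").digest()
    return bytes(a ^ b for a, b in zip(pad, data))


def _volume_digest(volume_key: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", volume_key, salt, PBKDF_ITERS, KEY_BYTES)


def luks_format(passphrase: str) -> tuple[Header, bytes]:
    """Like `cryptsetup luksFormat`: fresh random volume key, passphrase in slot 0.
    Returns the volume key too, only so the demo can show what a leaked copy does."""
    volume_key = os.urandom(KEY_BYTES)
    digest_salt = os.urandom(16)
    hdr = Header(digest_salt, _volume_digest(volume_key, digest_salt))
    salt = os.urandom(16)
    hdr.slots[0] = KeySlot(salt, _wrap(_kdf(passphrase, salt), volume_key))
    return hdr, volume_key


def luks_open(hdr: Header, passphrase: str) -> Optional[bytes]:
    """Try every populated slot; return the volume key if one unwraps to a
    value matching the stored digest, else None."""
    for slot in hdr.slots:
        if slot is None:
            continue
        candidate = _wrap(_kdf(passphrase, slot.salt), slot.wrapped_key)
        if hmac.compare_digest(_volume_digest(candidate, hdr.digest_salt), hdr.digest):
            return candidate
    return None


def luks_add_key(hdr: Header, existing: str, new: str) -> int:
    """Like `cryptsetup luksAddKey`: an existing passphrase is required, and the
    first free slot receives the *same* volume key wrapped under the new one."""
    volume_key = luks_open(hdr, existing)
    if volume_key is None:
        raise PermissionError("no key available with this passphrase")
    for i, slot in enumerate(hdr.slots):
        if slot is None:
            salt = os.urandom(16)
            hdr.slots[i] = KeySlot(salt, _wrap(_kdf(new, salt), volume_key))
            return i
    raise RuntimeError("all key slots are full")


def luks_kill_slot(hdr: Header, index: int) -> None:
    """Like `cryptsetup luksKillSlot`: wipe one slot; the volume key is untouched."""
    hdr.slots[index] = None


def unlock_with_master_key(hdr: Header, leaked_key: bytes) -> bool:
    """Like `cryptsetup luksOpen --master-key-file`: no passphrase involved."""
    return hmac.compare_digest(_volume_digest(leaked_key, hdr.digest_salt), hdr.digest)


if __name__ == "__main__":
    hdr, master = luks_format("laptop-pass")       # original passphrase
    luks_add_key(hdr, "laptop-pass", "alice-pass")  # hand-over: new employee's passphrase
    luks_kill_slot(hdr, 0)                          # "rotate": retire the old one
    print(luks_open(hdr, "laptop-pass") is None)    # old passphrase rejected
    print(luks_open(hdr, "alice-pass") == master)   # same volume key as before
    print(unlock_with_master_key(hdr, master))      # a saved copy still opens it
```

Running it shows the point frostschutz makes: after the old slot is killed, the new passphrase still unwraps exactly the same volume key, and anyone who copied that key while they had root (cryptsetup can dump it, and it sits in kernel memory while the volume is open) opens the volume with no passphrase at all. Rotating slots is the right tool for a lost or transferred passphrase; against a leaked volume key the only remedy is re-encrypting the data under a fresh key (cryptsetup-reencrypt), which rewrites the whole device.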
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13845

PostPosted: Sun Mar 08, 2015 7:07 pm    Post subject:

Also, anyone with the passphrase can unlock the device whether or not they finish the boot process, so they could unlock the device in a LiveCD and use that environment to grant themselves extra privileges on the installed system, or use it to extract data they otherwise cannot have on the raw system. In general, you should assume that anyone who has the decryption password and unsupervised physical access to the machine will have the same access that an unencrypted machine grants to someone with unsupervised physical access to the machine.
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1364
Location: Fayetteville, NC, USA

PostPosted: Mon Mar 09, 2015 12:43 am    Post subject:

This isn't to keep IT guys out. This is in case the laptop is stolen or lost. The people who would fall into my position after my promotion would have no problem figuring a way around this, but if some retarded thug breaks in and snatches it, they're hosed and our client data is secure.
_________________
Ever picture systemd as what runs "The Borg"?
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1364
Location: Fayetteville, NC, USA

PostPosted: Mon Mar 09, 2015 2:03 am    Post subject:

I just had an odd thought about this. If I encrypt the disk, would I be able to dual-boot 7 and Gentoo? I seriously doubt I would, but it would be neat if it was possible. Currently I run 7 64bit in VirtualBox, but I have a high-end Dell Latitude at home I game on when traveling, and it would be kind of cool to secure both systems. I use Gentoo for browsing and email, 7 strictly for gaming.
_________________
Ever picture systemd as what runs "The Borg"?
chithanh
Developer
Joined: 05 Aug 2006
Posts: 2152
Location: Berlin, Germany

PostPosted: Mon Mar 09, 2015 5:41 pm    Post subject:

Yes, you can still dual-boot while the Gentoo part of your hard disk is LUKS encrypted.

Be aware that someone with control over the Windows 7 installation can use that to attack the Gentoo boot partition.
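One check a practitioner would add for the point in chithanh's post, as an added example that is not from the thread: the boot partition sits outside the LUKS container, so the kernel and initramfs on it can be swapped for versions that capture the passphrase, by the Windows side of a dual boot or by anyone with the disk. This Python script keeps a SHA-256 manifest of /boot on the encrypted root and reports changed, added or removed files the next time it runs. The paths `/boot` and `/root/.boot-manifest.json` are assumptions; `demo_tamper_check` exercises the same logic on constructed files in a temporary directory.

```python
"""Added example: detect tampering of an unencrypted /boot from inside the
encrypted root.  Not from the thread; the paths used are assumptions.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """SHA-256 of every regular file under root, keyed by path relative to root.
    Symlinks are skipped so a link pointing elsewhere cannot stand in for a file."""
    digests: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[str(p.relative_to(root))] = h.hexdigest()
    return digests


def write_manifest(root: Path, manifest: Path) -> None:
    """Record the current state; the manifest must live on the encrypted root."""
    manifest.write_text(json.dumps(hash_tree(root), indent=1, sort_keys=True))


def verify_manifest(root: Path, manifest: Path) -> dict[str, list[str]]:
    """Compare the live tree against the manifest.
    Returns changed/added/removed path lists; all three empty means clean."""
    expected = json.loads(manifest.read_text())
    actual = hash_tree(root)
    return {
        "changed": sorted(p for p in expected if p in actual and expected[p] != actual[p]),
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
    }


def is_clean(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


def demo_tamper_check() -> tuple[bool, bool, dict[str, list[str]]]:
    """Rehearsal on constructed files: a clean check, then a replaced kernel
    and a dropped-in file, which the report must flag.  Returns
    (clean before tampering, clean after tampering, report after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"
        (boot / "grub").mkdir(parents=True)
        (boot / "vmlinuz").write_bytes(b"constructed kernel image")
        (boot / "initramfs").write_bytes(b"constructed initramfs")
        (boot / "grub" / "grub.cfg").write_text("set timeout=5\n")
        manifest = Path(tmp) / "manifest.json"      # stands in for the encrypted root
        write_manifest(boot, manifest)
        clean_before = is_clean(verify_manifest(boot, manifest))
        (boot / "vmlinuz").write_bytes(b"kernel with a passphrase logger")
        (boot / "evil.efi").write_bytes(b"dropped bootloader")
        report = verify_manifest(boot, manifest)
        return clean_before, is_clean(report), report


if __name__ == "__main__":
    # Assumed locations: the manifest is kept on the encrypted root, never on /boot.
    boot, manifest = Path("/boot"), Path("/root/.boot-manifest.json")
    if not manifest.exists():
        write_manifest(boot, manifest)
        print(f"manifest written for {len(hash_tree(boot))} files")
    else:
        report = verify_manifest(boot, manifest)
        print("clean" if is_clean(report) else json.dumps(report, indent=1))
```

This is detection after the fact only: a modified initramfs has already run, and could already have recorded the passphrase, by the time the root filesystem is open and the comparison happens. Keeping the manifest off /boot matters for the same reason, since whoever can rewrite the kernel can also rewrite a manifest stored beside it.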
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1746

PostPosted: Mon Mar 09, 2015 7:08 pm    Post subject:

Windows uses BitLocker, which is surprisingly similar to what TrueCrypt used to do (and it makes me a bit suspicious about TC being "deprecated"). I don't think those 2 are compatible, so if you encrypt the whole disk, you will only be able to use one of those.
On the other hand, TC used to work with both Windows and Linux, so it might be possible. And it might be possible if you partition it and encrypt different partitions with different tools.
All times are GMT