Gentoo Forums
Need help to build a fully encrypted system
Forum: Installing Gentoo

C5ace (Apprentice; joined 23 Dec 2013; 277 posts; Brisbane, Australia)
Posted: Tue Dec 29, 2015 1:38 am    Post subject: Need help to build a fully encrypted system

I want to install Gentoo as a fully encrypted system, including encrypted /boot partition.

The requirements are:
NO: USB, LVM, UEFI. EFI dualboot.
Boot manager: preferably no boot manager or grub-static / Lilo boot from MBR.
Init system: rc-init.
Partitioning: fdisk, primary partition is /boot, extended partitions are swap, / and /home. All with EXT4 file system.

The boot process should ask for the file system pass-phrase before booting the system. Then boot and ask as normal for the user login name and password.

Can this be done with Gentoo?


I tried various How-Tos with VirtualBox, using LVM, Grub2; none of them worked. The only one that worked was using OpenSUSE 42.1 with LVM, Grub2, with SHA1 and a USB Boot Disk and after completing installation moving the content of the USB Boot Disk to /boot, like the Red Hat instructions.


The system is to replace a very old (about 1995) DOS box with a fully encrypted hard disk. The encryption software apparently worked like a boot sector virus and intercepts the INT 13 and INT 40?? to encrypt and decrypt the sectors or tracks read from or written to by MS-DOS. The pass-phrase is used to generate a 512 Byte key for Floppy sector access and a 4096 Byte key for Hard-disk cluster access.
The Doctor (Moderator; joined 27 Jul 2010; 2574 posts)
Posted: Tue Dec 29, 2015 2:31 am

Impossible. You have to have something unencrypted in order to boot. If you want the entire system encrypted that would be on a USB drive. Otherwise it would be /boot. This is true of every system including your DOS one. How can you possibly run something you can't read?

You can always add a check to make sure your kernel/initramfs is clean if you are really paranoid.

Your requirement for no UEFI or EFI and no boot manager stands in direct opposition, as they are the software which allows it.

In any case, the tool you are looking for is LUKS. https://wiki.gentoo.org/wiki/DM-Crypt_LUKS
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
likewhoa (l33t; joined 04 Oct 2006; 777 posts; Brooklyn, New York)
Posted: Tue Dec 29, 2015 5:58 pm

If you plan on having a fully encrypted system then you must not keep /boot on the drive and instead put the contents of /boot on a USB stick that will act as your bootloader using extlinux. For the partition schema, I would use ZFS or LVM on LUKS because you don't really want to decrypt multiple partitions but instead do the decryption on one large pool (ZFS) and/or an LVM2 volume.
The Doctor (Moderator; joined 27 Jul 2010; 2574 posts)
Posted: Tue Dec 29, 2015 9:07 pm

Quote:
For the partition schema, I would use ZFS or LVM on LUKS because you don't really want to decrypt multiple partitions but instead do the decryption on one large pool (zfs) and or a lvm2 volume.
In fairness you can also set the init to decrypt the other partitions using a key file stored in the root partition fairly easily if you don't want to mess with ZFS or LVM.
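As an added example (not code from the thread or from Gentoo itself), this is what the key-file arrangement The Doctor describes looks like on an OpenRC box using the /etc/conf.d/dmcrypt file read by sys-fs/cryptsetup's dmcrypt init script: the initramfs still prompts for the passphrase to unlock root, and the dmcrypt service then opens /home from a key file that only exists on that encrypted root. The device /dev/sda7, the mapping name "home" and the key file path /etc/keys/home.key are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: unlock a second LUKS volume (here /home)
# at boot from a key file kept on the already-decrypted root filesystem, on an
# OpenRC system using sys-fs/cryptsetup's /etc/conf.d/dmcrypt.
# Assumptions (hypothetical, chosen for this example): key file /etc/keys/home.key,
# device /dev/sda7, mapping name "home".
set -eu

# Create a random key file readable only by root. The length (4096 bytes) is an
# arbitrary choice; LUKS accepts key files of any reasonable size.
make_keyfile() {
    keyfile=$1
    keydir=$(dirname "$keyfile")
    [ -d "$keydir" ] || mkdir -p -m 0700 "$keydir"
    # umask inside a subshell so the restrictive mask does not leak into the caller
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=4096 count=1 2>/dev/null )
    chmod 0400 "$keyfile"
}

# Enroll the key file in a free LUKS key slot. cryptsetup prompts for an
# existing passphrase, so this step is interactive and needs root; the
# passphrase slot stays usable as a fallback if the key file is ever lost.
enroll_keyfile() {
    device=$1
    keyfile=$2
    cryptsetup luksAddKey "$device" "$keyfile"
}

# Print the /etc/conf.d/dmcrypt stanza that makes the dmcrypt init script open
# the volume with the key file during boot (after root, where the key file
# lives, has already been unlocked by the initramfs).
dmcrypt_stanza() {
    target=$1
    source=$2
    keyfile=$3
    printf 'target=%s\nsource=%s\nkey=%s\n' "$target" "'$source'" "'$keyfile'"
}

# Usage (as root): sh thisfile.sh setup /dev/sda7 /etc/keys/home.key home
if [ "${1:-}" = "setup" ]; then
    make_keyfile "$3"
    enroll_keyfile "$2" "$3"
    dmcrypt_stanza "$4" "$2" "$3" >> /etc/conf.d/dmcrypt
    echo "next: rc-update add dmcrypt boot; then add /dev/mapper/$4 to /etc/fstab"
fi
```

The key file is only as protected as the root filesystem it sits on, which is why the root volume is the one that takes the passphrase; the 0400 mode on the file and 0700 on its directory keep it from ordinary users once root is mounted.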
user (Tux's lil' helper; joined 08 Feb 2004; 145 posts)
Posted: Tue Dec 29, 2015 10:46 pm

Impossible. Bootloader code must be unencrypted in order to be bootstrapped by the (trusted) BIOS.

But you can differentiate between a fully encrypted device (looks like a wiped device from a stranger's POV) and a trusted boot device like a USB drive.

An encrypted device can be left unattended in a hostile environment,
but the boot device and system hardware, depending on your paranoia level, should never be left unsupervised at any time.

System hardware becomes smaller and smaller; carrying it on you at all times becomes possible. Key cards with their own keyblock become available.
From 1995 to now we have only diversified Open Source, but working Open Hardware would still be a long way to go.
NeddySeagoon (Administrator; joined 05 Jul 2003; 43178 posts; 56N 3W)
Posted: Wed Dec 30, 2015 9:53 am

C5ace,

Grub can be made to ask for a password. The password is stored as a password hash in the config file.
Grub's code, the kernel and initrd are not and cannot be encrypted because something that does not understand the encryption has to read them.

If you really need only encrypted things on the HDD, /boot can be on a USB stick, which can be removed once the system boots.
/boot is never mounted for the boot process, so you can just pull it out.

The (hardened) kernel can be set up to ignore any USB devices not present at boot too, in case you are worried about something else being attached later.

What threat are you attempting to guard against?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
khayyam (Watchman; joined 07 Jun 2012; 6228 posts; Room 101)
Posted: Wed Dec 30, 2015 11:43 am

NeddySeagoon wrote:
What threat are you attempting to guard against?

... the dreaded lurgi ;)
C5ace (Apprentice; joined 23 Dec 2013; 277 posts; Brisbane, Australia)
Posted: Wed Dec 30, 2015 10:04 pm

The perceived threats are commercial & government interests with full access to government resources and agencies, including break and enter, search with and without warrant, theft or confiscation of equipment, possible kneecapping.

I have OpenSUSE 42.1 installed in VirtualBox and boot from an encrypted single LVM volume on an MSDOS drive, single partition, using grub2 as boot manager and systemd.

I just have to find a way to get the same result using Gentoo with OpenRC and if possible without LVM. Entering the pass phrase several times is no problem.
Ant P. (Watchman; joined 18 Apr 2009; 5761 posts)
Posted: Thu Dec 31, 2015 3:13 am

Install libreboot, along with a payload containing everything necessary to boot from encrypted disks.

If you're that paranoid then this is the only option on x86. The other alternative is to buy sane hardware that doesn't contain backdoors in the firmware to begin with.
C5ace (Apprentice; joined 23 Dec 2013; 277 posts; Brisbane, Australia)
Posted: Thu Dec 31, 2015 3:52 am

Ant P. wrote:
Install libreboot, along with a payload containing everything necessary to boot from encrypted disks.

If you're that paranoid then this is the only option on x86. The other alternative is to buy sane hardware that doesn't contain backdoors in the firmware to begin with.


The hardware used has no backdoors in the BIOS, Network Card or Hard Drive. If any, they are irrelevant when using fully encrypted drives in virtual machines. An attacker may be able to access and decrypt the host drive. Never the virtual drive.
Ant P. (Watchman; joined 18 Apr 2009; 5761 posts)
Posted: Thu Dec 31, 2015 5:08 am

C5ace wrote:
The hardware used has no backdoors in the BIOS, Network Card or Hard Drive. If any, they are irrelevant when using fully encrypted drives in virtual machines. An attacker may be able to access and decrypt the host drive. Never the virtual drive.

So you've audited the (possibly RSA-encrypted) microcode running on your host CPU?

And you've taken steps to ensure they can't simply pluck your plaintext keys out of RAM with a warm boot attack? Or even more simply, by pwning the host OS through one of its many *front* doors and dumping /dev/mem with all the VM's decrypted disk contents sitting in VFS cache?

These are all things you will need to address with the threat model specified.
NeddySeagoon (Administrator; joined 05 Jul 2003; 43178 posts; 56N 3W)
Posted: Thu Dec 31, 2015 11:11 am

C5ace,

You need to start by building your hardware out of individual transistors.
You might be able to go as far as small scale integration, that you can audit with a microscope.

Anything bigger, you have no idea what is inside it and what backdoors it will introduce.
You cannot use modern RISC CPUs (that includes x86) as you have no idea what the microcode does.
You cannot use many modern peripherals as they are all computers in their own right and may contain their own threats,
e.g. hard drives, USB devices, CDROMs, flat panel displays.

You are back to something like an APPLE ][. Even then, I have my doubts if you can audit the 6502 CPU adequately.
Even with a CRT display (no computers), you need to guard against TEMPEST.

Did you know that your typing can be picked up from the sounds made by the keyboard and the screen read by the reflections in your glasses?
Of course, these are short range attacks.

Modern hard drives can do full disk encryption on their own. Unless you give it a pass phrase, it won't talk to you.
Six failed attempts and it does a full auto erase ... but would you trust it ... with your threat model, not a chance.
This is used to good effect against consumers. Try putting a bigger HDD in a games console.

The government won't even bother with an attack. They will just whisk you off to Guantanamo Bay and have the experts extract your secrets.
msst (Apprentice; joined 07 Jun 2011; 215 posts)
Posted: Thu Dec 31, 2015 4:19 pm

So true, there is no complete protection from an omnipotent attacker.

But what would be the most realistic approach to ensure a high enough burden / cost for this attacker in such a scenario and how would that be best accomplished within gentoo?

I think that is the question we should strive to answer...
NeddySeagoon (Administrator; joined 05 Jul 2003; 43178 posts; 56N 3W)
Posted: Thu Dec 31, 2015 5:36 pm

msst,

To defend from a government, you need a bigger government on your side.
Even unplugging the ethernet cable is not good enough. A government has the resources to get at your data no matter how its stored.
msst (Apprentice; joined 07 Jun 2011; 215 posts)
Posted: Thu Dec 31, 2015 9:18 pm

If you are specifically targeted and considered important enough then nothing will help, of course.

But as even Snowden keeps pointing out - holding up a certain burden / cost factor for those interested is the single most effective measure. And that is done by cryptographic means. Which are still effective albeit not in an absolute fashion.

Personally I use (that's my version of reasonable protection):

1) An unencrypted root with a kernel that has an initrd and the kernel command line built in
2) A second encrypted partition using LUKS and btrfs for the rest.

This is booted from the EFI bios directly into the efistub kernel, which runs the initramfs that in turn asks for the password and unlocks the whole OS / data.

This can be broken of course, one would need to

1) Have physical access to the harddrive
2) Have enough time to tamper with it
3) Have the expertise to extract the initramfs and build a backdoor/keylogger into it
4) Place it back without me noticing
5) Wait till I unlock it once, then it is wide open

Or alternatively place a hidden camera well enough and then steal the thing after the password is known. But for me it is enough this way as this should hold up for the normal cases:

It will be enough to protect from the occasional burglar as well as from normal law enforcement. Which is for me more than enough, I do not even expect having to deal with the latter, but it is nice to be no "open book" in general.

If one needs higher fences one could step up the burden by using hash functions over the boot partition stored inside the encrypted container. This way someone tampering with the partition will raise an alarm (even though it may be too late). Using two factor authorization might even detect a tampered boot before the password is entered. And so forth. The question is how far does one reasonably want to go. It is the usual trade off between comfort and security.

What is an unfortunate fact is that these things are quite a bit of work to implement with gentoo. But it can all be done and as gentoo does not really provide "out-of-the-box" solutions it would be complicated for someone wanting to tamper with it.

P.S.: It is in the end no different to protecting your bike or your apartment / house against burglars. You can never prevent the expert from screwing your stuff up, but if you make the burden high enough for 98% of the "everyday Joes" then you are very likely to be left alone. And the security level should be adjusted to the worth of the bike / house of course.
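As an added example (not code from the thread), here is one way to do what two posts above ask for: The Doctor's "check to make sure your kernel/initramfs is clean" and msst's "hash functions over the boot partition stored inside the encrypted container". A SHA-256 manifest of every file under the unencrypted /boot is written to a file that lives on the encrypted root; at the next boot the manifest is rebuilt and compared with the stored copy. The paths /boot and /etc/boot-manifest.sha256 are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: keep a SHA-256 manifest of the
# unencrypted /boot inside the encrypted root and compare it at every boot, so
# a modified kernel or initramfs raises an alarm (after the fact, as the post
# above notes). BOOT_DIR and MANIFEST are hypothetical defaults for the example.
set -eu

BOOT_DIR=${BOOT_DIR:-/boot}
MANIFEST=${MANIFEST:-/etc/boot-manifest.sha256}   # lives on the encrypted root

# Write one "hash  ./path" line per regular file under $1 to $2. Hashing from
# inside the directory and sorting by path makes the output stable, so two
# manifests of identical trees compare byte-for-byte equal.
make_manifest() {
    dir=$1
    out=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$out"
}

# Rebuild the manifest for $1 and compare it with the stored one in $2.
# Returns 0 when nothing changed and 1 otherwise. Comparing whole manifests
# rather than running "sha256sum -c" also catches files that were added or
# removed, not only files whose contents changed.
verify_manifest() {
    dir=$1
    stored=$2
    current=$(mktemp)
    make_manifest "$dir" "$current"
    if cmp -s "$stored" "$current"; then
        rm -f "$current"
        return 0
    fi
    echo "boot manifest mismatch in $dir:" >&2
    diff "$stored" "$current" >&2 || true   # '<' = stored, '>' = current
    rm -f "$current"
    return 1
}

# "update" after every kernel/initramfs rebuild; "check" from an early boot
# script (e.g. under /etc/local.d/) once root is mounted, so a mismatch is
# logged before anything sensitive happens in that session.
case "${1:-}" in
    update) make_manifest "$BOOT_DIR" "$MANIFEST" ;;
    check)  verify_manifest "$BOOT_DIR" "$MANIFEST" ;;
esac
```

Because the manifest sits on the encrypted root, someone who can only reach the unencrypted /boot cannot update it to match their changes; the check has to be re-run (`update`) by the owner after every legitimate kernel or initramfs rebuild, or it will fire on the next boot.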
NeddySeagoon (Administrator; joined 05 Jul 2003; 43178 posts; 56N 3W)
Posted: Thu Dec 31, 2015 10:41 pm

msst,

Exactly. Assess the threat, then employ security measures to make it clear to your would be attackers that they should go and attack someone else.
Twenty_Four (n00b; joined 10 Apr 2015; 9 posts)
Posted: Sat Jan 02, 2016 2:12 am

Maybe not exactly what you're looking for, but worth a read anyhow.

http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
http://www.phoronix.com/scan.php?page=news_item&px=Linux-GRUB2-Encrypt-Boot
http://dustymabe.com/2015/07/06/encrypting-more-boot-joins-the-party/

Those 'guides' are for Arch and Fedora but can be applied to Gentoo fairly easily.
otakugeek (n00b; joined 26 Jun 2014; 50 posts)
Posted: Wed Jan 06, 2016 3:27 am

take a look :> http://www.funtoo.org/Rootfs_over_encrypted_lvm
jonathan183 (Guru; joined 13 Dec 2011; 309 posts)
Posted: Sun Jan 10, 2016 2:31 pm

It might also be worth taking a look at https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
depontius (Advocate; joined 05 May 2004; 3383 posts)
Posted: Sun Jan 10, 2016 5:18 pm

You may be able to buy your way into this one.

FDE hard drive. Everything will be encrypted, including /boot. The hitch is whether your BIOS supports it. I had this working with a Thinkpad and Lenovo FDE hard drive. (Then company policy changed, and this was no longer acceptable, so I had to move to software encryption, with a "recoverable key". FDE was too secure.)

I have heard that some FDE hard drives really aren't as secure as it might sound, so this might take some research. And, as I said, BIOS support.
_________________
.sigs waste space and bandwidth