Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Full Disk Encryption WITHOUT Initramfs or Grub
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5211
Location: Bavaria

PostPosted: Thu Apr 02, 2020 12:33 am    Post subject: Full Disk Encryption WITHOUT Initramfs or Grub Reply with quote

How to (Secure-) Boot the kernel straight from UEFI(-bios) into a fully encrypted root-partition with plain dm-crypt encryption without using initramfs/initrd or grub. This was not possible so far. Now we have the new kernel(-module) parameter "dm-mod.create=" (dm_init).

Objective:
* Secure using the new parameter for built-in dm-crypt-functionality
* With a SSD it must not happen to save the masterkey into a file on it (even with a hd you cant really wipe a file when using a journaled filesystem). This means it is required to save the masterkey into RAM (=tmpfs) or to a stick. (I used a stick because we have to save the key in any case).

I have:
* A working Gentoo Installation on /dev/sda4 as root (containing home also) with a monolithic (signed) stub-kernel in /boot/EFI/Boot (/dev/sda2)
* An empty partition (/dev/sda5) for my new fully encrypted root partition
* An USB-Stick for the final kernel (and the masterkey if no second stick available)
You:
* MUST have openRC; (I dont know anything about systemd)
* needn't have a monolithic signed kernel; just a working kernel

Here is my course of action:
Code:
- boot with "Gentoo minimal CD" (I used version 2020-03-15)
! be fast with input 12 for german keyboard (or you boot again :-)
# clear
# ls /sys/firmware
! check if /sys/firmware/efi exists -> yes -> ok, it was really an uefi boot
# mkdir -p /mnt/stick
- connect your properly fat32-formatted stick (if not formatted see chapter "format stick" later)
# lsblk
! check if /dev/sdb is really your stick; (probably it is /dev/sdc or /sdd if you have more than one hd or ssd; then use this instead of sdb1 in the next command)
# mount -t vfat /dev/sdb1 /mnt/stick
# mkdir /mnt/old
# parted /dev/sda p
! be sure you are using the correct root partition; (my old root-partition is sda4; again, use your old root-partition instead in next command)
# mount -o ro /dev/sda4 /mnt/old
# mkdir /mnt/cr
! "cr" means crypt-root; (its just a name; of course you can use what you want)

Now we are ready to (a) create a random generated masterkey and setup the new root partition, (b) copy the old root partition into the new encrypted root partition, (c) compile the kernel with the new parameter in the kernel command line and (d) edit our fstab:
Code:
! (a)
# dd if=/dev/random of=/mnt/stick/mkey bs=1 count=64
! again, check your partitions and use yours instead of my sda5
# cryptsetup -d /mnt/stick/mkey -c aes-xts-plain64 -s 512 --allow-discards create cr /dev/sda5
! type YES in uppercase letters
# umount /mnt/stick
# mkfs.ext4 -E discard /dev/mapper/cr
# mount /dev/mapper/cr /mnt/cr
! (b)
# rsync --stats --progress --numeric-ids -axAhHSP  /mnt/old/ /mnt/cr
... have a coffee
# umount /mnt/old
! (c)
# mount -t proc /proc /mnt/cr/proc
# mount --rbind /sys /mnt/cr/sys
# mount --rbind /dev /mnt/cr/dev
# cd /mnt/cr
# chroot /mnt/cr /bin/bash
# . /etc/profile
! now we are in our encrypted new root and we should give root a new password ->
# passwd
# cd /usr/src/linux
# make menuconfig
! now memorize your secret master key to be able to put it into the built-in kernel command line ...
... joke
- select "Processor type and features" and then the line under "Built-in kernel command line"
- You should be now in "Built-in kernel command string". Type in
> dm-mod.create="cr,,,
- press ALT-F2 and type the following command
# dmsetup table --concise --showkeys /dev/mapper/cr
! mark the whole line beginning with "rw,0..." (so the first marked character is r)
- press ALT-F1 - you are now back in the kernel configuration menu
- insert with your mouse the whole bunch of your marked line; See example below
- type the closing " character behind allow_discards (I mean this->   "     )
- type a blank and add
> root=/dev/dm-0
- go back to x:x this is major:minor of your root partition, add 16 to minor or not; read now below !!
- dont forget the other settings for efi stub; See example below
- save and exit
# make
- take a second USB-Stick and connect it or use the first stick again
# mkdir -p /mnt/stick
# mount -t vfat /dev/sdb1 /mnt/stick
# mkdir -p /mnt/stick/EFI/BOOT
# cp arch/x86/boot/bzImage /mnt/stick/EFI/BOOT/bootx86.efi
# umount /mnt/stick
! (d)
! you should use label or UUID in your fstab (because if you boot from a stick, it become sda and your disk is now sdb)
# nano -w /etc/fstab
- change your entry for the root partition to this
> /dev/dm-0 / ext4 defaults,noatime  0 1
> PARTLABEL=swap none swap sw 0 0
# exit
# reboot
---
- press your BIOS' favorite key to get into bios boot override and select the stick for booting
.. pray

Kernel-Config:
Code:
Processor type and features  --->
[*] EFI runtime service support
[*]   EFI stub support
[*] Built-in kernel command line
(dm-mod.create="cr,,,rw,0 [size] crypt aes-xts-plain64 [your long masterkey in hex] 0 x:x 0 1 allow_discards" root=/dev/dm-0) Built-in kernel command string
[*]   Built-in command line overrides boot loader arguments

Device Drivers --->
[*] Multiple devices driver support (RAID and LVM)  --->
 [*]   Device mapper support
 [*]     Crypt target support
 [*]     DM "dm-mod.create=" parameter support

Cryptographic API --->
 [*]   XTS support
 [*]   SHA1 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)
 [*]   SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)
 [*]   SHA512 digest algorithm (SSSE3/AVX/AVX2)
 [*]   SHA224 and SHA256 digest algorithm
 [*]   AES cipher algorithms
 [*]   AES cipher algorithms (AES-NI)
 [*]   User-space interface for hash algorithms
 [*]   User-space interface for symmetric key cipher algorithms

I dont recommend to put your kernel into the boot partition at your hd or ssd. If you loose your notebook, you maybe be safe against script kiddies. But not for an expert, examining your unencrypted kernel in this partition. Removing the key (=stick) is the most secure way to protect your data on your encrypted root partition.

At first I had a kernel panic with:
device-mapper: table: 253:0 crypt: Device lookup failed
device-mapper: ioctl: error adding target to table

The reason was simple (it took me hours) ... When booting with a stick, it become /dev/sda and my SSD became /dev/sdb. But in kernel was 8:5 (major/minor) of my SSD-partition 5, when it was sda. After booting with the stick, partition 5 of my SSD is then 8:21. So I had to go into my encrypted partition and changed (via make menuconfig) this setting in the kernel command line. So, THINK, if you want to put your new kernel into the boot partition of your ssd (I dont recommend) then you must not add 16, because there is no change of the minor nr.

Edit 2022-07-07: The same is NOT true if you have your root partition on a NVMe. Here you have no changes of your major/minor number because nvme uses major/minor-number 259:x and booting from a stick will NOT change this (so, please DONT add 16 to your device numbers) (see also posts from @storopoli below).


Create a bootable USB Stick:
Code:
- connect your USB stick
# lsblk
! check if /dev/sdb is really your stick; (probably it is /dev/sdc or /sdd if you have more than one hd or ssd; then use this instead of sdb1 in the next command)
# parted -a optimal /dev/sdb
> p
! if any delete with "rm X"
> mklabel gpt
> unit mib
> mkpart primary 1 128
> name 1 boot
> set 1 boot on
> q
# mkfs.fat -F 32 /dev/sdb1
! setting "boot on" is important to get the ESP flag for this partition, so UEFI can find the kernel in it
! of course you can make more partition and use them


List of Links I used
https://www.redhat.com/archives/dm-devel/2019-February/msg00108.html
https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-init.html
https://gitlab.collabora.com/koike/dm-cmdline-test/-/blob/master/dm-cmd-test.sh
https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMCrypt
https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions
https://www.thenautilus.net/SW/gentoo-luks-secureboot/
http://man7.org/linux/man-pages/man8/dmsetup.8.html#CONCISE_FORMAT
https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption
https://wiki.gentoo.org/wiki/Dm-crypt


Last edited by pietinger on Thu Jul 07, 2022 1:00 am; edited 7 times in total
Back to top
View user's profile Send private message
msst
Apprentice
Apprentice


Joined: 07 Jun 2011
Posts: 259

PostPosted: Thu Apr 02, 2020 9:05 pm    Post subject: Reply with quote

This sounds interesting, but is there an option to get this going via a password prompt, using dm-crypt luks?

Currently I use such a setup with an initramfs.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5211
Location: Bavaria

PostPosted: Thu Apr 02, 2020 10:38 pm    Post subject: Reply with quote

msst wrote:
[...]via a password prompt, using dm-crypt luks?

Oh, we are prompting for a password ... at your login.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22796

PostPosted: Fri Apr 03, 2020 1:35 am    Post subject: Reply with quote

Prompting for a login password is too late. The drive has already been unlocked, and the only thing protecting it is that the system is hopefully not compliant until a password is entered. However, I don't see anything in your instructions to prevent an attacker simply adding init=/bin/sh to the kernel's command line, and then bypassing the getty challenge entirely.

The security of this method appears to turn entirely on preventing an attacker from obtaining a copy of the kernel, since the kernel can and will boot to an unlocked state without user intervention. Systems built around requiring a user password to unlock a LUKS volume turn on the quality of the user's LUKS password.
Back to top
View user's profile Send private message
msst
Apprentice
Apprentice


Joined: 07 Jun 2011
Posts: 259

PostPosted: Fri Apr 03, 2020 6:13 am    Post subject: Reply with quote

Quote:
Systems built around requiring a user password to unlock a LUKS volume turn on the quality of the user's LUKS password.


Correct. The initramfs prompts for the password and unlocks root, then later the root partition (encrypted) contains the master key to unlock a data partition without password. So the key is that the kernel has to prompt for the password for this new kernel option to be useful.
Back to top
View user's profile Send private message
axl
Veteran
Veteran


Joined: 11 Oct 2002
Posts: 1146
Location: Romania

PostPosted: Fri Apr 03, 2020 7:13 am    Post subject: Reply with quote

Hu wrote:
Prompting for a login password is too late. The drive has already been unlocked, and the only thing protecting it is that the system is hopefully not compliant until a password is entered. However, I don't see anything in your instructions to prevent an attacker simply adding init=/bin/sh to the kernel's command line, and then bypassing the getty challenge entirely.

The security of this method appears to turn entirely on preventing an attacker from obtaining a copy of the kernel, since the kernel can and will boot to an unlocked state without user intervention. Systems built around requiring a user password to unlock a LUKS volume turn on the quality of the user's LUKS password.


If you take a look at the proposed solution, you will notice he is loading the kernel directly as an efi shell, therefor there is no place to add arguments to the kernel. Never the less, you are not wrong. The kernel can be disassembled and the key can be extracted from the command line. Not to mention it will show up in dmesg in hex for every user to look at it, therefor removing the need for a key.

What you have here is a useless layer of encryption which only serves to slow your system down, because it adds no extra security.

For a security lock to work, you need to put the key as far away from the lock as possible. Systems which are encrypted are not supposed to be convenient. If they have the key inside the thing that is booting, then the encryption is useless. That was the whole point to begin with. They are not supposed to start unsupervised. That is the point. Only the guy with the key can turn these on/off. If this machine works without the key... why did you need the lock in the first place?
Back to top
View user's profile Send private message
alamahant
Advocate
Advocate


Joined: 23 Mar 2019
Posts: 3924

PostPosted: Fri Apr 03, 2020 9:15 am    Post subject: Reply with quote

What is the benefit in general of not using an initramfs?
Is it faster booting?
Thanks
:D
Back to top
View user's profile Send private message
tbart
Apprentice
Apprentice


Joined: 31 Oct 2004
Posts: 151

PostPosted: Fri Apr 03, 2020 10:38 am    Post subject: Reply with quote

Well, i mostly do the same (no grub, booting from EFI directly) but with an initramfs.
But this initramfs is included in the kernel, so I don't need any unencrypted partition (except the EFI one which you need anyway) on my disk.
The whole disk is LUKS encrypted using a password, no key or plaintext password for data partitions needed. If you like, use a USB stick. Or whatever scheme LUKS supports.

The build process is streamlined using a little script that does all that's necessary (building kernel, initramfs, including it into the kernel, copying it to the efi partition, updating boot entries)

Regarding speed:
Is 12s (excluding password input) to graphical login fast enough (this is a notebook, not a high end workstation/server)?

I like the flexibility of having an initramfs to e.g. include an SSH server or other stuff, should I ever need it, and frankly, a mere 20M kernel size is OK for me! Mounting a LUKS volume in another PC or recovery environment also seems easier to me...
Back to top
View user's profile Send private message
axl
Veteran
Veteran


Joined: 11 Oct 2002
Posts: 1146
Location: Romania

PostPosted: Fri Apr 03, 2020 10:47 am    Post subject: Reply with quote

USB stick is a good solution. As long as you don't leave it hanging around to be stolen.

pxe (tftp/dhcp) boot also works ok. I prefer this solution. The tftp server which has/holds the kernels/initramfs files/key files is a small raspberry pi I keep secured and offline and under locking key. I only connect it to the switch when I need to reboot something or update a kernel. Connect it, update, boot, disconnect.

EDIT: the reason I had to resort to this solution is because some of my systems are headless. None the less, even so, the key is not always bundled on the tftp server. I use that design for 1 of the servers, but not the others. I have to manually ssh (within the initramfs) to unlock the disk manually with password and then let the boot continue. I feel the last of the solutions is most secure, but kinda inconvenient. Not sure how I will move forward with these, but never the less I feel pxe booting allows for some flexibility.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22796

PostPosted: Sat Apr 04, 2020 12:54 am    Post subject: Reply with quote

axl wrote:
If you take a look at the proposed solution, you will notice he is loading the kernel directly as an efi shell, therefor there is no place to add arguments to the kernel.
Some EFI implementations allow the operator to drop into an interactive EFI shell, and from there to execute EFI programs (including Linux kernels) with user-chosen arguments appended. If the firmware is not locked, the operator could also try to create a new boot entry that always passes init=/bin/sh, avoiding the need to use the full EFI shell.
Back to top
View user's profile Send private message
axl
Veteran
Veteran


Joined: 11 Oct 2002
Posts: 1146
Location: Romania

PostPosted: Sat Apr 04, 2020 7:42 am    Post subject: Reply with quote

Even if firmware is locked, you could still move the drive to a system where the firmware is not locked. Or you could reset the firmware. Remove the battery. Remove the drive.

I think, most types of bios/firmware, even if locked with password, even if boot options have been limited (i.e. only boot from this disk), will try to boot other medium regardless. NOT ALL, but some. I tried. Set up boot... only boot this thing, remove that thing, and add another thing. Bios says... ohhh that thing is gone, maybe I'll try this other thing. And this is why I don't like USB devices.

What I learned in the past few years is that you can't trust manufacturers to do a proper firmware. On the other hand, if things were done properly, I would have been locked out of my systems several times over the last decade. :)

Anyway, thanks for that clarification. Now I'm curious how many of my systems actually implemented a full efi shell. Thanks for giving me something to do :)
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5211
Location: Bavaria

PostPosted: Sat Apr 04, 2020 10:19 am    Post subject: Reply with quote

Hu wrote:
The security of this method appears to turn entirely on preventing an attacker from obtaining a copy of the kernel,[...]

axl wrote:
For a security lock to work, you need to put the key as far away from the lock as possible.

Yes, hence I said the kernel must reside on a stick ... and only I am in the posession of it. When only I have the stick, the attacker would be myself. (and of course I use secureboot also)

However I would like to have a secure system beeing able to boot from disk (without tons of layers) instead of a stick. The minimum I need would be at first SecureBoot (I already have; I wrote a small guide in german: https://forums.gentoo.org/viewtopic-t-1109672.html). But the second thing I need I am still working/searching on:
At runtime I can create a mapping with dmsetup using a key in the kernel keyring (e.g.: "dmsetup create cr --table "0 $(blockdev --getsz /dev/sda5) crypt aes-xts-plain64 :64:user:mkey 0 /dev/sda5 0" which I can create before with: "dd if=/dev/random bs=1 count=64 status=none | keyctl padd user mkey @s"). But I need a key at boottime from EFI (or TPM). Until now I only managed to get my own (db-)certificate in the keyring ".platform". At the moment I check if there are options with IMA or/and EVM.
Back to top
View user's profile Send private message
storopoli
n00b
n00b


Joined: 06 Jul 2022
Posts: 2
Location: 23.3S 46.4W

PostPosted: Wed Jul 06, 2022 5:34 pm    Post subject: Update for a NVMe? Reply with quote

Dear @pietinger,

Thank you for the detailed guide.
I am having issues trying to do this in my laptop that has a NVMe instead of SSD.
The root partition is /dev/nvme0n1p3:

Code:

nvme0n1

├─nvme0n1p1
│    vfat               REDACTED                               224M    25% /boot
├─nvme0n1p2
│    swap               REDACTED                [SWAP]
└─nvme0n1p3
     crypto             REDACTED
  └─luks-REDACTED
     btrfs              REDACTED  800.4G    13% /


So we don't have /dev/sda /dev/sdb and so on.
Even booting from a live USB it displays the NVMe as nvme0n1

This is the output of my dmsetup table command:

Code:

luks-REDACTED: 0 1944487311 crypt aes-xts-plain64 :64:logon:cryptsetup:REDACTED 0 259:3 32768
[quote][/quote]


So my major block is 259 and my minor block is 3.

Do I need to add 16 to the minor as well?

Here is the dm.mod-create command that I am using:

Code:

dm-mod.create="cryptroot,,,rw,0 [size] crypt aes-xts-plain64 [your long masterkey in hex] 0 259:19 0 1 allow_discards" root=/dev/dm-0


And the /etc/fstab:

Quote:

/dev/dm-0 / btrfs compress=zstd9,relatime,rw 0 1


I am not having success with this setup.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5211
Location: Bavaria

PostPosted: Wed Jul 06, 2022 6:41 pm    Post subject: Reply with quote

Dear storopoli,

first of all: I havent tested it with btrfs (because I dont use it), but it should work with btrfs because dmcrypt is a layer below these filesystems. dmcrypt must know which partiton (of block device) is has to use and therefore needs major and minor number of it (and sorry for my poor english).

storopoli wrote:
So my major block is 259 and my minor block is 3.

Do I need to add 16 to the minor as well?

Here is the dm.mod-create command that I am using:

Code:

dm-mod.create="cryptroot,,,rw,0 [size] crypt aes-xts-plain64 [your long masterkey in hex] 0 259:19 0 1 allow_discards" root=/dev/dm-0


No, please dont add 16 ! This is only necessary when using a SCSI/SSD harddisk as root partition, because these are using block numbers starting with major device 8 (https://www.kernel.org/doc/Documentation/admin-guide/devices.txt) and becomes /dev/sda (or sdb or ...) AND usb sticks do ALSO using this major device ... :-(

Your nvme has 259 and it can never change => it is independant if there is an usb stick or not. So 259:3 can never change and you have to use this number.

As far as I understand you are using luks (or have used it). I dont think this will work (but really dont know). Yes, luks is using dmcrypt (it is on top of it), but plain dmcrypt dont understand luks containers. Here I cant help because I use only plain dmcrypt and have never made an encrypted partition with luks.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 54615
Location: 56N 3W

PostPosted: Wed Jul 06, 2022 7:36 pm    Post subject: Reply with quote

pietinger,

dm-mod.create= does work, I use it because I'm lazy. :)
I really need to create an initrd.

It's very fragile. If the size of the logical volume changes, the dm-mod.create= entry on the kernel command line needs to change or the the box will be unbootable.
It can describe a logical volume spanning several disjoint extents. The idea of keeping it up to date makes my head hurt.

device-mapper is not at all happy about finding one logical volume is use when it tries to start the rest either ... but it works.

/usr/src/linux/Documentation/admin-guide/devices.txt:

  259 block      Block Extended Major
                  Used dynamically to hold additional partition minor
                  numbers and allow large numbers of partitions per device

So the device minor numbers are dynamically allocated. That can and does create booting problems.

At least with grub once you know the new number, its possible to edit the kernel command line at boot time.

All in all, its an interesting curiosity but its not robust, so I would not recommend it.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
storopoli
n00b
n00b


Joined: 06 Jul 2022
Posts: 2
Location: 23.3S 46.4W

PostPosted: Wed Jul 06, 2022 8:14 pm    Post subject: Reply with quote

So that means that with NVMe, i.e. block 259, the device minor is not guaranteed to have the same number, so this creates boot problems?
I don't have a USB stick to test it right now.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5211
Location: Bavaria

PostPosted: Wed Jul 06, 2022 8:36 pm    Post subject: Reply with quote

storopoli wrote:
So that means that with NVMe, i.e. block 259, the device minor is not guaranteed to have the same number, so this creates boot problems?

No. The opposite is true: Because there is no mismatch / dependency with an usb stick when using a nvme (instead a ssd/scsc) both numbers - major+minor - will not change.

NeddySeagoon wrote:
It's very fragile. If the size of the logical volume changes, the dm-mod.create= entry on the kernel command line needs to change or the the box will be unbootable.
[...]
All in all, its an interesting curiosity but its not robust, so I would not recommend it.

Neddy, at this time (kernel is booting and starting dmcrypt and giving dmcrypt an internal paramter from built-in command line) dmcrypt can work ONLY with major/minor number (=there is no other chance; if "dm-mod.create=" would allow other infos like partuuid or partlabel I would have used it).
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 54615
Location: 56N 3W

PostPosted: Wed Jul 06, 2022 9:58 pm    Post subject: Reply with quote

pietinger,

I'm aware. My first brush with dm-mod.create is documented on the Wiki
I was trying to do root in lvm on top of raid5 with no initrd, but the kernel tries to create the device mapper volume before the raid set is started, so that was 'game over'.

Today my main system has a boot entry
Code:
MENU TITLE Syslinux Boot Menu
# 5.18.0-gentoo
LABEL Gentoo with Gentoo 5.18.0
        MENU LABEL Gentoo 5.18.0 Built in amdgpu
        LINUX 5.18.0-gentoo
        APPEND dm-mod.create="nvmestatic-root,,0,rw,0 4194304 linear /dev/nvme0n1p3 2048" root=/dev/dm-0 ro net.ifnames=0 acpi_enforce_resources=no

I can use /dev/nvme0n1p3 because I have a static /dev too.
If I ever grow /dev/mapper/nvmestatic-root, it will get an extra extent.

A part of my problem is that I have a static /dev but the kernel can change minor numbers under it, so the /dev/entries point to the wrong thing.
By using major/minor numbers, you are doing the same as having a static dev.

What happens to me is that occasionally, I make new kernel and find that things have changed, so I have to boot an old kernel to buy time to fix it.

The EFI System Partition is not encrypted, so the key is saved in the kernel in as easily extracted form, for anyone with physical access to the system.
Hu has already pointed this out.

Its an interesting fragile curiosity. That's all.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5211
Location: Bavaria

PostPosted: Thu Jul 07, 2022 12:27 am    Post subject: Reply with quote

NeddySeagoon wrote:
My first brush with dm-mod.create is documented on the Wiki

Neddy, this is a great article ! Thanks for sharing it (I must/want learn more about raid).

NeddySeagoon wrote:
I can use /dev/nvme0n1p3 because I have a static /dev too.

You are using dm-module "linear". Maybe ... this module is loaded after kernel has (read-)access to its root pratition and can use a /dev/xxx description ... but module "crypt" is not able to read root partition (must be loaded before any access to root partition).

NeddySeagoon wrote:
The EFI System Partition is not encrypted, so the key is saved in the kernel in as easily extracted form, for anyone with physical access to the system.
Hu has already pointed this out.

Yes, this is true (and yes, @Hu already pointed this out) IF you put this kernel into a partition on your harddisk ... but ... I already answered: You have to use this kernel residing on an usb stick (I recommended this in my first post). THEN it is more secure than all so-called "full disk encryption"- solutions ... EVEN if you are using TPM2 (because tpm2 can be hacked also: https://arstechnica.com/gadgets/2021/08/how-to-go-from-stolen-pc-to-network-intrusion-in-30-minutes/ ) This solution is IMHO the most secure solution for preventing against physical attacks (offline tampering): You have not one unencrypted file on your disk AND the key is seperated from your notebook - in usb stick - and not in a tpm (residing in your notebook).

(this is the reason why I gave up to search for a tpm2 solution).
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 54615
Location: 56N 3W

PostPosted: Thu Jul 07, 2022 3:56 pm    Post subject: Reply with quote

pietinger,

"linear" refers to the on disk data layout of the logical volume.
See Early creation of mapped devices

That link calls it "target_type".

By keeping the /boot separate from the encrypted system, security is improved, until they are both lost together. Then it no better than an unencrypted system.

Its still fragile for the reasons I've mentioned, so I don't recommend this solution.
Just like I don't recommend other things that i do :)
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5211
Location: Bavaria

PostPosted: Thu Jul 07, 2022 6:26 pm    Post subject: Reply with quote

NeddySeagoon wrote:
By keeping the /boot separate from the encrypted system, security is improved, until they are both lost together. Then it no better than an unencrypted system.

YES ! 8) Therefore I recommend (in my german guide) to move away your stick immediately after booting ;-) ... and dont put it in your notebook bag :lol:

(BTW: In my solution /boot is empty; on usb stick is only a (stub-)kernel (with integrated dmcrypt key); no grub or anything else is necessary)
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5211
Location: Bavaria

PostPosted: Thu Jul 07, 2022 7:03 pm    Post subject: Reply with quote

Neddy,

this thread is also - like your article - more a "proof-of-concept". Yes, there is a better solution than FDE (full disk encryption) and I dont recommend FDE in my german guide.

Maybe I should be more detailed in my thinkings about computer security (like I described in my german guide):

You have two kind of threats:
1. Online attack (via network; also via "special" crafted files you get, like mp4,pdf, mails, ...) and
2. Offline tampering (someone installs "evil" software/hardware on/in your computer)

It is obvious that a "full disk encryption" only protects you against offline tampering and NOT against online attacks. So ... what happens if you lose your notebook (or it was stolen) ? Do you ever get back your notebook ? Usually no. If your notebook is gone you have no influence what will be done with it (maybe it will be completly disassembled; who cares) ... your only wish is: It is impossible to read your personal data. So, ask yourself: Do I really need to protect against (2) ?

If NO: To protect your personal data if your notebook is stolen an encrypted /home is quite sufficient. For this solution I recommend "fscrypt".

If YES:

a) If you really think someone will break into your hardware, then you will have no chance against professionals -> "They" install a hidden hardware key logger ... (secrect services do this) ... so please forget it ... there is no security against these kind of threat.

b) If you want protection against not so professionals, there is a better solution than FDE: Use an exchangeable harddisk ! Yes, there exists also exchangeable SSDs ... shutdown your system before going home, and take this SSD home. Then take your exchangeable SSD and put it into your safe (instead an usb stick).


(Personal I dont have any encrypted data on my desktop and my notebook is using "fscrypt"; because I am more afraid with online attacks than offline tampering, and therefore using this solutions: hardened kernel, apparmor, IMA and firewall)
Back to top
View user's profile Send private message
X4DE
n00b
n00b


Joined: 03 Aug 2022
Posts: 2

PostPosted: Wed Aug 03, 2022 9:49 am    Post subject: Reply with quote

Code:

dm-mod.create='enc_gentoo,,,rw,0 420814848 crypt aes-xts-plain64 <key> 0 /dev/sda6 4096' root=/dev/dm-0
                                                                         ----------          ----------



how can I specify the device for **dm-mod.create** with uuids instead of /dev/<block_name> ?
I tried UUID=<uuid> & /dev/disk/by-uuid/<uuid> but no luck

I want to use this for a portable USB installation without initramfs, where grub will trigger the encrypted kernel.
(would also like to know if there's any other way to achieve the same)
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5211
Location: Bavaria

PostPosted: Wed Aug 03, 2022 9:57 am    Post subject: Reply with quote

X4DE,

Welcome to Gentoo Forums !

X4DE wrote:
how can I specify the device for **dm-mod.create** with uuids instead of /dev/<block_name> ?

AFAIK this is not possible because it accepts only major/minor number or /dev/xxxx (I am not sure about this). But if you want try, then try with PARTUUID and NOT with UUID (they are different).
Back to top
View user's profile Send private message
X4DE
n00b
n00b


Joined: 03 Aug 2022
Posts: 2

PostPosted: Wed Aug 03, 2022 10:45 am    Post subject: Reply with quote

pietinger wrote:
X4DE,

Welcome to Gentoo Forums !

X4DE wrote:
how can I specify the device for **dm-mod.create** with uuids instead of /dev/<block_name> ?

AFAIK this is not possible because it accepts only major/minor number or /dev/xxxx (I am not sure about this). But if you want try, then try with PARTUUID and NOT with UUID (they are different).


PARTUUIDs are only for partitions, sadly didn't worked for identifynig the luks partition
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum