On Wed, Dec 22, 2010 at 12:40:33PM +0000, Tom wrote: > Thanks for your answer! Now I understand a bit more but have even more > questions... > > > That is redundant. Just use the passphrase and do wthout the > > USB key. Also, why would you want to store a key-file in an MBR? > > That does not make sense. > > > Forget hiding anything. It is just not effective against > > any halfway competent attacker. And, as I said, forget about the > > keyfile. LUKS already has an encrypted master-key in the header. > > Your protection is the passphrase. > > > I want to use usb key and a key file to automate decryption process, in > a way. With this set-up I wont have to enter long and complicated > passphrase on each boot, key file will be automatically read from the > usb. Even with this set-up, the level of security you get is that of your passphrase. The "long and complicated" passphrase is necessary. However it is not that bad, see the FAQ, item on Entropy in passphrases. > Storing it in MBR is not essential, but it will provide additional > protection layer - "security through obscurity". Basically wothless against an attacker that has enough understanding of the subject matter to try attacking your set-up. The risk of damaging you data is greater than any potential security gain. > I do agree with you, > that it is useless against competent attacker. And will create even more > problems, Grub can overwrite key file or the other way around - making > system unbootable / impossible to decrypt. I just want to try and see if > I can pull it off and learn in the process of doing so. But, as I said, > MBR thing is not essential and I will be happy with plaintext key file > on usb. Ok. > > I don't think so. More correct would be that you cannot suspend > > to disk without re-entring your passphrase on un-suspend. > > That could be diffilult, and would be impossible with full > > disk encryption. On the other hand, full-disk encrypton > > is already impossible without BIOS support, you alwqays have > > at least the kernel an some tools unencrypted. > > > > Sounds to me some people were suspending to non-tnectypted > > disk here. However, suspend and hibernate is not something > > you usually do on a UNIX-like system. Maybe just do without > > it? I never found a any need to do it ever and it is a security > > risk. > > > Regular encryption and wipe the key from memory at the end of > > the suspend operaton. Sounds like a lot of effort for very little > > gain. > > > Information about swap leaking key file I found on Arch Linux wiki: > > https://wiki.archlinux.org/index.php/Talk:System_Encryption_with_LUKS_for_dm-crypt#Suspend_to_disk_instructions_are_insecure Ah, yes. THis stores the swap encryption key on disk unencrypted. That is an entirely separate issue and obviously insecure. > There was another web site as well mentioning this issue but I'm unable > to find it now. Suspend and hibernate are not things I can't live > without but if there is a option to have them enabled (in a secure > matter) I would like to try to. It's just the case of having the choice > to suspend against no choice whatsoever. Basically you need a set-up that asks the passphrase for everything again on un-suspend. If you just pit your swap through LUKS as well, with the master passphrase, then this is not a problem (but you may have difficulties to wake the machine up ;-) > > > 3. I'm looking into possibility of having boot partition on external usb > > > key and the whole HDD would be encrypted. > > > > What would be the benefit? > > > > Now, I'm not sure if its > > > possible at all and if yes, if its not beyond my current knowledge. > > > > If the USB is bootable on your cmputer, then it is rather simple. > > > > But > > > assuming (for now) that I can boot the system from usb key, will it work > > > with LUKS/dm-crypt? > > > > Yes. You need an unencrypted initrd on the key though. > > Again it's just proof of concept. It's not essential for security of my > data (I'm archaeologist so I don't deal with very sensitive data), I > just want to try if it's possible and if I'm able to figure out how to > do it. I couldn't find any informations about having a whole boot > partition on external usb with main HDD encrypted, so if I will manage > to do that I can contribute to overall knowledge. Ah. A few words about the Linux boot process then: 1. Kernel is loaded into RAM by _whatebver_ means 2. Kernel gets commandline patched in by _whatever_ means. 3. Control of machine is given to kernel by _whatever_ means. So. The _whatever_ here is typically a boot-loader like Grub, syslinux or loadlin. That is the thing you have to put on the USB storage and get to start from there. Second complication is that the kernel cannot access the root partition bevore decryption is set up, so the initrd will be its root. It basically (not quite, but enough to undertstand this) gets just put into memory besides the kernel, by _whatever_ means. After the kernel has control, id couldn't care less how it got into memory or was given control. There is a really clean cut here. You can, for example, get the decryption, initrd and kernel commandline figured out from HDD, and then copy the two files (initrd, kernel) to USB and get them loaded with GRUB with the same kernel commandline but GRUB installed on the USB device. The kernel does not care at all. > > > And that will be all, I think. Thanks everyone for your time and > > > patience! > > > > No problem. > > > > Also, *read the FAQ*, especially the section about backup > > and recovery from overwtitten LUKS headers. > > Thanks again! I did my backups already - on external HDD and dvd's (OK, > I'm a little bit paranoid!). As you confirmed that having boot on > external usb is possible (yes, my BIOS is supporting booting from usb) > now I have to look into that. Have fun! Certainly a good way to understand these things better. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
