Re: [EXT] Re: Questions about encrypting user homes by default




On Mon, Sep 23, 2019 at 10:07 AM Anderson, Charles R. <cra@xxxxxxx> wrote:
>
> On Mon, Sep 23, 2019 at 09:29:42AM -0600, Chris Murphy wrote:
> > > On Mon, Sep 23, 2019 at 4:36 pm, Sheogorath
> > > <sheogorath@xxxxxxxxxxxxxxxxxxx> wrote:
> > > > Doesn't make any sense to me. The reason to get a per-user encryption
> > > > sounds useful in order to reduce the leaking of user data when we have
> > > > multiple users per device. /home only encryption protects whom?
> >
> > It protects the users from 3rd parties. If POSIX permissions are
> > inadequate separation between users (and I agree that it could be),
> > then only encrypting user home directories is also inadequate. There
> > are ample attack vectors that remain to anyone with physical access.
> >
> >
> > > > An attacker with access to the disk can install malware and put it in
> > > > auto start. So there is no real protection here. When we encrypt
> > > > `/home`
> > > > we can encrypt the rest as well.
> >
> > The attacker can just as straightforwardly inject malware into the
> > initramfs. In the present Anaconda full disk encryption model, which
> > the encryption subgroup prefers to avoid for various UI/UX reasons
> > including limited a11y and i18n functionality, the /boot volume is not
> > encrypted.
>
> How about integrating with OPAL SSD/HDD hardware encryption?  The sedutil tool is in Fedora.  This would encrypt /boot too.

It's a good question.

Quite a lot of consumer SSD hardware these days is actually OPAL 2.0
compliant, with always-on encryption happening; it's just that out of
the box it's unlocked, so it appears unencrypted all the time (whereas
the encoding on the media is actually ciphertext, including the
bootloader, partition map, etc.). And because of this, there's no
performance penalty for this form of cryptographically secure storage.

Problems:
- Keep the SED's DEK or reset it? What's the default? Offer the user a choice?
- Dual boot complication. If you reset the SED's DEK, it means a
complete wipe of the drive; now your next step is to reinstall Windows
or macOS before installing Fedora, and then restore your user home
from backup.
- I'm not certain to what degree Apple hardware can deal with this.
- How common are OPAL 2.0 drives? What percent of users would be left
out? Yes it's possible to have a fallback scenario but that's actually
two projects rather than one project. Resources suggest we get to pick
one project. If the fallback position covers all the use cases, then
that should actually be the primary project, not the fallback, where
SED becomes an option if resources allow.
- I'm pretty sure sedutil requires kernel param libata.allow_tpm=1
which suggests a TPM is a hard requirement?

-- 
Chris Murphy
_______________________________________________
desktop mailing list -- desktop@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to desktop-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/desktop@xxxxxxxxxxxxxxxxxxxxxxx
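The two practical checks behind the last "Problems" items (how many drives actually report OPAL 2.0, and whether the kernel was booted with libata.allow_tpm=1) can be scripted. The following is an added example written for this archive page; it is not code from the thread, from sedutil or from Fedora. The scan text is a constructed sample laid out the way `sedutil-cli --scan` prints its columns (device, OPAL level, model, firmware), and the two kernel command lines are constructed as well. One point of fact worth knowing when reading the last bullet: libata.allow_tpm=1 is the libata switch that lets ATA Trusted Computing passthrough commands (TRUSTED SEND/RECEIVE) reach the drive; it is a kernel gate on those commands, not a dependency on a TPM chip.

```shell
#!/bin/sh
# Added example, not from the thread: inventory which drives report OPAL 2.0
# support in `sedutil-cli --scan` output and check whether the running kernel
# was booted with libata.allow_tpm=1 (the libata switch that allows the ATA
# Trusted Computing commands sedutil issues).

# Constructed sample in the layout sedutil-cli --scan prints:
# device, OPAL level ("2" = OPAL 2.0, "12" = OPAL 1 and 2, "No" = none),
# model, firmware. Not captured from a real machine.
SAMPLE_SCAN='Scanning for Opal compliant disks
/dev/sda    2  Crucial_CT250MX200SSD1                   MU01
/dev/sdb   No  ST4000DM000-1F2168                       CC52
/dev/nvme0 12  Samsung_SSD_970_EVO_500GB                2B2QEXE7
No more disks to scan'

# Constructed kernel command lines for the offline demonstration.
CMDLINE_WITH='BOOT_IMAGE=/vmlinuz root=/dev/sda2 libata.allow_tpm=1 quiet'
CMDLINE_WITHOUT='BOOT_IMAGE=/vmlinuz root=/dev/sda2 quiet'

# opal2_devices SCAN_TEXT: prints the devices whose level column is 2 or 12.
opal2_devices() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\/dev\// && ($2 == "2" || $2 == "12") { out = out (out ? " " : "") $1 }
        END { print out }'
}

# non_opal_devices SCAN_TEXT: prints the devices sedutil marks "No".
non_opal_devices() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\/dev\// && $2 == "No" { out = out (out ? " " : "") $1 }
        END { print out }'
}

# allow_tpm_set CMDLINE: succeeds only when libata.allow_tpm=1 is a whole word.
allow_tpm_set() {
    case " $1 " in
        *" libata.allow_tpm=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# summary SCAN_TEXT CMDLINE: one-line verdict a provisioning script could log.
summary() {
    if allow_tpm_set "$2"; then tpm=yes; else tpm=no; fi
    printf 'opal2=[%s] none=[%s] allow_tpm=%s\n' \
        "$(opal2_devices "$1")" "$(non_opal_devices "$1")" "$tpm"
}

# Offline demonstration on the constructed data.
summary "$SAMPLE_SCAN" "$CMDLINE_WITH"
summary "$SAMPLE_SCAN" "$CMDLINE_WITHOUT"

# Live run only when sedutil is installed and we are root (the scan needs it).
if command -v sedutil-cli >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    summary "$(sedutil-cli --scan 2>/dev/null)" "$(cat /proc/cmdline)"
fi
```

Run as root on a machine with sedutil installed and the last block reports the real inventory; without sedutil it only prints the two constructed cases. A drive listed under `none=` is one that a SED-based design would have to cover with the software fallback the message discusses.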



