Full Disk Encryption

New features which should be implemented in Porteus; suggestions are welcome. All questions or problems with testing releases (alpha, beta, or rc) should go in their relevant thread here, rather than the Bug Reports section.
Post Reply
ashkenazi
White ninja
White ninja
Posts: 16
Joined: 27 Jan 2015, 08:40
Distribution: Porteus, BSD
Location: Backstage

Full Disk Encryption

Post#1 by ashkenazi » 01 Feb 2015, 18:12

It would be nice if there was an option to enable full disk encryption when installing Porteus to a hard drive. It's good for corporate users who carry around their laptops with sensitive data.

There's a tutorial on how to do it manually here:
ftp://ftp.slackware.com/pub/slackware/s ... _CRYPT.TXT

User avatar
fanthom
Site Admin
Site Admin
Posts: 4625
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE
Contact:

Re: Full Disk Encryption

Post#2 by fanthom » 02 Feb 2015, 23:22

it was mentioned couple of times on the forum before:
there is no benefit of full disk encryption. it makes the system only slower as modules must be decypted first then decompressed.

please encrypt your changes in save.dat (we have a GUI for this) and you are safe.
Please add [Solved] to your thread title if the solution was found.

ashkenazi
White ninja
White ninja
Posts: 16
Joined: 27 Jan 2015, 08:40
Distribution: Porteus, BSD
Location: Backstage

Re: Full Disk Encryption

Post#3 by ashkenazi » 03 Feb 2015, 10:02

Somebody could tamper with the kernel module and insert malicious code in it if the whole drive is not encrypted. Then it does not matter if a portion of the system is encrypted (the save.dat method), because upon decrypting, the malicious code could activate and the attacker would have access to the data.

squarefractal
White ninja
White ninja
Posts: 5
Joined: 02 Feb 2015, 13:08
Distribution: -----
Location: -----

Re: Full Disk Encryption

Post#4 by squarefractal » 03 Feb 2015, 17:19

You could simply use a read-only media like a CD to achieve this, even. Of course the safekeeping of the CD is your job, in that case though.

(You can then simply write a script that asks for the root password once and loads all your required modules.)

User avatar
fanthom
Site Admin
Site Admin
Posts: 4625
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE
Contact:

Re: Full Disk Encryption

Post#5 by fanthom » 04 Feb 2015, 16:21

@ashkenazi
modified kernel still wont be able to decrypt your save.dat

unless you mean that someone will get an access to you usb -> modify kernel in it -> give the stick back to you -> you'll keep using it as normal (providing password every boot)
this is possible but rather extreme rare scenario.

low benefit and lot of work - i wont be implementing this myself.
Please add [Solved] to your thread title if the solution was found.

tome
Contributor
Contributor
Posts: 577
Joined: 26 Jun 2013, 14:03
Distribution: x64 Openbox
Location: Poland
Contact:

Re: Full Disk Encryption

Post#6 by tome » 04 Feb 2015, 18:19

But you can check that you are not "infected" - for example script in changes that would check md5sums of activated modules, vmlinuz and initrd.xz.

KnallKopf
Samurai
Samurai
Posts: 134
Joined: 18 Sep 2012, 20:56
Distribution: Porteus 64bit KDE4
Location: Absurdistan

Re: Full Disk Encryption

Post#7 by KnallKopf » 07 Mar 2015, 14:45

to this problem, I just work
i have written a new cheatcode called "encr"

description:

encr=[S:]path1;path2;pathN

... Decrypt and mount filecontainer or partitions in the order path1 path2 pathN
The password will be saved in a variable and trying to use again.

If it was a decrypted changes container was used. It will trying to use the password from them.

The files will mount to /mnt/mapper/$FILENAME this path is after booting: /mnt/live/mnt/mapper/$FILENAME
If the path begun with /dev or /mnt they will not be changed but other like /porteus/* will changed.
The script setting the livecd path at the beginning, ex: /porteus/file.dat > /mnt/sr0/porteus/file.dat


The "S:" is for developing it save the password to [/mnt/live]/var/log/encr/.encrpw
It is dangerous to use them and should not be used.

example:
encr=/dev/sda3;/porteus/emod.luk;/porteus/matr1.luk;/mnt/mapper/matr1.luk/matr2.luk;/mnt/mapper/matr2.luk/matr3.luk
will mount in folling order:
/dev/sda3 > [/mnt/live]/mnt/mapper/sda3
/mnt/sr0/porteus/emod.luk > [/mnt/live]/mnt/mapper/emod.luk
/mnt/sr0/porteus/matr1.luk > [/mnt/live]/mnt/mapper/matr1.luk
/mnt/mapper/matr1.luk/matr2.luk > [/mnt/live]/mnt/mapper/matr2.luk
/mnt/mapper/matr2.luk/matr3.luk > [/mnt/live]/mnt/mapper/matr3.luk
if matr2.luk container have a other password like container (or partitions) before you will ask again
and the same password is used for matr3.luk

here the first draft for 64bit

it rebuild the cryptsetup
see crsetup_src/source/readme.txt

note:
If everyone use disk encryption use the "noswap" cheatcode to prevent that the password will public.
use only in conjuction:
with "noswap"
without "changes=.."
or only "changes=.. changes-ro"

KnallKopf
Samurai
Samurai
Posts: 134
Joined: 18 Sep 2012, 20:56
Distribution: Porteus 64bit KDE4
Location: Absurdistan

Re: Full Disk Encryption

Post#8 by KnallKopf » 07 Mar 2015, 15:30

but i have a question:

this cheatcode saving the password in a variable and put them to cryptsetup like:

Code: Select all

cryptsetup ... << EOF
${PASSWORD}
EOF
How dangerous is it ?
better use this cheadcode only in freshmode
I have no idea if the password show up somewhere in the system.

KnallKopf
Samurai
Samurai
Posts: 134
Joined: 18 Sep 2012, 20:56
Distribution: Porteus 64bit KDE4
Location: Absurdistan

Re: Full Disk Encryption

Post#9 by KnallKopf » 29 Mar 2015, 23:54

I have littlebit changing the cheatcode.
Now it supports plainmode, luks, truecrypt and veracrypt (experimental).
It seems to work fine (on 32 and 64bit), but it is not much tested, also be carefull.
The source and ready modules (not a ready CD, use ./source/initrd/mkcd.sh to build them) are here: crsetup_src3.tar.xz (md5 = 7077886e05beb90f7fc629ff44225ac3)
The full description are in the readme.txt included in the archive.

KnallKopf
Samurai
Samurai
Posts: 134
Joined: 18 Sep 2012, 20:56
Distribution: Porteus 64bit KDE4
Location: Absurdistan

Re: Full Disk Encryption

Post#10 by KnallKopf » 17 Aug 2015, 23:48

The compiling of crsetup_src3 fails (updated signature files)
for this reason i have move some signatur files.
here are the update: crsetup_src4.tar.xz
md5sum: 3d7aa1cbd000d74900947b635d9510b2

Post Reply