It would be nice if there was an option to enable full disk encryption when installing Porteus to a hard drive. It's good for corporate users who carry around their laptops with sensitive data.
There's a tutorial on how to do it manually here:
ftp://ftp.slackware.com/pub/slackware/s ... _CRYPT.TXT
Full Disk Encryption
New features which should be implemented in Porteus; suggestions are welcome. All questions or problems with testing releases (alpha, beta, or rc) should go in their relevant thread here, rather than the Bug Reports section.
ashkenazi
-
fanthom
- Moderator Team
- Posts: 5667
- Joined: 28 Dec 2010, 02:42
- Distribution: Porteus Kiosk
- Location: Poland
- Contact:
Re: Full Disk Encryption
Post#2 by fanthom » 02 Feb 2015, 23:22
it was mentioned couple of times on the forum before:
there is no benefit of full disk encryption. it makes the system only slower as modules must be decypted first then decompressed.
please encrypt your changes in save.dat (we have a GUI for this) and you are safe.
there is no benefit of full disk encryption. it makes the system only slower as modules must be decypted first then decompressed.
please encrypt your changes in save.dat (we have a GUI for this) and you are safe.
Please add [Solved] to your thread title if the solution was found.
fanthom
-
ashkenazi
- White ninja
- Posts: 16
- Joined: 27 Jan 2015, 08:40
- Distribution: Porteus, BSD
- Location: Backstage
Re: Full Disk Encryption
Post#3 by ashkenazi » 03 Feb 2015, 10:02
Somebody could tamper with the kernel module and insert malicious code in it if the whole drive is not encrypted. Then it does not matter if a portion of the system is encrypted (the save.dat method), because upon decrypting, the malicious code could activate and the attacker would have access to the data.
ashkenazi
-
squarefractal
- White ninja
- Posts: 5
- Joined: 02 Feb 2015, 13:08
- Distribution: -----
- Location: -----
Re: Full Disk Encryption
Post#4 by squarefractal » 03 Feb 2015, 17:19
You could simply use a read-only media like a CD to achieve this, even. Of course the safekeeping of the CD is your job, in that case though.
(You can then simply write a script that asks for the root password once and loads all your required modules.)
(You can then simply write a script that asks for the root password once and loads all your required modules.)
squarefractal
-
fanthom
- Moderator Team
- Posts: 5667
- Joined: 28 Dec 2010, 02:42
- Distribution: Porteus Kiosk
- Location: Poland
- Contact:
Re: Full Disk Encryption
Post#5 by fanthom » 04 Feb 2015, 16:21
@ashkenazi
modified kernel still wont be able to decrypt your save.dat
unless you mean that someone will get an access to you usb -> modify kernel in it -> give the stick back to you -> you'll keep using it as normal (providing password every boot)
this is possible but rather extreme rare scenario.
low benefit and lot of work - i wont be implementing this myself.
modified kernel still wont be able to decrypt your save.dat
unless you mean that someone will get an access to you usb -> modify kernel in it -> give the stick back to you -> you'll keep using it as normal (providing password every boot)
this is possible but rather extreme rare scenario.
low benefit and lot of work - i wont be implementing this myself.
Please add [Solved] to your thread title if the solution was found.
fanthom
-
tome
- Contributor
- Posts: 686
- Joined: 26 Jun 2013, 14:03
- Distribution: x64 Openbox
- Location: Russia is causing the immense damage to humanity
- Contact:
Re: Full Disk Encryption
Post#6 by tome » 04 Feb 2015, 18:19
But you can check that you are not "infected" - for example script in changes that would check md5sums of activated modules, vmlinuz and initrd.xz.
tome
-
KnallKopf
- Samurai
- Posts: 134
- Joined: 18 Sep 2012, 20:56
- Distribution: Porteus 64bit KDE4
- Location: Absurdistan
Re: Full Disk Encryption
Post#7 by KnallKopf » 07 Mar 2015, 14:45
to this problem, I just work
i have written a new cheatcode called "encr"
description:
encr=[S:]path1;path2;pathN
... Decrypt and mount filecontainer or partitions in the order path1 path2 pathN
The password will be saved in a variable and trying to use again.
If it was a decrypted changes container was used. It will trying to use the password from them.
The files will mount to /mnt/mapper/$FILENAME this path is after booting: /mnt/live/mnt/mapper/$FILENAME
If the path begun with /dev or /mnt they will not be changed but other like /porteus/* will changed.
The script setting the livecd path at the beginning, ex: /porteus/file.dat > /mnt/sr0/porteus/file.dat
The "S:" is for developing it save the password to [/mnt/live]/var/log/encr/.encrpw
It is dangerous to use them and should not be used.
example:
encr=/dev/sda3;/porteus/emod.luk;/porteus/matr1.luk;/mnt/mapper/matr1.luk/matr2.luk;/mnt/mapper/matr2.luk/matr3.luk
will mount in folling order:
/dev/sda3 > [/mnt/live]/mnt/mapper/sda3
/mnt/sr0/porteus/emod.luk > [/mnt/live]/mnt/mapper/emod.luk
/mnt/sr0/porteus/matr1.luk > [/mnt/live]/mnt/mapper/matr1.luk
/mnt/mapper/matr1.luk/matr2.luk > [/mnt/live]/mnt/mapper/matr2.luk
/mnt/mapper/matr2.luk/matr3.luk > [/mnt/live]/mnt/mapper/matr3.luk
if matr2.luk container have a other password like container (or partitions) before you will ask again
and the same password is used for matr3.luk
here the first draft for 64bit
it rebuild the cryptsetup
see crsetup_src/source/readme.txt
note:
If everyone use disk encryption use the "noswap" cheatcode to prevent that the password will public.
use only in conjuction:
with "noswap"
without "changes=.."
or only "changes=.. changes-ro"
i have written a new cheatcode called "encr"
description:
encr=[S:]path1;path2;pathN
... Decrypt and mount filecontainer or partitions in the order path1 path2 pathN
The password will be saved in a variable and trying to use again.
If it was a decrypted changes container was used. It will trying to use the password from them.
The files will mount to /mnt/mapper/$FILENAME this path is after booting: /mnt/live/mnt/mapper/$FILENAME
If the path begun with /dev or /mnt they will not be changed but other like /porteus/* will changed.
The script setting the livecd path at the beginning, ex: /porteus/file.dat > /mnt/sr0/porteus/file.dat
The "S:" is for developing it save the password to [/mnt/live]/var/log/encr/.encrpw
It is dangerous to use them and should not be used.
example:
encr=/dev/sda3;/porteus/emod.luk;/porteus/matr1.luk;/mnt/mapper/matr1.luk/matr2.luk;/mnt/mapper/matr2.luk/matr3.luk
will mount in folling order:
/dev/sda3 > [/mnt/live]/mnt/mapper/sda3
/mnt/sr0/porteus/emod.luk > [/mnt/live]/mnt/mapper/emod.luk
/mnt/sr0/porteus/matr1.luk > [/mnt/live]/mnt/mapper/matr1.luk
/mnt/mapper/matr1.luk/matr2.luk > [/mnt/live]/mnt/mapper/matr2.luk
/mnt/mapper/matr2.luk/matr3.luk > [/mnt/live]/mnt/mapper/matr3.luk
if matr2.luk container have a other password like container (or partitions) before you will ask again
and the same password is used for matr3.luk
here the first draft for 64bit
it rebuild the cryptsetup
see crsetup_src/source/readme.txt
note:
If everyone use disk encryption use the "noswap" cheatcode to prevent that the password will public.
use only in conjuction:
with "noswap"
without "changes=.."
or only "changes=.. changes-ro"
KnallKopf
-
KnallKopf
- Samurai
- Posts: 134
- Joined: 18 Sep 2012, 20:56
- Distribution: Porteus 64bit KDE4
- Location: Absurdistan
Re: Full Disk Encryption
Post#8 by KnallKopf » 07 Mar 2015, 15:30
but i have a question:
this cheatcode saving the password in a variable and put them to cryptsetup like:
How dangerous is it ?
better use this cheadcode only in freshmode
I have no idea if the password show up somewhere in the system.
this cheatcode saving the password in a variable and put them to cryptsetup like:
Code: Select all
cryptsetup ... << EOF
${PASSWORD}
EOFbetter use this cheadcode only in freshmode
I have no idea if the password show up somewhere in the system.
KnallKopf
-
KnallKopf
- Samurai
- Posts: 134
- Joined: 18 Sep 2012, 20:56
- Distribution: Porteus 64bit KDE4
- Location: Absurdistan
Re: Full Disk Encryption
Post#9 by KnallKopf » 29 Mar 2015, 23:54
I have littlebit changing the cheatcode.
Now it supports plainmode, luks, truecrypt and veracrypt (experimental).
It seems to work fine (on 32 and 64bit), but it is not much tested, also be carefull.
The source and ready modules (not a ready CD, use ./source/initrd/mkcd.sh to build them) are here: crsetup_src3.tar.xz (md5 = 7077886e05beb90f7fc629ff44225ac3)
The full description are in the readme.txt included in the archive.
Now it supports plainmode, luks, truecrypt and veracrypt (experimental).
It seems to work fine (on 32 and 64bit), but it is not much tested, also be carefull.
The source and ready modules (not a ready CD, use ./source/initrd/mkcd.sh to build them) are here: crsetup_src3.tar.xz (md5 = 7077886e05beb90f7fc629ff44225ac3)
The full description are in the readme.txt included in the archive.
KnallKopf
-
KnallKopf
- Samurai
- Posts: 134
- Joined: 18 Sep 2012, 20:56
- Distribution: Porteus 64bit KDE4
- Location: Absurdistan
Re: Full Disk Encryption
Post#10 by KnallKopf » 17 Aug 2015, 23:48
The compiling of crsetup_src3 fails (updated signature files)
for this reason i have move some signatur files.
here are the update: crsetup_src4.tar.xz
md5sum: 3d7aa1cbd000d74900947b635d9510b2
for this reason i have move some signatur files.
here are the update: crsetup_src4.tar.xz
md5sum: 3d7aa1cbd000d74900947b635d9510b2
KnallKopf
