Dm-Crypt LUKS questions on passwords

Discussion in 'all things UNIX' started by Palancar, Sep 21, 2013.

Thread Status:
Not open for further replies.
  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Hey guys thanks for entertaining this linux newbie. I am sage on Windows and write it all, but in this forum I am a tadpole at best. LOL!!

    OK so I am working on configuring a linux OS as many of you know. Going great. Installed some nice programs and the speed is awesome. I know I am going to have to rebuild but I don't care because it's fun. The only time crunch is the one I place upon myself.

    Here we go: Because of my needs I MUST have a fully encrypted laptop to carry around with me. I have downloaded the 12.04.3 alternate and have read through the process so I mostly get it. I am torn between Dm with LUKS and the older AES approach. I am leaning towards DM Crypt + LUKS and I will encrypt everything. I plan on placing /boot on a removable but bootable media so the laptop itself will be 100% encrypted while the linux OS is dismounted.

    That process is nothing too new since I have done it with TrueCrypt, PGP, and several other WDE products. Again, many years with this stuff on windows.

    Passwords: Just to be crystal clear on this if you can report some experiences to me. I create 25-40 character strong passwords and I don't mind keying such when I need to boot the OS. That is what I do with my windows WDE stuff. Using DM-Crypt is it possible to use a long password BUT when the OS asks for root authentication during updates, etc.... can you simply use an Admin user password that would be much shorter? I wouldn't want this shorter password to be available until the OS was mounted with the strong PBA password initially. I hope this question makes some sense.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Yes, the LUKS passphrase is just used for decrypting. Once the decrypted partition is mounted, you just need the user password (and root password, if root can login) for everything else.

    Using dm-crypt with LUKS, you can't change account password by rebooting, interrupting boot at grub, and mounting as writable. You can't get there after reboot unless you supply the LUKS passphrase.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Thanks for the comments.

    After a bunch of reading it appears that DM Crypt with LUKS is a more common selection than the traditional AES "other" approach, which is presented in the build. I am very familiar with TrueCrypt and their implementation. My needs are not "critical". Still I figure I may as well configure this machine so that no other person or three letter agency can access my drive without my support (providing password). Have any weaknesses in the implementation of DM Crypt been discussed here or elsewhere that someone is aware of? Any links would be appreciated. I don't mind taking the extra time to build this OS as bullet proof as is possible within reason.

    I will be carrying "boot" for the OS on removable media with all else fully encrypted.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    If you're willing to work at command line, you can specify just exactly how you want your disk encrypted. But you probably know that.

    The main "weakness" is the LUKS header, which makes "plausible deniability" (if really plausible) hard.

    There's an old thread with PaulyDefran (I think) about wiping and restoring the LUKS header. I've played around, and it seems reliable. But then you might have two flash chips to keep track of, one with /boot and another with the LUKS header. Or you could back up the LUKS header to a folder in /boot.
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    I am not looking to "play up" PD as a security angle. I simply want to make sure that should my laptop be "found"/taken without my consent, there is literally no way in hell the contents will ever be discovered. I spent a few hours today reading through the implementation of this encryption on linux. It's still a little confusing (under the hood) and yet very simple to install. I am the guy that will read for hours and install and re-install something to play with the "knobs and buttons". This is a hobby for me. I really have no reason to do this except that I want to learn it. Windows bores me after so many years. This is new.

    Question: What am I gaining by moving /boot to removable media? I know that would prevent /boot from being changed by an adversary, which is one thing. What info resides in boot that could betray me in my efforts to keep the machine's use private and "eyes only"? I might just leave boot on the machine. Still considering all angles. If in theory I lost my removable boot file is it something that would be easy to reproduce? In other words the missing boot file is not really a main security feature; it's the strong password, which only I know?
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    There's a command in the initramfs that points to the encrypted partition. Even if you've wiped the LUKS header, initramfs will look for it, and then complain to console that it can't find it. So, in order to hide the existence of an encrypted partition, /boot must be removed (stored on removable media or wiped) as well as the LUKS header.

    It's not that hard to recreate the /boot partition. At worst, you could back up the encrypted partition using dd, reinstall using the same partitioning etc that you did previously, and then overwrite the new encrypted partition with the old one. But getting to the data doesn't even require that. You can mount the encrypted partition in any Linux machine, decrypt and mount it.

    The old post that I mentioned is https://www.wilderssecurity.com/showthread.php?t=327715 at post #15.
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    First let me repeat because I don't think I am being totally clear. I am NOT trying to hide the fact that my laptop is encrypted in any fashion!! I would only remove /boot to improve security and for no other reason. My thinking was that an adversary could not maliciously change my boot by accessing the laptop either while I am online, or by physically editing the boot file in my absence. Physical control of any machine is the first line of defense. I store my machine so that it would be virtually impossible for someone to even touch the laptop without me knowing it happened.

    So in the final analysis this works similarly to TrueCrypt. Unless you are going to tamper with the headers (LUKS in this case), removing /boot doesn't really add to security very much (assuming no malicious messing with the loader). The security comes from the strong password and solid algo implementation.

    So just for the record and to be sure I don't have a leak in security. What info resides in /boot (since it won't be encrypted) that would create any security risk displaying what my machine's activities have been?

    fyi: I am going to start building a few of these machines to experiment with the process and get a better handle on where the weak points may lie.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    TrueCrypt lovers would disagree, because LUKS-encrypted partitions have headers, but TrueCrypt-encrypted partitions do not. But yes, they're similar.

    Yes. As long as you're not trying to hide the encrypted partition, removing /boot doesn't provide deniability.

    However, as you note, it may be possible to mess with /boot so as to (for example) save copies of keys, passwords, etc to /boot while the machine is up with the encrypted partition decrypted and mounted.

    Unless someone has messed with /boot, or unless you save anything to /boot, it's static, with no record of anything (except kernel updates). Saving anything to /boot obviously requires root rights, so adversaries would need to know your account password. If the screen is locked, they won't be getting that without rebooting, I think, which would then require knowing the LUKS passphrase.
     
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    mirimir,

    I appreciate you walking through this thread with me. This is a bit tougher than I thought. I loaded a few Desktop iso's and they run slick and fast. They offered no encryption though (home only - excluded). I just fired up the 12.04.3 alternate and that was a "shock". I need to read for several more days unless I am going to build a throw away VM as a trial. I don't quite understand the partitioning options as depicted. The alternate is not point and click like the regular desktop iso's are. That's OK but I had to stop and now I'll be reading around. I understand how to set the partitions using the desktop iso's but on the alternate it's a bit more confusing. My laptop is fully encrypted via windows stuff and I am wanting to build an ubuntu OS on a dedicated external as my linux machine. Placing the boot on the external I've done before.

    I'll be going to look around for some you tubes on encrypting with the alternate.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Got it - sort of. The confusing part is the partitioning before starting the install. I am plenty confident on a dedicated external drive because if anything goes wrong I simply blow it away and start over. Did that a few times already.

    The encryption went great. I am only using around 45 Gig on a 500 Gig drive to save time with all the re-do's. The rest is unallocated for now. I am using a 20-25 character ubuntu disk password, but only using a very short user/Admin password because I use it so many times while building the system. The short password only works when Ubuntu is mounted. Works nice.

    Using terminal and changing my user to root (and back) for installs is easy and safe. When the machine is down it's 20+ character security encryption using a secure algo!!
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Congratulations :)

    I've come to really like dm-crypt and LUKS. It's recommended, by the way, that you back up the LUKS header (somewhere secure, of course). However, I off-and-on use about 20 VMs and hosts encrypted with dm-crypt and LUKS, and I've never had a corrupted header. I've even recovered encrypted partitions from hosts with damaged RAID arrays, and from VMs with hosed /boot virtual HDDs.
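
What posts 4, 8 and 12 say about the LUKS header, as an added example that is not part of the thread: a parser for the LUKS1 on-disk header (the format current when this was written), run on a constructed sample. The field layout follows the LUKS1 on-disk format specification; the function names and all sample values are made up for illustration.

```python
import struct

# LUKS1 on-disk header, big-endian: 208 bytes of fixed fields + 8 key slots of 48 bytes.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD


def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob):
    """Return the cleartext metadata of a LUKS1 header, or None if it is not one."""
    if len(blob) < PHDR.size + 8 * SLOT.size or not blob.startswith(LUKS_MAGIC):
        return None  # too short or no LUKS magic, e.g. a wiped header
    (_, version, cipher, mode, hash_spec, payload_offset, key_bytes,
     _digest, _digest_salt, mk_iter, uuid) = PHDR.unpack_from(blob, 0)
    if version != 1:
        return None  # LUKS2 uses a different layout
    slots = []
    for i in range(8):
        state, iterations, _salt, km_sector, _stripes = SLOT.unpack_from(
            blob, PHDR.size + i * SLOT.size)
        if state not in (SLOT_ENABLED, SLOT_DISABLED):
            return None  # corrupted slot table
        slots.append({"slot": i, "enabled": state == SLOT_ENABLED,
                      "iterations": iterations, "key_material_sector": km_sector})
    return {"cipher": f"{_text(cipher)}-{_text(mode)}", "hash": _text(hash_spec),
            "key_bits": key_bytes * 8, "payload_sector": payload_offset,
            "mk_iterations": mk_iter, "uuid": _text(uuid), "slots": slots}


def build_sample_header():
    """Constructed sample: one passphrase in slot 0, slots 1-7 unused."""
    blob = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 64,
                     bytes(20), bytes(32), 50000,
                     b"00000000-0000-0000-0000-000000000000")
    for i in range(8):
        state = SLOT_ENABLED if i == 0 else SLOT_DISABLED
        blob += SLOT.pack(state, 120000 if i == 0 else 0, bytes(32), 8 + i * 504, 4000)
    return blob


if __name__ == "__main__":
    info = parse_luks1_header(build_sample_header())
    print(info["cipher"], info["key_bits"], [s["slot"] for s in info["slots"] if s["enabled"]])
    print(parse_luks1_header(bytes(592)))  # zeroed header area -> None
```

Everything the parser returns is stored unencrypted at the start of the partition, which is why a LUKS volume is recognizable as one. The key slots sit in the same region, so a header that is damaged or wiped without a backup leaves the data unrecoverable even with the correct passphrase.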
     
  13. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    I will back up my backups. LOL!! I have been reading around for the best way to do that with full linux encryption. My Macrium Pro rescue disk does great sector cloning from RAM. I'll probably use sector by sector since I am only going to use around 50 GB most likely. The other space (outside the Ubuntu system) will be encrypted partitions which will house files used by both linux and windows. I am probably going to use TrueCrypt for the other partitions and then I'll be able to swap the data back and forth easily using Fat32/NTFS for those filesystems. That way my windows OS and Ubuntu can both use those files/folders by mounting them in TrueCrypt. So far it seems to be working OK. Still playing and moving slowly and definitely not risking anything I don't have backed up several times over.

    I just downloaded the linux TC tar.gz to install again. For some reason I am having issues installing TC. It goes through all the motions but the icon doesn't show up on my desktop. My user is not always root so I bet that is the issue. I elevate to root in a terminal (sudo -i), enter my Admin password, and then the command to setup TC. I am missing something. I can see all the files getting added but the icon doesn't show up.


    What backup program or procedure do you recommend? The backup MUST be encrypted so sector based for only 50 GB seems the easiest, especially with all USB 3 hardware involved. I'll keep a few copies of boot. Do you think Macrium Pro sectoring will work well with Linux? It works flawlessly with my windows TC encryption. Never misses a beat on those.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I'm glad that you brought that up.

    Backup is discussed in section 6 of https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions. You can either back up the LUKS-encrypted partition, or back up the data from the LUKS-encrypted partition to another encrypted destination. If you back up the LUKS-encrypted partition, the backup will be large because the encrypted data can't be compressed. There are also risks in having multiple copies of the LUKS-encrypted partition, containing variously different data.

    One of the FAQ authors concludes:

    I use encrypted backup with tar and GnuPG.

    I backup LUKS header and key-slot separately.

    I don't know.
     