[opensuse] Whole disk encryption?
Hi Folks,
The IA Overlords are rattling their sabres again and are demanding that Whole Disk Encryption be applied to all systems to protect data while it's "resting". Basically, if a system is off, all data on non-volatile memory devices has to be encrypted. A TPM can be used for authentication once power is supplied, or the system could prompt for a password before booting.
Would openSuSE, or anything else for that matter, support this kind of a thing? I think TrueCrypt came close, but how would it handle multiple 70-TB partitions?
Regards, Lew
On Wed, 10 Jun 2015 09:24:57 -0700, Lew Wolfgang wrote:
Would openSuSE, or anything else for that matter, support this kind of a thing? I think TrueCrypt came close, but how would it handle multiple 70-TB partitions?
Yes, creating LVM on top of encrypted partition should work. Downside is that you will need to enter password at least twice - for bootloader to unlock /boot and kernel to unlock / (even if they are on the same filesystem).
On 06/10/2015 09:51 AM, Andrei Borzenkov wrote:
Yes, creating LVM on top of encrypted partition should work. Downside is that you will need to enter password at least twice - for bootloader to unlock /boot and kernel to unlock / (even if they are on the same filesystem).
Thanks Andrei. Would this work with RAID-6 partitions too?
Would there be any way to have a TPM (Trusted Platform Module) provide the passwords? I think this is how Windows does it in some environments.
Regards, Lew
Hello.
The question with the regulators is always whether or not "Whole Disk Encryption" does also include the MBR and the service partitions. In order to avoid any problem I would put anything required to boot the system on a removable device, to be unplugged when the system is off. (+bios with password, boot only from the external device, etc etc etc) So that "Whole Disk Encryption" is indisputably true with the systems shut-down. And also use only encrypted partitions (with or without LVM) as suggested.
Marco
On 2015-06-10 19:19, Lew Wolfgang wrote:
Thanks Andrei. Would this work with RAID-6 partitions too?
The raid provides a device, perhaps "/dev/md0". You can encrypt that, using LUKS, which provides a device such as "/dev/mapper/cr_theraid". Well, you mount that.
Another possibility is the "ATA Security Feature Set" - see hdparm(8). To boot such a disk I think you need support from the BIOS, it has to prompt for the password. Nothing is readable, not even the boot code. I don't have any experience with this, and the encryption is up to the disk manufacturer. The advantage is that it is very fast.
--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On Wed, 10 Jun 2015 10:19:59 -0700, Lew Wolfgang wrote:
Thanks Andrei. Would this work with RAID-6 partitions too?
Is it hardware RAID6? Linux MD? LVM RAID6? In principle it does not matter - you have underlying device and create encrypted container on top of it. Which exact combination is supported by yast - I do not know (I think encrypted container on top of Linux MD works).
Would there be any way to have a TPM (Trusted Platform Module) provide the passwords? I think this is how Windows does it in some environments.
I am not aware of any integration with LUKS and it will not work with grub2. There was trusted grub project that did it.
On 06/10/2015 12:51 PM, Andrei Borzenkov wrote:
Yes, creating LVM on top of encrypted partition should work.
See variously
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
which also covers
* LUKS on LVM
* LVM on LUKS
There really ought to be an encryption option to pvcreate or lvcreate but there isn't.
Here is a configuration cheat guide I use for configuring Encrypted
SWAP with a random generated Key at boot. This configuration breaks
suspend to disk so be sure to reconfigure power management if you use
it.
I encrypt everything with LUKS/DMCrypt except /boot and /boot/efi but
I have been looking at encrypting /boot as well with a new method I
found which requires UEFI. I have not tested it yet but I do not think
it is really necessary.
YaST can perform almost all the LUKS/DMCrypt setup except it used to
provide an error when encrypting the root partition which had to be
configured manually.
I just used this on a new Fedora 22 Install and it works well with no
issues. I also made two swap partitions and encrypted both and
configured both to priority 1 to test striping which also works.
You may want to overwrite swap three times if you are in a
security-sensitive environment, with dd, instead of just once; you can
do this by running the command three times.
It would be nice if there was a configuration option on the openSUSE
installation DVD to do this but currently I do not think there is.
On 2015-06-11 01:08, Timothy Butterworth wrote:
It would be nice if there was a configuration option on the openSUSE installation DVD to do this but currently I do not think there is.
There is.
It is done by encrypting a big chunk of the hard disk, placing an LVM container on it, and inside, all the partitions. root, home, swap. There is an external boot partition, in the clear. And it doesn't break hibernation.
--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On Wed, Jun 10, 2015 at 7:14 PM, Carlos E. R. wrote:
There is.
It is done by encrypting a big chunk of the hard disk, placing an LVM container on it, and inside, all the partitions. root, home, swap. There is an external boot partition, in the clear. And it doesn't break hibernation.
Thanks Carlos, I do not really use LVM so I probably never noticed it. Does YaST still give the error that prevents encrypting root when it is a standard partition? I have been using Fedora-22 recently and just reloaded all my systems with it.
On 2015-06-11 01:19, Timothy Butterworth wrote:
Thanks Carlos, I do not really use LVM so I probably never noticed it. Does YaST still give the error that prevents encrypting root when it is a standard partition? I have been using Fedora-22 recently and just reloaded all my systems with it.
YaST sets up full system encryption the way I described, with LVM. Encrypting via separate root partition is not covered, thus the error. Years ago they analyzed the possibilities, and they did it this way.
--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On 6/10/2015 4:14 PM, Carlos E. R. wrote:
It is done by encrypting a big chunk of the hard disk, placing an LVM container on it, and inside, all the partitions. root, home, swap. There is an external boot partition, in the clear. And it doesn't break hibernation.
I thought the OP stated the Pointy Haired Bosses demanded whole disk encryption?
Would there not be an avenue of exposure with /boot in the clear?
On 2015-06-11 01:40, John Andersen wrote:
I thought the OP stated the Pointy Haired Bosses demanded whole disk encryption?
Real whole disk encryption needs to be done in firmware. Any software solution is partial.
Would there not be an avenue of exposure with /boot in the clear?
There will always be some code in the clear, be it a partition, another disk, or bios code. For instance, to have /boot encrypted, something needs to read and decrypt it, meaning grub. But then at least grub itself has to be in the clear. To encrypt also grub, you need the decryption code to be read from somewhere, in the clear: it could be from firmware, bios, another boot disk...
A removable boot disk, you say? Well, they are easy to remove by an attacker, which can then clone and study it, even more easily than an internal partition for /boot, and finally replace the media with another one of his design. Like one that simply captures the password.
Which is the reasoning for having it in grub+efi, and have efi boot code protection - what, the evil empire to the rescue? Wasn't it a Microsoft complot against free software? LOL, no.
--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
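One way to check the layouts discussed in this thread (LVM inside LUKS, LUKS on top of an MD RAID device, /boot or swap left in the clear) against the "encrypted when off" requirement. This is an added example, not part of any poster's message: it walks `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output and lists every mounted filesystem or active swap area that has no dm-crypt layer beneath it. The device names and the sample output are constructed.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output:
# sda carries a clear /boot, a LUKS container holding LVM, and a stray clear
# swap partition; md0 is a RAID-6 array (one member shown) with LUKS on top.
SAMPLE = """
{"blockdevices": [
 {"name":"sda","type":"disk","fstype":null,"mountpoint":null,"children":[
  {"name":"sda1","type":"part","fstype":"ext4","mountpoint":"/boot"},
  {"name":"sda2","type":"part","fstype":"crypto_LUKS","mountpoint":null,"children":[
   {"name":"cr_system","type":"crypt","fstype":"LVM2_member","mountpoint":null,"children":[
    {"name":"system-root","type":"lvm","fstype":"ext4","mountpoint":"/"},
    {"name":"system-swap","type":"lvm","fstype":"swap","mountpoint":"[SWAP]"}]}]},
  {"name":"sda3","type":"part","fstype":"swap","mountpoint":"[SWAP]"}]},
 {"name":"sdb","type":"disk","fstype":"linux_raid_member","mountpoint":null,"children":[
  {"name":"md0","type":"raid6","fstype":"crypto_LUKS","mountpoint":null,"children":[
   {"name":"cr_theraid","type":"crypt","fstype":"xfs","mountpoint":"/data"}]}]}
]}
"""

def walk(devices, under_crypt=False, chain=()):
    """Yield (mountpoint, device chain, encrypted) for every device in use."""
    for dev in devices:
        path = chain + (dev["name"],)
        # A device is protected at rest if it, or any ancestor, is dm-crypt.
        enc = under_crypt or dev.get("type") == "crypt"
        if dev.get("mountpoint"):          # mounted fs, or "[SWAP]" for swap
            yield dev["mountpoint"], "/".join(path), enc
        yield from walk(dev.get("children") or [], enc, path)

def classify(lsblk_json):
    """Split in-use devices into those with and without a crypt layer."""
    result = {"cleartext": [], "encrypted": []}
    for mountpoint, path, enc in walk(json.loads(lsblk_json)["blockdevices"]):
        result["encrypted" if enc else "cleartext"].append((mountpoint, path))
    return result

if __name__ == "__main__":
    for mountpoint, path in classify(SAMPLE)["cleartext"]:
        print(f"NOT ENCRYPTED AT REST: {mountpoint} on {path}")
```

The check sees only block-device layering; boot code that lives outside a partition (MBR, firmware) does not appear in lsblk output.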
On Thu, 11 Jun 2015 01:14:34 +0200, "Carlos E. R." wrote:
It is done by encrypting a big chunk of the hard disk, placing an LVM container on it, and inside, all the partitions. root, home, swap. There is an external boot partition, in the clear.
It also works with /boot on encrypted filesystem (except in case of EFI secure boot, but it could be fixed by manually editing grub.cfg generated by shim install script).
participants (7)
- Andrei Borzenkov
- Anton Aylward
- Carlos E. R.
- John Andersen
- Lew Wolfgang
- Marco
- Timothy Butterworth