[opensuse] Encryption in a VM?
I'm about to setup a new virtual box VM.
I see VB has the ability to encrypt the VM in full, or I can use LUKS to do it at the openSUSE level.
I don't want to do both due to paying double the performance hit.
Does anyone know the pros / cons of using VB to encrypt vs LUKS?
Can both achieve DOD level security?
If I go with LUKS, it will be a first for me. Is there a simple write-up of how to do that via the Yast Installer?
Thanks Greg -- Greg Freemyer www.IntelligentAvatar.net
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 06/28/2016 11:05 PM, Greg Freemyer wrote:
I'm about to setup a new virtual box VM.
I see VB has the ability to encrypt the VM in full, or I can use LUKS to do it at the openSUSE level.
I don't want to do both due to paying double the performance hit.
Does anyone know the pros / cons of using VB to encrypt vs LUKS?
Can both achieve DOD level security?
If I go with LUKS, it will be a first for me. Is there a simple write-up of how to do that via the Yast Installer?
Thanks Greg -- Greg Freemyer www.IntelligentAvatar.net
Hi Greg,
I think one important question is: What are you trying to protect yourself from? (ie. what is the "threat")
If you just want to keep the content of the filesystem secret then LUKS will probably be the best way to go since I imagine it has far more documentation as well as being more close to something standardized so it would probably be easier to migrate between vms. IIRC the installer has an easy option to enable LUKS (https://openqa.opensuse.org/tests/217027#step/partitioning_lvm/1)
Can't comment on VB as I don't use it.
-- Regards, Uzair Shamim
29.06.2016 06:47, Uzair Shamim wrote:
On 06/28/2016 11:05 PM, Greg Freemyer wrote:
I'm about to setup a new virtual box VM.
I see VB has the ability to encrypt the VM in full, or I can use LUKS to do it at the openSUSE level.
I don't want to do both due to paying double the performance hit.
Does anyone know the pros / cons of using VB to encrypt vs LUKS?
Can both achieve DOD level security?
If I go with LUKS, it will be a first for me. Is there a simple write-up of how to do that via the Yast Installer?
Thanks Greg -- Greg Freemyer www.IntelligentAvatar.net
Hi Greg,
I think one important question is: What are you trying to protect yourself from? (ie. what is the "threat")
If you just want to keep the content of the filesystem secret then LUKS will probably be the best way to go since I imagine it has far more documentation as well as being more close to something standardized so it would probably be easier to migrate between vms. IIRC the installer has an easy option to enable LUKS (https://openqa.opensuse.org/tests/217027#step/partitioning_lvm/1)
This is something relatively new and exists only in TW (maybe it will appear in Leap 42.2, do not know). My experience so far was that while full disk encryption using LVM container was possible in installer, exact steps how to convince installer to do it are random and in any case you had to use expert mode for it. Also installer in the past forced unencrypted /boot. Not sure what it does now.
... quick test - it still offers separate /boot partition, but if you delete it in expert mode it does not complain. All this on legacy BIOS system with MBR - one of the surprises found during last discussion on this was that installer behaves differently on BIOS/MBR and EFI/GPT.
Can't comment on VB as I don't use it.
On Wednesday 29 June 2016 07:51:50 Andrei Borzenkov wrote:
[…]
I think one important question is: What are you trying to protect yourself from? (ie. what is the "threat")
If you just want to keep the content of the filesystem secret then LUKS will probably be the best way to go since I imagine it has far more documentation as well as being more close to something standardized so it would probably be easier to migrate between vms. IIRC the installer has an easy option to enable LUKS (https://openqa.opensuse.org/tests/217027#step/partitioning_lvm/1) This is something relatively new and exists only in TW (may be it will appear in Leap 42.2, do not know). My experience so far was that while full disk encryption using LVM container was possible in installer, exact steps how to convince installer to do it are random and in any case you had to use expert mode for it.
Maybe I understand you wrong but I had no problems with Leap 42.1 running all-encrypted cryptlvm scenario. I only observed problems when the harddisk is not clean before installation. It tries to do the right thing and unlock any encrypted volume but it might make unexpected partitioning proposals. Cleaning the disk beforehand, i.e. removing all partitions showed no problems.
On Tue, Jun 28, 2016 at 11:47 PM, Uzair Shamim <ushamim@linux.com> wrote:
On 06/28/2016 11:05 PM, Greg Freemyer wrote:
I'm about to setup a new virtual box VM.
I see VB has the ability to encrypt the VM in full, or I can use LUKS to do it at the openSUSE level.
I don't want to do both due to paying double the performance hit.
Does anyone know the pros / cons of using VB to encrypt vs LUKS?
Can both achieve DOD level security?
If I go with LUKS, it will be a first for me. Is there a simple write-up of how to do that via the Yast Installer?
Thanks Greg -- Greg Freemyer www.IntelligentAvatar.net
Hi Greg,
I think one important question is: What are you trying to protect yourself from? (ie. what is the "threat")
A very fair question. I guess my concern would equate to industrial espionage, whether that be by a company or state sponsored. (ie. The Chinese military is believed to have a very large and successful industrial espionage effort in place.)
If you just want to keep the content of the filesystem secret then LUKS will probably be the best way to go since I imagine it has far more documentation as well as being more close to something standardized so it would probably be easier to migrate between vms. IIRC the installer has an easy option to enable LUKS (https://openqa.opensuse.org/tests/217027#step/partitioning_lvm/1)
Everyone seems to be recommending LUKS, so I'll give it a shot.
Can't comment on VB as I don't use it.
I'm starting to rethink using VB. My plan at present is:
- Use a Windows 7 based laptop to run an openSUSE VM.
- Keep my confidential data in the VM
The trouble I see now is that Windows 7 isn't exactly known for its security. If it were penetrated, then a key logger could be installed that could capture my password when I type it in.
I assume VB / VMware / etc. have no special precautions to keep a key logger from monitoring all user activity?
Maybe the safest thing is either to dual boot or get a dedicated laptop for this work.
Thanks Greg
On 2016-06-29 19:51, Greg Freemyer wrote:
The trouble I see now is that Windows 7 isn't exactly known for its security. If it were penetrated, then a key logger could be installed that could capture my password when I type it in.
I'm unsure who handles the keyboard when the guest is active. The host or the guest? Does it change if the guest is in a window compared to full screen?
I assume VB / VMware / etc. have no special precautions to keep a key logger from monitoring all user activity?
I don't think so. Those things are why the web sites of banks, for instance, request passwords via clicking on a keyboard displayed on the screen, even randomizing the keys positions, disabling the real keyboard. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Wed, Jun 29, 2016 at 2:51 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
I assume VB / VMware / etc. have no special precautions to keep a key logger from monitoring all user activity?
I don't think so.
Those things are why the web sites of banks, for instance, request passwords via clicking on a keyboard displayed on the screen, even randomizing the keys positions, disabling the real keyboard.
Can't say I've ever seen that. I do see the "I'm human" etc. boxes. I wondered how that worked, now I know. Greg -- Greg Freemyer www.IntelligentAvatar.net
On 06/29/2016 02:51 PM, Carlos E. R. wrote:
On 2016-06-29 19:51, Greg Freemyer wrote:
The trouble I see now is that Windows 7 isn't exactly known for its security. If it were penetrated, then a key logger could be installed that could capture my password when I type it in.
I'm unsure who handles the keyboard when the guest is active. The host or the guest? Does it change if the guest is in a window compared to full screen?
I believe it depends on if you do a full passthrough to the guest or not. For example in virt-manager you can add your physical keyboard to the guest which will make it stop working on the host until you remove it again from the guest (this also applies to usb storage and mouse btw). The only question is if it is secure, which I guess means how much do you trust the host? If the host is compromised at the admin/root level then it's probably trivial to sniff the key presses.
I assume VB / VMware / etc. have no special precautions to keep a key logger from monitoring all user activity?
I don't think so.
Those things are why the web sites of banks, for instance, request passwords via clicking on a keyboard displayed on the screen, even randomizing the keys positions, disabling the real keyboard.
Which is quite silly because users will then just choose really terrible, short passwords since they don’t want to go to the trouble of clicking the right keys for a 32 char. password. -- Regards, Uzair Shamim
On 2016-06-29 21:10, Uzair Shamim wrote:
Those things are why the web sites of banks, for instance, request passwords via clicking on a keyboard displayed on the screen, even randomizing the keys positions, disabling the real keyboard.
Which is quite silly because users will then just choose really terrible, short passwords since they don’t want to go to the trouble of clicking the right keys for a 32 char. password.
It is usually done with numerical pins, and these have to pass a check at creation time. Not the login pin, but the one used on operations. Next step will be that those keyboard will randomize the keys on each keypress. Ha! I have to speak out loud as I type carefully. Three mistakes and I'm out, I think. Oh, by the way: some keyloggers are hardware things. Inserted in the cable. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 06/29/2016 03:34 PM, Carlos E. R. wrote:
On 2016-06-29 21:10, Uzair Shamim wrote:
Those things are why the web sites of banks, for instance, request passwords via clicking on a keyboard displayed on the screen, even randomizing the keys positions, disabling the real keyboard.
Which is quite silly because users will then just choose really terrible, short passwords since they don’t want to go to the trouble of clicking the right keys for a 32 char. password.
It is usually done with numerical pins, and these have to pass a check at creation time. Not the login pin, but the one used on operations.
Ah okay, I thought you meant the passwords to login :) The real thing that would help banks is using 2FA but it doesn’t seem like any in my country care about that, they are too busy being stuck in the 90s (https://twofactorauth.org/).
Next step will be that those keyboard will randomize the keys on each keypress.
Ha! I have to speak out loud as I type carefully. Three mistakes and I'm out, I think.
Oh, by the way: some keyloggers are hardware things. Inserted in the cable.
-- Regards, Uzair Shamim
On 2016-06-29 21:41, Uzair Shamim wrote:
On 06/29/2016 03:34 PM, Carlos E. R. wrote:
It is usually done with numerical pins, and these have to pass a check at creation time. Not the login pin, but the one used on operations.
Ah okay, I thought you meant the passwords to login :) The real thing that would help banks is using 2FA but it doesn’t seem like any in my country care about that, they are too busy being stuck in the 90s (https://twofactorauth.org/).
Now that I think, I think I have seen it with that second pass, that you get on the phone via SMS. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 06/30/2016 08:09 AM, Carlos E. R. wrote:
On 2016-06-29 21:41, Uzair Shamim wrote:
On 06/29/2016 03:34 PM, Carlos E. R. wrote:
It is usually done with numerical pins, and these have to pass a check at creation time. Not the login pin, but the one used on operations.
Ah okay, I thought you meant the passwords to login :) The real thing that would help banks is using 2FA but it doesn’t seem like any in my country care about that, they are too busy being stuck in the 90s (https://twofactorauth.org/).
Now that I think, I think I have seen it with that second pass, that you get on the phone via SMS.
Ah but 2FA over SMS is not so great (still better than no 2FA though)! https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication... -- Regards, Uzair Shamim
On 2016-07-01 09:08, Uzair Shamim wrote:
On 06/30/2016 08:09 AM, Carlos E. R. wrote:
On 2016-06-29 21:41, Uzair Shamim wrote:
On 06/29/2016 03:34 PM, Carlos E. R. wrote:
It is usually done with numerical pins, and these have to pass a check at creation time. Not the login pin, but the one used on operations.
Ah okay, I thought you meant the passwords to login :) The real thing that would help banks is using 2FA but it doesn’t seem like any in my country care about that, they are too busy being stuck in the 90s (https://twofactorauth.org/).
Now that I think, I think I have seen it with that second pass, that you get on the phone via SMS.
Ah but 2FA over SMS is not so great (still better than no 2FA though)! https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication...
I can't read it. I get a banner: "Here’s The Thing With Ad Blockers" That is, they use intrusive commercials, I block them, and they retaliate by not displaying the content. So I click on the "book" icon.
Yes, of course, if they convince your supplier to change the phone number, you are sold. Huh, hacking into SS7! That's very dangerous. I wondered why they didn't do it before. They need placing "towers", though.
Yes, interesting article. I have seen one bank issue the 2FA with an android APP. Now I know why. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Wed, Jun 29, 2016 at 3:34 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
Oh, by the way: some keyloggers are hardware things. Inserted in the cable.
Yes, easily found in "spy stores". I've never bought one. I came across one of those in use in the real world a few years ago. Back when PS/2 ports were still the norm. Greg -- Greg Freemyer www.IntelligentAvatar.net
On 2016-06-29 21:45, Greg Freemyer wrote:
On Wed, Jun 29, 2016 at 3:34 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
Oh, by the way: some keyloggers are hardware things. Inserted in the cable.
Yes, easily found in "spy stores". I've never bought one.
I came across one of those in use in the real world a few years ago. Back when PS/2 ports were still the norm.
I have seen them in clear view on a school, so that the teacher can see what the students do, and take over. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 06/29/2016 11:51 AM, Carlos E. R. wrote:
I'm unsure who handles the keyboard when the guest is active. The host or the guest? Does it change if the guest is in a window compared to full screen?
I believe it's always the host OS that is going to get the keyboard interrupt and read the keyboard buffer, and then pass it to whatever VM has focus. You might be able to contrive a situation where that entire task was handed over to the VM, but that seems dangerous and unworkable, and not how I remember it being handled by any VM software with the possible exception of a bare metal hypervisor based system. -- After all is said and done, more is said than done.
On 06/29/2016 10:51 AM, Greg Freemyer wrote:
- Use a Windows 7 based laptop to run an openSUSE VM. - Keep my confidential data in the VM
The trouble I see now is that Windows 7 isn't exactly known for its security. If it were penetrated, then a key logger could be installed that could capture my password when I type it in.
Why not precisely the reverse?
Run Opensuse as host, and Windows as the VM?
You've got another layer of protection, because you can have the host forward only those ports you need forwarded to the more vulnerable VM. VM can reside on a LUKS partition or use its own encryption.
You can also expose the VM if needed by simply using Bridged (aliased) network setup (or at least you can do this in Vmware).
By the way, I haven't been able to discern any performance penalty for LUKS. I'm sure there must be some, but it seems unmeasurably small.
-- After all is said and done, more is said than done.
On Wed, Jun 29, 2016 at 3:09 PM, John Andersen <jsamyth@gmail.com> wrote:
On 06/29/2016 10:51 AM, Greg Freemyer wrote:
- Use a Windows 7 based laptop to run an openSUSE VM. - Keep my confidential data in the VM
The trouble I see now is that Windows 7 isn't exactly known for its security. If it were penetrated, then a key logger could be installed that could capture my password when I type it in.
Why not precisely the reverse?
Run Opensuse as host, and Windows as the VM?
You've got another layer of protection, because you can have the host forward only those ports you need forwarded to the more vulnerable VM. VM can reside on a LUKS partition or use its own encryption.
You can also expose the VM if needed by simply using Bridged (aliased) network setup (or at least you can do this in Vmware).
By the way, I haven't been able to discern any performance penalty for LUKS. I'm sure there must be some, but it seems unmeasurably small.
Great suggestion. Much better than having a dedicated laptop for just this work. Greg
On 2016-06-29 21:09, John Andersen wrote:
By the way, I haven't been able to discern any performance penalty for LUKS. I'm sure there must be some, but it seems unmeasurably small.
Easy. Write a big file to the encrypted device, another to the clear device, and time both operations, measuring also the CPU load.
Telcontar:~ # time dd if=/dev/zero of=/home1/test count=1000 bs=1M
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 2.12433 s, 494 MB/s
real 0m2.126s
user 0m0.004s
sys 0m0.777s
Telcontar:~ # time dd if=/dev/zero of=/data/cripta/test count=1000 bs=1M
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 3.14988 s, 333 MB/s
real 0m3.151s
user 0m0.004s
sys 0m0.734s
Telcontar:~ #
Without cache:
Telcontar:~ # time dd if=/dev/zero of=/data/cripta/test count=1000 bs=1M oflag=direct
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 11.2671 s, 93.1 MB/s
real 0m11.863s
user 0m0.006s
sys 0m0.825s
Telcontar:~ # time dd if=/dev/zero of=/home1/test count=1000 bs=1M oflag=direct
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB) copied, 6.36797 s, 165 MB/s
real 0m6.370s
user 0m0.001s
sys 0m0.366s
Telcontar:~ #
Bigger file:
Telcontar:~ # time dd if=/dev/zero of=/data/cripta/test count=5000 bs=1M oflag=direct
5000+0 records in
5000+0 records out
5242880000 bytes (5.2 GB) copied, 56.4765 s, 92.8 MB/s
real 0m56.478s
user 0m0.006s
sys 0m1.188s
Telcontar:~ # time dd if=/dev/zero of=/home1/test count=5000 bs=1M oflag=direct
5000+0 records in
5000+0 records out
5242880000 bytes (5.2 GB) copied, 30.2719 s, 173 MB/s
real 0m30.274s
user 0m0.007s
sys 0m2.102s
Telcontar:~ #
Speed is about half.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
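
A repeatable form of the timing comparison in the message above, as an added example that is not part of the original post: it writes the same amount of data to a clear and an encrypted directory and reports the slowdown. The function names and the two directory arguments are assumptions; it expects GNU dd and date.

```shell
#!/bin/sh
# Added example: compare sequential write throughput of two directories,
# e.g. one on a plain filesystem and one on a LUKS-backed filesystem.
# Requires GNU coreutils (dd conv=fdatasync, date +%N).

# write_mbps DIR SIZE_MB -> prints throughput in MB/s (decimal MB, as dd does).
# conv=fdatasync makes dd flush the data to the device before it exits, so
# the page cache cannot inflate the figure the way a buffered write can.
write_mbps() {
    dir=$1
    size_mb=$2
    f="$dir/.ddbench.$$"
    start=$(date +%s%N)
    dd if=/dev/zero of="$f" bs=1M count="$size_mb" conv=fdatasync 2>/dev/null || {
        rm -f "$f"
        return 1
    }
    end=$(date +%s%N)
    rm -f "$f"
    awk -v mib="$size_mb" -v ns="$((end - start))" 'BEGIN {
        if (ns <= 0) ns = 1
        printf "%.1f\n", mib * 1048576 / 1e6 / (ns / 1e9)
    }'
}

# slowdown_pct CLEAR_MBPS ENC_MBPS -> how much slower the encrypted write
# was, as a whole-number percentage of the clear throughput.
slowdown_pct() {
    awk -v c="$1" -v e="$2" 'BEGIN { printf "%.0f\n", (1 - e / c) * 100 }'
}

# Usage: sh this_script CLEAR_DIR ENCRYPTED_DIR
# (both directories are whatever mount points you want to compare)
if [ "$#" -eq 2 ]; then
    clear=$(write_mbps "$1" 1000) || exit 1
    enc=$(write_mbps "$2" 1000) || exit 1
    echo "clear: $clear MB/s  encrypted: $enc MB/s  slowdown: $(slowdown_pct "$clear" "$enc")%"
fi
```

Fed the 5.2 GB `oflag=direct` figures from the post (173 MB/s clear, 92.8 MB/s encrypted), `slowdown_pct` gives 46. `cryptsetup benchmark` reports the in-memory cipher speed separately from any disk.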
On 06/28/2016 08:05 PM, Greg Freemyer wrote:
I'm about to setup a new virtual box VM.
I see VB has the ability to encrypt the VM in full, or I can use LUKS to do it at the openSUSE level.
I don't want to do both due to paying double the performance hit.
Does anyone know the pros / cons of using VB to encrypt vs LUKS?
Can both achieve DOD level security?
If I go with LUKS, it will be a first for me. Is there a simple write-up of how to do that via the Yast Installer?
Thanks Greg -- Greg Freemyer www.IntelligentAvatar.net
I used LUKS on Opensuse 13.2 for the first time, and I have to say it was quite easy to set up, and so far trouble free. The only problem area was that some portion of the boot up process did not wait long enough for the password, which means you have to be johnny-on-the-spot and ready to type it in upon boot. I filed a bug report on that, and got a couple snotty replies from places on high (systemd people didn't think it was their problem, opensuse people didn't think it was theirs either). In the end I solved it by adding the timeouts on the fstab entry:
/dev/mapper/cr_raid /raid xfs nofail,x-systemd.device-timeout=15 0 2
After the finger pointing was done, I believe there was a fix for that that made the same change automatically.
Recommend you use the same password for all encrypted partitions unless you like entering multiple passwords quickly and in rapid succession. It will try the first one on successive partitions to save multiple entries.
Recommend you keep an underlying mount point directory in your file system over which the LUKS partition mounts. It can be a dummy directory with dummy files (or no files at all). This way, if your machine falls into the wrong hands (someone who does not know the LUKS password), after the time out, it boots up using the dummy and there is nothing (or dummy data) in your Virtual Machines storage directory, but the system otherwise runs fine.
I don't use VB. Instead I use Vmware and this works fine.
-- After all is said and done, more is said than done.
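
A check for the setup described in the message above, as an added example that is not part of the original post. With `nofail` and a device timeout, a missed passphrase leaves the system running on the underlying dummy directory, so anything started afterwards writes there instead of to the LUKS volume; the script reports which `/dev/mapper` entries carry the two options and refuses to proceed unless the mount point is backed by a mapping. The function names and the sample entries other than the `cr_raid` line are assumptions, and it assumes fstab names the opened mapping by its `/dev/mapper` path as the post does.

```shell
#!/bin/sh
# Added example (not from the thread).

# Constructed sample; the first entry is the fstab line quoted in the post.
sample_fstab() {
    cat <<'EOF'
# <device> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cr_raid /raid xfs nofail,x-systemd.device-timeout=15 0 2
/dev/mapper/cr_home /home ext4 defaults 0 2
/dev/sda1 /boot ext4 defaults 0 2
EOF
}

# audit_fstab [FILE]: for every /dev/mapper/* entry in FILE (stdin if
# omitted) print "<mountpoint> nofail=<yes|no> timeout=<value|none>".
audit_fstab() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        $1 ~ /^\/dev\/mapper\// {
            nofail = "no"; timeout = "none"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "nofail") nofail = "yes"
                if (opt[i] ~ /^x-systemd\.device-timeout=/) {
                    timeout = opt[i]
                    sub(/^[^=]*=/, "", timeout)
                }
            }
            print $2, "nofail=" nofail, "timeout=" timeout
        }' "${1:--}"
}

# crypt_mounted MOUNTPOINT [MOUNTS_FILE]: succeed only if MOUNTPOINT is
# currently backed by a /dev/mapper device. If the unlock timed out, the
# directory exists but is not a mount, and this returns non-zero.
# MOUNTS_FILE defaults to /proc/self/mounts; mount points containing
# spaces (escaped as \040 there) are not handled.
crypt_mounted() {
    awk -v mp="$1" '
        $2 == mp { src = $1 }    # last match is the topmost mount
        END { if (src ~ /^\/dev\/mapper\//) exit 0; exit 1 }
    ' "${2:-/proc/self/mounts}"
}

# Usage: sh this_script /raid   (run before starting VMs stored there)
if [ "$#" -eq 1 ]; then
    audit_fstab /etc/fstab
    crypt_mounted "$1" || {
        echo "$1 is not on an encrypted mapping; not starting" >&2
        exit 1
    }
fi
```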
participants (6)
- Andrei Borzenkov
- Carlos E. R.
- Greg Freemyer
- John Andersen
- Oliver Kurz
- Uzair Shamim