Authenticated boot and disk encryption on Linux

Click for: original source

Linux has been supporting Full Disk Encryption (FDE) and technologies such as UEFI SecureBoot and TPMs for a long time. However, the way they are set up by most distributions is not as secure as they should be, and in some ways quite frankly weird. In fact, right now, your data is probably more secure if stored on current ChromeOS, Android, Windows or MacOS devices, than it is on typical Linux distributions. By Pid Eins.

The article covers:

  • The strange state of authenticated boot and disk encryption on generic Linux distributions
  • The basic technologies
    • LUKS/dm-crypt/cryptsetup
    • UEFI SecureBoot
    • TPMs
  • How Linux distributions use these technologies
  • Attack scenarios
  • Are we safe?
  • Can we do better?
  • In detail

The most basic attack scenario to focus on is probably that you want to be reasonably sure that if someone steals your laptop that contains all your data then this data remains confidential. Because distributions set up disk encryption the way they do, and only bind it to a user password, an attacker can easily duplicate the disk, and then attempt to brute force your password.

The article also points the reader toward how full disk encryption could be done better on a general-purpose Linux distribution. Every single component of the boot process and OS needs to be authenticated, i.e. all of shim (done), boot loader (done), kernel (done), initrd (missing so far), OS binary resources (missing so far), OS configuration and state (missing so far), the user’s home (missing so far). Very interesting read.


Tags: linux, software, how-to, infosec