LinuxQuestions.org, Linux - Security forum
You encrypt the disk, then you decrypt it when you use it. Why do you want to encrypt the OS?
Secondly, it is almost mandatory to have /home on a separate partition from /. Additionally you could make a separate /tmp as well. You'd encrypt both /home and /tmp and put some "sane" options on those partitions. "nodev" etc. There are many ways to secure /tmp, but it's something else than encryption. Just search the web for how to secure /tmp, there will be many pointers there.
If you worry about things, like /var, you can also add separate partitions for those kind of things. Just think about it, and do it right. Encryption is just one type of protection, but you cannot use any content on an encrypted drive unless you decrypt it first.
Regarding SWAP, either you need it or you do not need it. With modern hardware and RAM amount, you probably do not even need to have a SWAP partition. If you do, there are various ways to do that.
But in the end, I don't think you'll need to encrypt your / (root), unless you have some special needs (evil maid) and refuse to secure your system in other ways.
You should worry about /var. That's where the system and some applications write log files, write cache data, and various other stuff that could potentially contain pieces of your sensitive data or information about it stored in /home.
Many people (me included) hibernate their personal machines. That means data from RAM is written to disk. Again, that data can easily contain sensitive information, and be retrieved.
Encryption is not a one-stop shop for security, and neither did I claim it to be. Encrypting disks is of real use when the disk is not being used. When it is unlocked and mounted on a running system, the usefulness of hard drive encryption diminishes. That's when other security measures come into play. On a machine that runs 24x7 it may be of limited use. However, on a laptop that is taken to places, and is at risk of being left unattended, it's of real use.
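As an added illustration of the partition advice above (separate /home, /tmp and /var with "sane" mount options, and the concern that hibernation writes RAM to swap), here is a small POSIX shell audit. It is not code from the thread. It reads text in /proc/mounts and /proc/swaps format and reports which hardening options (nodev and nosuid, plus noexec on /tmp) are missing, whether /var is a separate mount, and whether every active swap device sits on a device-mapper node. The sample inputs are constructed, and treating a /dev/mapper swap device as a dm-crypt mapping is an assumption to confirm with `cryptsetup status` on a real machine.

```shell
#!/bin/sh
# Added example, not from the thread: audit the mount layout the posts above
# recommend. Reads /proc/mounts- and /proc/swaps-style text on stdin.

# Constructed sample in /proc/mounts format: /var is not separate and /tmp
# lacks nosuid and noexec, so the audit should report three problems.
SAMPLE_MOUNTS='/dev/mapper/root / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/mapper/home /home ext4 rw,nodev,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nodev,relatime 0 0'

# Constructed /proc/swaps samples: plain partition vs. device-mapper node.
SAMPLE_SWAPS_PLAIN='Filename Type Size Used Priority
/dev/sda3 partition 8388604 0 -2'
SAMPLE_SWAPS_CRYPT='Filename Type Size Used Priority
/dev/mapper/cryptswap partition 8388604 0 -2'

# has_opt OPTS OPT: succeed if the comma-separated list OPTS contains OPT.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts: print one line per problem; return the number of problems.
audit_mounts() {
    mounts=$(cat)
    problems=0
    for mp in /tmp /home /var; do
        # field 2 of /proc/mounts is the mount point, field 4 the options
        opts=$(printf '%s\n' "$mounts" | awk -v m="$mp" '$2 == m { print $4; exit }')
        if [ -z "$opts" ]; then
            echo "$mp: not a separate mount"
            problems=$((problems + 1))
            continue
        fi
        for want in nodev nosuid; do
            if ! has_opt "$opts" "$want"; then
                echo "$mp: missing $want"
                problems=$((problems + 1))
            fi
        done
        # /tmp is world-writable, so nothing should be executable from it
        if [ "$mp" = /tmp ] && ! has_opt "$opts" noexec; then
            echo "/tmp: missing noexec"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# swap_encrypted: succeed only if every active swap device is a device-mapper
# node. Assumption: such a node is a dm-crypt mapping (confirm with
# `cryptsetup status` on a real system); a swap file is reported as plain.
swap_encrypted() {
    awk 'NR > 1 && $1 !~ /^\/dev\/(mapper\/|dm-)/ { bad = 1 } END { exit bad }'
}

# Run on the constructed samples; on a live system use:
#   audit_mounts < /proc/mounts; swap_encrypted < /proc/swaps
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts || echo "mount problems: $?"
printf '%s\n' "$SAMPLE_SWAPS_PLAIN" | swap_encrypted || echo "swap is not on dm-crypt"
```

The return value of `audit_mounts` is the problem count, so it can gate a provisioning script. A swap file on an encrypted root would be reported as plain by `swap_encrypted`, since it only looks at the device name; that is the trade-off of a check that works from /proc alone.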
OK. So we're interested in encrypting data. Let's put our paranoia hats on and consider this to extremes. We don't encrypt the OS, and we accidentally leave the machine while going for coffee. What's to stop a person replacing aide, chkrootkit, selinux/apparmor configuration with compromised versions and then replacing various binaries with modified versions that allow backdoors or shipping your data once the disk is unlocked and mounted?
Of course, with this amount of paranoia /boot should be a removable device that is never left with the machine.
This might be a little extreme, but most distros make this so easy to set up, and the performance impact on modern machines is negligible, that to my mind there is no reason not to encrypt it.
OK. So we're interested in encrypting data. Let's put our paranoia hats on and consider this to extremes. We don't encrypt the OS, and we accidentally leave the machine while going for coffee. What's to stop a person replacing aide, chkrootkit, selinux/apparmor configuration with compromised versions and then replacing various binaries with modified versions that allow backdoors or shipping your data once the disk is unlocked and mounted?
Bios password? Grub password? Keeping an eye on your computer? Screenlocking password? Root password?
How exactly is someone going to tamper with your root partition? Do you work for the CIA in China? Sure, then you'll need to consider some other things. You work in an important company? You work with confidential data? Then the above should be more than enough to secure your machine.
Worry about cracking/hacking over the internet? How does encryption prevent that when you use the machine? You can't run an OS with encrypted files, they have to be decrypted first.
If you reasonably want to secure your data and perhaps beyond that, you need to separate things and isolate that data on ideally different disks, but more realistically on different partitions.
You seem to focus on /var, and this is reasonable. So how do you secure your /var? By encrypting the OS? Nope. You need to isolate /var and secure it, either on a different disk or a different partition. Sure, encrypting it is a good idea, but it's not the solution. If you think about it, you need to take multiple steps, including securing /tmp on a separate partition with its own security considerations. /var is NOT the OS, it's a utility area for the OS. If you use SELinux and have set this up correctly and can manage that, I don't even know why you are posting this thread; you'd be better off combining SELinux with isolation of things instead of wanting to encrypt the OS.
Sure, you can encrypt the root partition, go ahead, but it's not really that helpful. As you said, it is mostly helpful if you combine it with a separate /boot partition on a USB thumbdrive or something similar.
So, back to your original question. This thread is "encryption of OS, part of it or none", my personal answer is part of it. Isolate those parts and encrypt them, but also take other necessary steps to secure them, because encryption is not some magic solution.
Other topics to look into:
"how to secure /tmp on Linux"
"securing /tmp Linux"
"how to secure /var on Linux"
"securing /var on Linux"
"securing GNU/Linux with SELinux"
We don't encrypt the OS, and we accidentally leave the machine while going for coffee. What's to stop a person replacing aide, chkrootkit, selinux/apparmor configuration with compromised versions and then replacing various binaries with modified versions that allow backdoors or shipping your data once the disk is unlocked and mounted?
Encryption doesn't actually prevent that. You need some kind of signature, and you need to keep the verification key and verifying program with you (otherwise those can be replaced as well).
Quote:
Originally Posted by ntubski
Encryption doesn't actually prevent that. You need some kind of signature, and you need to keep the verification key and verifying program with you (otherwise those can be replaced as well).
Add to that good routines and passive security like screenlock timer and password, possibly with the combination of hibernation. Alternatively just password on root and terminal timeout. I personally prefer sleep, and I don't know how random persons will tamper with my computer physically if it is locked and in sleep mode and require a password to unlock or login to a getty. I also like the option for when you close your laptop lid, you can send your system directly to sleep or hibernation if you want. That way you have a very easy procedure when you leave your desk. I still think for a timely situation like a workplace, suspend is a better function than hibernation.
If my partition was encrypted or not would make no difference in this scenario at all. For hibernation it might, depending on how you do it, but then again you could secure your hibernated computer in other ways than encryption to prevent tampering.
If both your BIOS/UEFI and GRUB are secured with a password and configured correctly, then the evil maid cannot boot a live USB and tamper with a non-encrypted partition either.
Anyhow, I think the CORE to all this is to figure out "what security level is necessary for my situation". That's 1st priority and if you do not answer that first, anything else is just vanity.
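The point ntubski makes above (an integrity check is only worth something if the reference data and the checking program live somewhere the machine cannot alter) can be tried out with coreutils alone. The following is an added example, not code from the thread: it writes a SHA-256 manifest of a file tree to a directory standing in for the removable medium, then re-checks the tree against it. A hash manifest kept offline is a stand-in for the signature ntubski describes; a signed manifest would add protection against someone who can reach the medium itself. The sandbox tree, file names and the `usb` directory are constructed for the demo; no real system path is touched.

```shell
#!/bin/sh
# Added example, not from the thread: an offline-kept integrity baseline for
# the "keep the verifier with you" idea. A SHA-256 manifest of chosen files is
# written to a directory you carry (removable /boot, a USB stick); before
# trusting the machine again, re-hash and compare. A constructed sandbox
# stands in for /usr/bin, /etc and friends; no real system path is touched.

# build_manifest DIR MANIFEST: hash every regular file under DIR, recorded
# with paths relative to DIR so the manifest can be checked from any mount.
build_manifest() {
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$manifest"
}

# verify_manifest DIR MANIFEST: succeed only if every listed file is present
# and unchanged. sha256sum -c reports modified and missing files; files added
# after the baseline are not covered (aide-style tools track those too).
verify_manifest() {
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$1" && sha256sum --quiet -c "$manifest" ) >/dev/null 2>&1
}

# demo_tamper: baseline a constructed tree, alter one script in it, and
# confirm the check catches the change.
# Returns 0 when the clean check passes and the tampered check fails.
demo_tamper() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/bin" "$work/usb"                 # "usb" is the carried medium
    printf '#!/bin/sh\necho genuine\n' > "$work/bin/checker"
    printf 'option = 1\n' > "$work/bin/checker.conf"
    build_manifest "$work/bin" "$work/usb/manifest.sha256"
    if verify_manifest "$work/bin" "$work/usb/manifest.sha256"; then clean=0; else clean=1; fi
    printf '#!/bin/sh\necho tampered\n' > "$work/bin/checker"
    if verify_manifest "$work/bin" "$work/usb/manifest.sha256"; then tampered=0; else tampered=1; fi
    rm -rf "$work"
    [ "$clean" -eq 0 ] && [ "$tampered" -eq 1 ]
}

demo_tamper && echo "baseline verified clean, tampering detected"
```

The check only means something when `sha256sum` itself (or a statically linked copy) is run from the carried medium as well, which is the second half of ntubski's point. Against a changed file on an unencrypted disk this catches the modification; it says nothing about newly added files, and it does not replace the filesystem-level integrity checking mentioned later in the thread.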
Bios password? Grub password? Keeping an eye on your computer? Screenlocking password? Root password?
All these methods are easily circumventable, and it doesn't take a CIA Chinaman to do it.
Quote:
Originally Posted by zeebra
Worry about cracking/hacking over the internet? How does encryption prevent that when you use the machine?
It doesn't. Like I said, the usefulness of encrypting drives is diminished when you are using it. The alternative that has been talked about is encrypting /home. That needs to be unlocked to login too. How are you protecting that from remote attacks?
Quote:
Originally Posted by zeebra
You can't run an OS with encrypted files, they have to be decrypted first.
Agreed. I don't encrypt my drive to protect my information when I'm using it. I encrypt it for when I'm not. The laptop spends far more time turned off and unattended than it does on and in use. The desktop is on 24x7 and isn't encrypted.
Quote:
Originally Posted by zeebra
So, back to your original question. This thread is "encryption of OS, part of it or none", my personal answer is part of it. Isolate those parts and encrypt them, but also take other necessary steps to secure them, because encryption is not some magic solution.
Right. And the original question is encrypting the OS, not hardening the complete system. You are right, and I have already agreed that encryption is not a one stop shop. It has a purpose, and a very useful one, but one that has nothing to do with protecting it when the machine is turned on.
Quote:
Originally Posted by ntubski
Encryption doesn't actually prevent that. You need some kind of signature, and you need to keep the verification key and verifying program with you (otherwise those can be replaced as well).
Only when the machine is turned on. When it's turned off, encryption does a pretty good job of it. I agree encryption of the OS is useless when it's running, but so is encrypting /home.
Quote:
Originally Posted by zeebra
You seem to focus on /var.
Because bits of your data you thought were encrypted in /home could end up here, and under your proposal, unencrypted.
We don't encrypt the OS, and we accidentally leave the machine while going for coffee. What's to stop a person replacing aide, chkrootkit, selinux/apparmor configuration with compromised versions and then replacing various binaries with modified versions that allow backdoors or shipping your data once the disk is unlocked and mounted?
Encryption doesn't actually prevent that. You need some kind of signature, and you need to keep the verification key and verifying program with you (otherwise those can be replaced as well).
Only when the machine is turned on. When it's turned off, encryption does a pretty good job of it.
However, that tampering is limited pretty much to corruption. You wouldn't be able to (for any practical purpose) replace specific binaries with trojaned ones, or retrieve data, and Wikipedia does go on to say you can mitigate that concern by using a filesystem that does data integrity checks.