Full disk encryption on boot partition
I am wondering if anyone knows of a howto for using full disk encryption on an Ubuntu installation? I want the entire disk to be encrypted, even the boot partition.
I have found a Wikipedia page on full disk encryption:
and it states on the page that boot partition encryption is possible with a password prompt:
"Using a boot-time driver that can ask for a password from the user"
That is what I am trying to achieve; can anyone help?
I haven't read the Wikipedia article, but I would think that if you're getting a password prompt from your disk, then that isn't really full disk encryption. For real full disk encryption the complete disk must be encrypted, which means you'll need to boot from somewhere else (USB flash drive, CD-ROM, etc). There was a good Linux Journal article a couple years ago which IIRC was pretty distro-neutral.
How to install TrueCrypt 5.0 on Ubuntu 7.10 (Gutsy Gibbon)
@internetSurfer: does TrueCrypt allow full-disk encryption in the form requested by the OP? AFAIK it doesn't... perhaps you know differently?
... an intriguing discussion of the different encryption tools.
... Linux Magazine - using dm-crypt and LUKS. loop-AES is good too.
... a rundown on day-to-day encryption.
What I was looking for was a magazine article comparing dm-crypt, loop-AES and TrueCrypt (with others). Didn't find it.
There are a lot of claims made about encryption tools; it is very hard to sort out the snake oil.
msramdmp: McGrew Security RAM Dumper
Breaking disk encryption with RAM dumps
Momentus® 5400 FDE.2 Hard Drives
What good does encrypting the /boot partition do?
Why encrypt the static system partitions either?
DiskCryptor is supposed to be an open-source version of DriveCrypt... which is all too probably snake oil. Neither actually does full-disk encryption. Though both claim "system partition", that seems to exclude /boot on Linux, and it looks like there is an unencrypted partition left on the Windows version too...
Full encryption is tricky because something has to decrypt the disk at boot. I can see an intelligent BIOS doing this, for example, but that is just an OS in a ROM. You can also boot to a hardened, but unencrypted, OS that does authentication and launches the encrypted one.
TrueCrypt advertises a full-disk encryption thing for Windows (dunno about Linux) but it seems to use the latter option. You basically get a DOS-like welcome screen to authenticate you in... I'd like to see the partition table for that but the salesman wouldn't let me look.
Full-disk encryption is commonly touted as a method of protecting data from someone who gets their hands on your box - like a stolen laptop. Makes a kind of sense in Windows where you typically have one huge partition, and users are unlikely to want to resize anything. It also sounds good from a marketing point of view - who wants anything "partial"?
For a rationale for full-disk encryption, see:
That's it in a nutshell... encrypt the whole disk and you don't need to know much about what the computer does. You can relax: no data can leak out of the playpen. Again, this makes more sense in a Windows context, where temporary data can be written anywhere on the disk.
Some people point out that by encrypting the whole disk, you are increasing the size of the job faced by the attacker, though this only works if you prepare the drive by writing random data to all of it, a process that can take a day or so for big drives. Encryption tools usually emphasise how quick and convenient they are.
On balance, keeping the /boot partition on a keydrive is probably more effective... and remember, the more you need to decrypt, the slower the machine.
In the end, you should accept that a motivated attacker will get your data. Consider how much inconvenience you will put up with for how much gain in security. Look to your threat model.
Compusec is meant to do whole disk encryption and they have a Linux version. It is also free, but I have not tried them so I can't guarantee how good they are. Steve Gibson mentioned them in one of the latest Security Now episodes; he said they are pretty good, even though it is closed source encryption.
I find it funny that TrueCrypt has a better version for Windows users than Linux users. I don't know what kind of open source company would do that; it puts me off helping them, since I use Linux and don't want Windows users to get a better TrueCrypt than me.
I am quite sure that under normal x86 hardware, encrypting the full disk (including /boot) on the same disk is not a possible solution.
You could try network booting if the server is in a static location so should the server get stolen the entire disk is encrypted.
Or for those on the move, a USB encrypted keydrive as has already been suggested would provide an effective way to boot the system.
Whole Disk Encryption (WDE) discussion:
... pretty pragmatic, but for Windows.
Schneier's preferred tool, PGP-Disk is pretty silent on how it works. Bruce uses it because he trusts the company, not because it is really WDE.
You need some care - the "whole disk" encryption tools, like compusec et al, use a pre-boot validation... how? Obviously, that part of the system is not encrypted... if it lives on the HDD in question, then that means that the whole disk is not encrypted.
I don't think any of these apps actually repartition the drive, so there should be an encrypted container for the "whole disk" and a plaintext part outside that for "pre-boot apps". The bootloader launches the pre-boot part, which runs validation, decrypts the container, and launches the OS.
If that is not what happens, then the app does something functionally identical. Linux (dm-crypt et al) does this with the initramfs... which is why the /boot partition is outside the container. In this case, pre-boot validation can be launched from external media... is this the case with those Windows apps?
In effect, WDE has come to be a technical term for "all the disk you'd normally write files to" and not all the actual data on the disk. In windows, this means the system "drive", usually C:/ (alone, in the case of BitLocker WDE - only home and swap with FileVault).
"So why make a song and dance about it?" I hear you ask...
1. If you are not encrypting the whole disk, don't call it WDE. This is logical, if a bit pedantic.
2. We need to recognize ad-speak when we hear it.
3. Helps when comparing commodity/commercial software between different paradigms.
3.a. Linux disk encryption tends to suffer the complaint that it is not WDE, when what the complainant is thinking of is not actual WDE either.
3.b. Linux DE is less WDE than some because the main-OS system files are not in the container, but WDE apps just have their own system files outside the container that they put the main-OS system files into. So this is a bit "six of one and half-a-dozen of the other."
I maintain that you want to keep /boot on an external drive, with the full disk encrypted. I would call that "True WDE" since the entire laptop HDD is encrypted. The plaintext part is on a chain around your neck (or whatever).
This also provides an intriguing plausible deniability...
Official: Is that your laptop?
Off: Excuse me?
You: It's my boss's laptop, he left it at the office and I'm fetching it for him.
Off: Would you switch it on for me please?
You: OK - but it won't go. [demonstrate]
Off: boot the laptop please sir
You: I can't - it is set so it won't boot without the boss's key, which only he has.
Off: I see... I am confiscating this laptop as a national security threat and placing you under arrest as a suspected terrorist, step this way for your cavity search [pulls on rubber glove]
... um... that didn't go the way I expected...
Of course, technically there is nothing stopping you from booting automatically to a familiar WinXP partition if the key ain't there... (This will mean sacrificing 10 or so gig in the name of misdirection, similar to using a false bottom in a briefcase) so long as nobody compares the partition size to the disk size... even so, Windows will claim the extra space is unformatted or corrupt.
Look in the Linux Filesystem Hierarchy Standard. The partitions that are marked as static don't need to be encrypted and can be mounted readonly. You can use symbolic links from the encrypted root partition to an unencrypted partition containing the static system directories.
Most Windows systems have a single partition, and a lot of information is in the registry and in C:\Program Files\. So a Windows user needs to encrypt everything unless they have C:\Windows\System32 on its own partition, which is doubtful.
Full disk encryption in Linux would just be a marketing gimmick. There is absolutely no reason to go through all the hoops necessary due to encrypting the /boot partition. Even in a non-encrypted system, if LVM or most types of RAID are used, a normal /boot partition not part of the RAID or LVM array is created during installation. Installing a /boot, swap, and / (root) partition and encrypting the latter would make more sense than encrypting the entire drive.
Sure - WDE in linux would be security theatre. It looks cool, it's conceptually easy, and it's buzzword compliant. Also preserves ignorance.
Does mean that the user needs to realize that static files need not be encrypted - what about people who worry about the /boot partition being unencrypted? They need to know that in the normal course of things, no personal data (or anything) gets written there.
The only attack vector I thought of was the one about someone adding malicious instructions to your boot process then returning your laptop before you know it's gone. Anyone really worried about that can put the /boot partition on external media...
It's probably easier to script - which is why you see it in the installers.
WDE is less relevant to GNU/Linux than AV software.
The point of my wee rant was supposed to be that linux encrypting all but /boot is no less WDE, in practice, than windows using PGP-Disk or whatever.
If your data is so sensitive that you want the "whole disk" encrypted, then it's ridiculous to leave an unencrypted /boot in there IMHO. Not because of any data getting stored there (it can be mounted read-only), but because it's a very real attack vector. For example, someone could clone your hard drive while you are asleep, and put malware in your /boot so that next time you enter your key it will be sent to the attacker. He can then use it to decrypt the cloned image he has - granting him complete access to all your sensitive files. And depending on what else he did (and how effective your IDS is), you might continue to have other parts of your life owned thanks to his rootkit or keylogger or whatever. Having your /boot reside on a USB flash drive (or any other media which you can easily hide/protect physically) seems like the only truly effective way to have whole disk encryption to me.
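The post above describes the one real risk of an unencrypted /boot on the laptop's own disk: someone with physical access modifies the kernel or initramfs so that the next passphrase entry is captured. A detective control, if you keep /boot on the disk anyway, is a hash manifest of /boot stored on removable media (the same key drive the thread suggests for /boot itself) and checked from a trusted boot environment before the passphrase is typed. The script below is an added example written for this page, not code from the thread; it assumes GNU coreutils `sha256sum` and takes the directory and manifest path as parameters so it can be exercised on a scratch tree.

```shell
#!/bin/sh
# Added example: integrity manifest for an unencrypted /boot partition.
# The manifest is intended to live on external media the attacker cannot write
# to; a copy on the laptop HDD could simply be regenerated after tampering.

boot_manifest_create() {
    # $1 = boot directory, $2 = manifest file (keep it on the key drive)
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

boot_manifest_verify() {
    # Returns 0 only when every recorded file hashes as recorded AND no file
    # has been added or removed. sha256sum -c alone would not notice a planted
    # GRUB module or an extra initramfs, hence the second comparison.
    bootdir=$1
    manifest=$2
    rc=0
    ( cd "$bootdir" && sha256sum -c --quiet "$manifest" ) || rc=1
    # Manifest lines look like "<hash>  ./path"; field 3 onwards is the path.
    expected=$(cut -d' ' -f3- "$manifest" | LC_ALL=C sort)
    actual=$(cd "$bootdir" && find . -type f | LC_ALL=C sort)
    [ "$expected" = "$actual" ] || rc=1
    return $rc
}

# Typical use (paths are illustrative): record once after a kernel update,
# verify from the trusted environment before unlocking the LUKS volume.
#   boot_manifest_create /boot /media/keydrive/boot.sha256
#   boot_manifest_verify /boot /media/keydrive/boot.sha256 || echo "/boot changed"
```

The check only means something when run from an environment the attacker could not alter, such as the key drive's own kernel; a verification run by an already-tampered /boot can lie about its own hashes.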
I was thinking in terms of a lost or stolen drive and not an ongoing attack. Thanks for bringing that up.