LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 11-11-2011, 03:14 PM   #1
STDOUBT
Member
 
Registered: May 2010
Location: Stumptown
Distribution: Slackware 14.0/32bit + Xmonad
Posts: 269

Rep: Reputation: 63
Boot encrypted LVM with USB flash drive?


Slackware 13.37, default kernel, 32bit.

/sda1 = /boot
/sda2 = LVM with luks (cryptvg-root, cryptvg-home, cryptvg-swap)

My goal is to require a USB flash stick to boot the OS,
thus eliminating the use of unencrypted boot files on the hard drive.
**I Do Not wish to include the luks key file for "passwordless booting"**.
I've read that it's possible to copy /boot to a USB stick and install
LILO to it.
Would something like this work?:

1. simply copy /boot to the root of /dev/sdb1 (ext4 formatted USB stick).
2. unmount /boot (/dev/sda1), and remount /boot (as /dev/sdb1)
3. alter lilo.conf such that it 'installs' to /dev/sdb1
4. change /dev/sda1 to /dev/sdb1 in /etc/fstab?
5. run LILO
6. umount /dev/sdb1; remove USB stick
7. remount /boot on /dev/sda1
8. run LILO again to restore boot-ability to /dev/sda1 in case my USB
stick fails to boot the system.

I have already had to break into my LVM once after having borked LILO, so
I'd like this to go as smoothly as possible. If anyone can help me sort
these pieces into a logical procession that is highly likely to work,
that'd be awesome!

It's hard to believe I couldn't find a tutorial for this after
5 days of earnest searching but it's true!
Thanks for any clues!
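The procedure asked about above, written out as a script. This is an added example for this thread, not Slackware's own tooling or anything posted by the participants. It assumes STDOUBT's layout (/dev/sda1 is the current /boot, /dev/sdb is the stick with an ext4 /dev/sdb1, the root logical volume is /dev/cryptvg/root) and the default 13.37 names /boot/vmlinuz and /boot/initrd.gz; the mount point /mnt/usbboot and the label are made up. The key difference from the numbered steps is that it never edits /etc/lilo.conf or /etc/fstab: LILO is pointed at a second config file with `lilo -C`, so the hard drive keeps booting as before and there is no step 8 to undo anything.

```shell
#!/bin/sh
# Put a bootable copy of /boot on a USB stick without touching the hard
# drive's LILO install.  Added example for this thread, not Slackware's own
# tooling.  Assumptions: /dev/sda1 is the current /boot, /dev/sdb is the stick
# (partition /dev/sdb1, ext4), root is the LV /dev/cryptvg/root, and the
# kernel/initrd are /boot/vmlinuz and /boot/initrd.gz as on a default 13.37
# install; adjust to taste.

set -eu

# Emit a lilo.conf for the stick.  'boot=' is the stick's MBR (the whole
# device, not the partition); image/initrd/map point at the stick's mount so
# LILO maps sectors on the stick rather than on /dev/sda1.  The disk/bios
# lines tell LILO the stick will be BIOS disk 0x80 when booted from, which is
# what most BIOSes do for the selected USB device (an assumption to check).
make_usb_lilo_conf() {
    usb_disk=$1     # e.g. /dev/sdb
    mnt=$2          # where /dev/sdb1 is mounted, e.g. /mnt/usbboot
    root_lv=$3      # e.g. /dev/cryptvg/root
    cat <<EOF
boot = $usb_disk
map = $mnt/map
prompt
timeout = 50
lba32
disk = $usb_disk
  bios = 0x80
image = $mnt/vmlinuz
  initrd = $mnt/initrd.gz
  root = $root_lv
  label = Slackware-usb
  read-only
EOF
}

# Copy /boot (including initrd-tree) onto the mounted stick and install LILO
# there with 'lilo -C', so /etc/lilo.conf, /etc/fstab and the MBR of /dev/sda
# are left alone.  Run as root with the stick already mounted at $mnt.
install_boot_to_usb() {
    usb_disk=$1; mnt=$2; root_lv=$3
    # refuse to run against a plain directory: copying /boot there would
    # silently fill the root filesystem instead of the stick
    if ! grep -q " $mnt " /proc/mounts 2>/dev/null; then
        echo "$mnt is not a mounted filesystem" >&2
        return 1
    fi
    cp -a /boot/. "$mnt"/
    make_usb_lilo_conf "$usb_disk" "$mnt" "$root_lv" > "$mnt"/lilo.conf
    lilo -C "$mnt"/lilo.conf
    sync
}

# Usage (only when explicitly asked for, so sourcing this file is harmless):
#   mount /dev/sdb1 /mnt/usbboot && USB_BOOT_INSTALL=yes sh usbboot.sh
if [ "${USB_BOOT_INSTALL:-no}" = yes ]; then
    install_boot_to_usb /dev/sdb /mnt/usbboot /dev/cryptvg/root
fi
```

Because the stick's LILO map records sector positions, the script has to be rerun every time /boot changes (kernel or initrd rebuild), just as `lilo` has to be rerun for the hard drive. Once the stick is confirmed to boot the system, the copy on /dev/sda1 can be deleted to meet the original goal; the stick then holds the only unencrypted boot files and needs the same care, as T3slider points out in post #8.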
 
Old 11-11-2011, 07:00 PM   #2
saivnoba
Member
 
Registered: Aug 2010
Distribution: Debian Sid, openSUSE, Gentoo, Slackware64
Posts: 68

Rep: Reputation: 2
I believe you can boot from the Slackware CD/DVD, mount your Slackware installation (on /mnt) and choose the option in 'setup' to create a bootup disk.
 
Old 11-11-2011, 10:50 PM   #3
STDOUBT
Member
 
Registered: May 2010
Location: Stumptown
Distribution: Slackware 14.0/32bit + Xmonad
Posts: 269

Original Poster
Rep: Reputation: 63
Quote:
Originally Posted by saivnoba View Post
I believe you can boot from the Slackware CD/DVD, mount your Slackware installation (on /mnt) and choose the option in 'setup' to create a bootup disk.
Yes, but this only creates a bootstrap which uses the un-encrypted /boot partition to load the initrd.
The kernel, etc. remain on the hard drive unencrypted. I want /boot on the USB stick.
 
Old 11-15-2011, 11:13 PM   #4
ChickTower
LQ Newbie
 
Registered: May 2011
Location: Michigan
Distribution: Slackware
Posts: 18

Rep: Reputation: 11
Quote:
Originally Posted by STDOUBT View Post
Slackware 13.37, default kernel, 32bit.

/sda1 = /boot
/sda2 = LVM with luks (cryptvg-root, cryptvg-home, cryptvg-swap)

My goal is to require a USB flash stick to boot the OS,
thus eliminating the use of unencrypted boot files on the hard drive.
**I Do Not wish to include the luks key file for "passwordless booting"**.
...
It's hard to believe I couldn't find a tutorial for this after
5 days of earnest searching but it's true!
Thanks for any clues!
Does this old article help you out?

http://www.linuxjournal.com/article/7743
 
Old 11-16-2011, 12:53 AM   #5
STDOUBT
Member
 
Registered: May 2010
Location: Stumptown
Distribution: Slackware 14.0/32bit + Xmonad
Posts: 269

Original Poster
Rep: Reputation: 63
ChickTower,
Thanks for your reply. It looks like that article might give me some ideas, but I was really hoping to find something Slackware-specific, or at least a clear way to simply move /boot to a USB stick and have it work. I can't be the first one who wants to do this.
Disk encryption with an UNencrypted /boot partition is a gaping security hole. That's why I want to move /boot to something I can carry with me at all times.
If I ever come up with a solution, I'll be back to post it.
 
Old 11-16-2011, 01:41 AM   #6
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,291

Rep: Reputation: 708
Quote:
Originally Posted by STDOUBT View Post
ChickTower,
Thanks for your reply. It looks like that article might give me some ideas, but I was really hoping to find something Slackware-specific, or at least a clear way to simply move /boot to a USB stick and have it work. I can't be the first one who wants to do this.
Disk encryption with an UNencrypted /boot partition is a gaping security hole. That's why I want to move /boot to something I can carry with me at all times.
If I ever come up with a solution, I'll be back to post it.
How is having an unencrypted /boot a security hole? I suppose someone could mount /boot as rw and set up a new initrd that logs keystrokes when the password is entered or copies the keyfile if one is used, but beyond that having an unencrypted /boot doesn't allow anyone to more easily decrypt the LVM (and the same thing could be accomplished by using a hardware keylogger that might go unnoticed). There is certainly no information contained in /boot that would compromise the security of LUKS encryption...anything required to decrypt and mount the system is determined dynamically at boot time by the init script. Information leakage includes the kernels (vmlinuz, config, System.map, modules in the initrd only), the LUKS device (which could be determined anyway), the root device and resume device if set (this is no help in decrypting the partition, and if the partition *is* decrypted then you get this information anyway, so its knowledge isn't dangerous).

If you are paranoid about the possibility of a keylogger being hacked into the initrd or something like that, then you'd better be careful about the MBR, too, which could be modified to boot another device or partition without your knowledge, and you should thoroughly check your hardware every time you boot up to make sure it wasn't tampered with (maybe install a security camera and review the footage every day, since some hardware keyloggers would be excessively difficult to detect). There is a level of paranoia that should probably remain confined to the CIA...I think an unencrypted /boot, with the remainder, including swap, encrypted, is reasonable. If you're using LUKS then the most practical next step to stem your paranoia would be to switch to TrueCrypt or something instead which allows for plausible deniability unlike LUKS.
 
Old 11-16-2011, 02:57 AM   #7
STDOUBT
Member
 
Registered: May 2010
Location: Stumptown
Distribution: Slackware 14.0/32bit + Xmonad
Posts: 269

Original Poster
Rep: Reputation: 63
Quote:
Originally Posted by T3slider View Post
...I suppose someone could mount /boot as rw and set up a new initrd that logs keystrokes when the password is entered or copies the keyfile if one is used,
Bingo. This attack is described in the link ChickTower posted, and also here https://twopointfouristan.wordpress.com/ which is the article that prompted me to pursue this defense. As for Truecrypt, for no rational reason I just don't trust it, and my threat model is such that plausible deniability is not a requirement.
Hardware-wise I'm not too concerned as I'll be able to tell if someone opened my laptop. An attack on the MBR is supposed to be "much harder", and probably harder to protect against. It should be easy to use a USB key as the system's /boot partition, but of the several methods I have tried, nothing has worked so far.

I really don't think paranoid is an apt description of someone who wants to secure their data. This unencrypted /boot partition is a hole in the security that cryptography is supposed to offer. This attack borders on trivial, and takes just a few minutes to implement. The fix for it should be "easy".
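Whether /boot ends up on a stick or stays on /dev/sda1, the modification T3slider describes in post #6 and STDOUBT confirms above (a swapped initrd, or altered MBR boot code) is something the encrypted system can check for itself once it is up. The script below is an added example for this thread, not Slackware's own tooling: it records a SHA-256 manifest of every file under /boot plus the first 446 bytes of the MBR (the boot-code area, before the partition table) and stores it inside the encrypted root, where someone with access to the plaintext /boot alone cannot rewrite it to match. The manifest path /etc/boot-manifest.sha256 and the environment variable used as a run guard are made up.

```shell
#!/bin/sh
# Detect changes to an unencrypted /boot (kernel, initrd, initrd-tree) and to
# the MBR boot code.  Added example for this thread, not from Slackware.  The
# manifest should live on the encrypted root (e.g. /etc/boot-manifest.sha256,
# an assumed path) so that tampering with the plaintext /boot cannot also
# adjust the record it is compared against.

set -eu

# Print a manifest: one "hash  ./path" line per regular file under $bootdir
# (symlinks such as /boot/vmlinuz are skipped, their targets are hashed),
# sorted by path, followed by one line for the first 446 bytes of $mbrdev.
# Paths are recorded relative to $bootdir, so the same manifest is valid
# whether /boot is checked in place or from a rescue mount.
make_boot_manifest() {
    bootdir=$1; mbrdev=$2
    (cd "$bootdir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
    mbr_hash=$(dd if="$mbrdev" bs=446 count=1 2>/dev/null | sha256sum | cut -d' ' -f1)
    printf '%s  MBR:%s\n' "$mbr_hash" "$mbrdev"
}

# Recompute the manifest and compare it with the stored one.  Returns 0 when
# identical, 1 otherwise; on mismatch the differing lines go to stderr so a
# kernel upgrade you did yourself can be told apart from a change you did not.
verify_boot_manifest() {
    bootdir=$1; mbrdev=$2; manifest=$3
    current=$(make_boot_manifest "$bootdir" "$mbrdev")
    if [ "$current" = "$(cat "$manifest")" ]; then
        return 0
    fi
    echo "boot manifest mismatch ($bootdir, $mbrdev):" >&2
    printf '%s\n' "$current" | diff "$manifest" - >&2 || true
    return 1
}

# Usage, after a known-good boot and after every intentional kernel change:
#   make_boot_manifest /boot /dev/sda > /etc/boot-manifest.sha256
# Then from rc.local (or by hand) with BOOT_MANIFEST_CHECK=yes:
if [ "${BOOT_MANIFEST_CHECK:-no}" = yes ]; then
    verify_boot_manifest /boot /dev/sda /etc/boot-manifest.sha256
fi
```

The check runs only after the LUKS passphrase has already been typed, so it cannot stop a modified initrd from capturing it; what it gives you is prompt notice that the boot files changed, which is the point at which the passphrase should be treated as exposed and rotated. The MBR line covers the second modification T3slider mentions, since LILO's first-stage code sits in those 446 bytes.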
 
Old 11-16-2011, 11:07 PM   #8
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,291

Rep: Reputation: 708
If you want to do this you might want to take a look at the usb-and-pxe-installers directory on your install media (or your favourite mirror). Explore usbimg2disk.sh and write your own script to produce a custom bootable USB stick...there is an example of a modification to usbboot.img in that script to produce a full Slackware installer on a USB stick, which you could adapt to instead copy the proper files from /boot and /boot/initrd-tree and recreate the initrd. It will certainly require some effort on your part since I don't believe anyone has done it before, though I could definitely be wrong. It is definitely doable.

Of course, now if anyone obtains your boot stick they can get the same results that you're afraid of in the first place...
 
Old 11-30-2011, 11:07 PM   #9
ChickTower
LQ Newbie
 
Registered: May 2011
Location: Michigan
Distribution: Slackware
Posts: 18

Rep: Reputation: 11
Quote:
Originally Posted by STDOUBT View Post
ChickTower,
Thanks for your reply. It looks like that article might give me some ideas, but I was really hoping to find something Slackware-specific, or at least a clear way to simply move /boot to a USB stick and have it work. I can't be the first one who wants to do this....
Sorry for the long delay, but I just noticed that there are some pertinent files in the Linux-HOWTOS in my Slackware 13.0 installation. You might see if they help you out any.
 
  

