LinuxQuestions.org


hutyerah 09-19-2013 08:00 PM

Passphrase protected keyfile usbs
 
1 Attachment(s)
Hi all,

I've always wanted to unlock my pc with a usb stick AND a passphrase. Currently slackware only allows one or the other. I've made a modification to the initrd.gz init script which allows me to use a keyfile on a luks-encrypted usb stick to unlock filesystems... basically instead of just mounting the usb stick, it tries to unlock it first if it's a luks volume.

It works the same as before, but now you can also specify a filesystem to the mkinitrd -K option too:

mkinitrd ... -K /dev/sdb3:/keyfile ...
mkinitrd ... -K /dev/sdb3:ext2:/keyfile ...

If you don't specify a filesystem it uses the existing auto-detection. But that never worked for me, it tried to mount my ext2 as a vfat (which is why I made the fs mod).

It would still need a mod to mkinitrd to not include vfat if the user specified an fs, though. I thought with the beta out I'd better make it public if I wanted any chance of it being in the release :P
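
Added example, not part of the thread and not hutyerah's attached patch or Slackware's init code: a sketch of the behaviour described in the post above, parsing both `-K` forms and opening the stick with `cryptsetup` when it is a LUKS volume before copying the keyfile. The names `parse_keyspec`, `fetch_key`, `lukskey` and `/mountkey` are hypothetical, and the key device is assumed to be given as a `/dev/...` node.

```shell
#!/bin/sh
# Added example: parse_keyspec, fetch_key, lukskey and /mountkey are
# hypothetical names, not taken from Slackware's init or the attached patch.

# Split "DEV:/path" or "DEV:FS:/path" into KEYDEV, KEYFS and KEYPATH.
parse_keyspec() {
    case $1 in *:*) ;; *) return 1 ;; esac
    KEYDEV=${1%%:*}
    rest=${1#*:}
    case $rest in
        /*)   KEYFS=auto;        KEYPATH=$rest ;;
        *:/*) KEYFS=${rest%%:*}; KEYPATH=${rest#*:} ;;
        *)    return 1 ;;
    esac
    # Only plain device nodes (assumption). The fs name is handed to
    # "mount -t", so accept a single [a-z0-9] word and nothing else.
    case $KEYDEV in /dev/?*) ;; *) return 1 ;; esac
    case $KEYFS in ''|*[!a-z0-9]*) return 1 ;; esac
    case $KEYPATH in *..*) return 1 ;; esac
    return 0
}

# Copy the keyfile named by spec $1 to $2, opening the stick first if it is LUKS.
fetch_key() {
    parse_keyspec "$1" || return 1
    src=$KEYDEV
    if cryptsetup isLuks "$KEYDEV" 2>/dev/null; then
        # Prompts for the stick's passphrase: the "something you know" factor.
        cryptsetup luksOpen "$KEYDEV" lukskey || return 1
        src=/dev/mapper/lukskey
    fi
    mkdir -p /mountkey
    if [ "$KEYFS" = auto ]; then
        mount -o ro "$src" /mountkey
    else
        mount -o ro -t "$KEYFS" "$src" /mountkey
    fi && cp "/mountkey$KEYPATH" "$2"
    rc=$?
    umount /mountkey 2>/dev/null
    # Close the mapping again so the stick can be pulled out.
    [ "$src" = "$KEYDEV" ] || cryptsetup luksClose lukskey
    return $rc
}

# Stand-alone use: script.sh /dev/sdb3:ext2:/keyfile /tmp/root.key
if [ $# -eq 2 ]; then fetch_key "$1" "$2"; fi
```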

gegechris99 09-20-2013 08:39 AM

Quote:

Originally Posted by hutyerah (Post 5031021)
I've always wanted to unlock my pc with a usb stick AND a passphrase.

Hello,

Apart from the thrill of it, is there any practical reason why someone would want to use this method?

Just curious.

hutyerah 09-20-2013 09:32 AM

Additional security :) "They" talk about something you know, something you are, and something you have as the three types of auth tokens. The more of them you use to auth, the more secure it is (theoretically). In practice "something you are" tends to be hard to do securely+cheaply, like fingerprints are easily forged, even retina scans are hard to do well. In this case, the something you know is the passphrase and the something you have is the usb stick.

Practically, it helps because if you only have the encrypted disk, it is hard to break because the passphrase is long and strong- i.e. a keyfile. But that's the same as using JUST a usb stick. If someone then manages to get both the usb and the disk, say if you're away, then your pc is still safe (unlike using just the usb stick) because they need the passphrase too. Or, say, if I accidentally leave it in my computer. That may or may not be a thing that happens ;)

gegechris99 09-20-2013 12:35 PM

Thank you for the explanation.

Quote:

Originally Posted by hutyerah (Post 5031359)
"They" talk about something you know, something you are, and something you have as the three types of auth tokens.

Good to know that ;)

STDOUBT 09-22-2013 03:01 PM

hutyerah,
Thank you for pushing the envelope. I have yet even to read your patch, but this
sort of mechanism should have been trivial to implement for the end user long ago (IMHO).

273 09-22-2013 03:11 PM

I thought this was what pam_usb was for? Though I can't say I've tried it myself since I don't have a use for it at present.

hutyerah 09-22-2013 07:51 PM

Thanks STDOUBT. I agree, that's why I posted this, so hopefully it IS trivial in the next Slackware ;)

273, I guess it's like pam_usb. But you can work around pam_usb (or any non-encryption authentication) when you have physical access to the machine, by booting off another disk and messing with the hard drive. This is encryption so you can't do that. Also, Slackware does not use PAM :)

hutyerah 09-26-2013 06:23 PM

Am I wrong to bump?

XavierP 09-27-2013 06:25 AM

Per the LQ Rules, please do not bump your own thread. Because the LQ membership is global, people in other time zones may not have seen this post yet, and thus it may take some time before a response is received.
http://www.linuxquestions.org/rules.php

number22 09-27-2013 07:08 PM

Good idea, we need to implement more security features. Slackware is known for focusing on robustness, simplicity, and security. I wish the standard installation had a LUKS option.

philanc 09-27-2013 08:16 PM

Quote:

Originally Posted by hutyerah (Post 5031021)
I've always wanted to unlock my pc with a usb stick AND a passphrase. Currently slackware only allows one or the other. I've made a modification to the initrd.gz init script which allows me to use a keyfile on a luks-encrypted usb stick to unlock filesystems... basically instead of just mounting the usb stick, it tries to unlock it first if it's a luks volume.

This is an interesting idea, from a security standpoint. But if you are ready to insert a USB key at each boot, why not go one step further?

Why not include the kernel and the initrd on the USB stick and boot from it? The keyfile used to unlock the main slackware partition on the hard disk could then be stored _within_ the initrd.

Benefits:

. your setup is more secure: no more risk that viruses compromise your kernel or initrd when you dual-boot with Windows, or when you try a nice (but untrusted) distro on a live CD...

. you protect your trusted slackware partition against so-called "evil maid" attacks (anyone tampering with your PC when you are away)

. you can remove the USB stick and store it safely as soon as the kernel and initrd are loaded (as soon as you start seeing all those kernel messages on the screen). No need to wait for USB drivers to initialize (it may take several seconds). This makes a noticeable difference in usability.

I have been using this approach for a while, and I'd also be interested in having feedback, comments and suggestions.

Phil

STDOUBT 09-29-2013 01:07 PM

philanc,

I tried for quite some time to figure out how to do what you're doing.
I was approaching the problem by trying to have the entirety of /boot
on a USB stick. Couldn't get it to work.

Do you have a written tutorial or at least a series of commands with
explanations that you could share?

philanc 09-29-2013 06:35 PM

Quote:

Originally Posted by STDOUBT (Post 5036852)
philanc,

I tried for quite some time to figure out how to do what you're doing.
I was approaching the problem by trying to have the entirety of /boot
on a USB stick. Couldn't get it to work.

Do you have a written tutorial or at least a series of commands with
explanations that you could share?


I don't have any written tutorial or detailed list of commands, but I can roughly explain the steps.

1. I assume that you already have a Slackware installation with the root filesystem in an encrypted partition (using cryptsetup/LUKS). If you don't, this is certainly the most delicate part. Fortunately we have a great guide written by AlienBOB on how to implement this. Look for:
<your-slackware-mirror>/slackware-current/README_CRYPT.TXT
and start with this

2. So now we have a bootable system, with all the root filesystem in an encrypted partition and a boot manager (maybe lilo) in a (usually small) boot partition. For the sake of this discussion, assume the encrypted root filesystem is in sda8, and the boot partition is sda1.

In sda1, we have the kernel and the initrd used to boot. Let's call them generic-smp and initrd.gz respectively. If I remember correctly, there should be no need to change or rebuild initrd.gz.

3. We can now prepare a USB stick to boot from. Make sure there is nothing valuable on the stick (or make sure you have a backup!) Insert the stick in your PC. To keep it simple, let's assume there is only one partition with a FAT filesystem on it and that the USB device is /dev/sdb and the partition is /dev/sdb1. Mount it somewhere and copy generic-smp and initrd.gz to the USB stick root. Create a 'syslinux.cfg' text file with the following:
Code:

 
  default b
  prompt 1
  timeout 5
 
  label b
    kernel /generic-smp
    append initrd=/initrd.gz

(more details with 'man syslinux', and many tutorials and examples on the web to get a more user-friendly boot menu!)

Now set up the USB stick master boot record. Unmount the stick. (Before performing the steps below, make _sure_ that the USB stick is '/dev/sdb'!!). As root, do:
Code:

  cat /usr/share/syslinux/mbr.bin >/dev/sdb
  syslinux --install /dev/sdb1
  sync

Looking at lilo.conf, there may be additional parameters for the kernel cmdline. If yes, add them to 'append' line in syslinux.cfg. I don't use lilo and don't have it handy so I cannot check it.

4. Now, if your BIOS is set up correctly to allow booting from a USB disk, you should be able to boot from the USB stick into your encrypted partition.

5. Let's add a keyfile for the encrypted partition. The easiest solution is to store it as another file in the USB stick. Please refer to the README_CRYPT.TXT document, section 'Additional passphrases, keyfiles' which explains how to do this.

To embed the keyfile within the initrd is a bit more complex. You must expand the initrd (this is a compressed cpio archive), add the keyfile, modify the cryptsetup invocation to use the keyfile, and recompress the initrd tree. I may add more details on this in a further post if there is some interest.

HTH

Phil
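
Added example, not part of philanc's post: a guard for the destructive step 3 above, which writes to the raw disk. It refuses to run the two syslinux commands from the post unless the target is a whole disk that sysfs reports as removable, attached over USB, and unmounted. The function names and the `SYSFS`/`MOUNTS` override variables are hypothetical; the `mbr.bin` path is the one given in the post.

```shell
#!/bin/sh
# Added example: is_safe_usb_target and install_syslinux are hypothetical names.
# SYSFS and MOUNTS exist only so the check can be exercised on a fake tree.
SYSFS=${SYSFS:-/sys}
MOUNTS=${MOUNTS:-/proc/mounts}

# Succeed only if $1 (e.g. /dev/sdb) is a whole, removable, USB-attached disk
# with no partition mounted. USB hard disks that report removable=0 are
# rejected too; that is deliberate, check those by hand.
is_safe_usb_target() {
    name=${1#/dev/}
    node=$SYSFS/block/$name
    # Partitions (sdb1) have no entry directly under /sys/block.
    [ -e "$node/removable" ] || { echo "$1: not a whole disk" >&2; return 1; }
    [ "$(cat "$node/removable")" = 1 ] || { echo "$1: not removable" >&2; return 1; }
    # /sys/block/sdb is a symlink into the device tree; a USB stick's path
    # passes through a usbN bus directory.
    case $(readlink -f "$node") in
        */usb[0-9]*/*) ;;
        *) echo "$1: not on the USB bus" >&2; return 1 ;;
    esac
    if grep -q "^$1[0-9]* " "$MOUNTS"; then
        echo "$1: still mounted, unmount it first" >&2
        return 1
    fi
    return 0
}

# The commands from the post, run only after the target has been verified.
install_syslinux() {
    is_safe_usb_target "$1" || return 1
    cat /usr/share/syslinux/mbr.bin >"$1" &&
    syslinux --install "${1}1" &&
    sync
}

# Stand-alone use, as root: script.sh /dev/sdb
if [ $# -eq 1 ]; then install_syslinux "$1"; fi
```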

STDOUBT 09-29-2013 10:40 PM

Many thanks, philanc.
I hope I get some time soon to try this out!

hutyerah 10-01-2013 10:43 PM

philanc, I like your style and would like to subscribe to your newsletter.

But I'm confused... if I put the keyfile in the initrd, then I can't use a passphrase as well, right? I guess if I did this I'd effectively have my regular slackware boot partition just on the usb stick as well as my encrypted keyfile partition.

