LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 09-19-2013, 07:00 PM   #1
hutyerah
Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware
Posts: 39

Rep: Reputation: 16
Passphrase protected keyfile usbs


Hi all,

I've always wanted to unlock my pc with a usb stick AND a passphrase. Currently slackware only allows one or the other. I've made a modification to the initrd.gz init script which allows me to use a keyfile on a luks-encrypted usb stick to unlock filesystems... basically instead of just mounting the usb stick, it tries to unlock it first if it's a luks volume.

It works the same as before, but now you can also specify a filesystem to the mkinitrd -K option too:

mkinitrd ... -K /dev/sdb3:/keyfile ...
mkinitrd ... -K /dev/sdb3:ext2:/keyfile ...

If you don't specify a filesystem it uses the existing auto-detection. But that never worked for me, it tried to mount my ext2 as a vfat (which is why I made the fs mod).

It would still need a mod to mkinitrd to not include vfat if the user specified an fs, though. I thought with the beta out I'd better make it public if I wanted any chance of it being in the release :P
Attached Files
File Type: txt init.patch.txt (1.8 KB, 24 views)
 
Old 09-20-2013, 07:39 AM   #2
gegechris99
Member
 
Registered: Oct 2005
Location: France
Distribution: Slackware 14.1 32bit
Posts: 725
Blog Entries: 3

Rep: Reputation: 77
Quote:
Originally Posted by hutyerah View Post
I've always wanted to unlock my pc with a usb stick AND a passphrase.
Hello,

Apart for the thrill of it, is there any practical reason why someone would want to use this method?

Just curious.

Last edited by gegechris99; 09-20-2013 at 07:39 AM. Reason: typo
 
1 members found this post helpful.
Old 09-20-2013, 08:32 AM   #3
hutyerah
Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware
Posts: 39

Original Poster
Rep: Reputation: 16
Additional security "They" talk about something you know, something you are, and something you have as the three types of auth tokens. The more of them you use to auth, the more secure it is (theoretically). In practice "something you are" tends to be hard to do securely+cheaply, like fingerprints are easily forged, even retina scans are hard to do well. In this case, the something you know is the passphrase and the something you have is the usb stick.

Practically, it helps because if you only have the encrypted disk, it is hard to break because the passphrase is long and strong- i.e. a keyfile. But that's the same as using JUST a usb stick. If someone then manages to get both the usb and the disk, say if you're away, then your pc is still safe (unlike using just the usb stick) because they need the passphrase too. Or, say, if I accidentally leave it in my computer. That may or may not be a thing that happens
 
Old 09-20-2013, 11:35 AM   #4
gegechris99
Member
 
Registered: Oct 2005
Location: France
Distribution: Slackware 14.1 32bit
Posts: 725
Blog Entries: 3

Rep: Reputation: 77
Thank you for explanation.

Quote:
Originally Posted by hutyerah View Post
"They" talk about something you know, something you are, and something you have as the three types of auth tokens.
Good to know that
 
Old 09-22-2013, 02:01 PM   #5
STDOUBT
Member
 
Registered: May 2010
Location: Stumptown
Distribution: Slackware 14.0/32bit + a T60p (2007-YS3) = YES
Posts: 263

Rep: Reputation: 62
hutyerah,
Thank you for pushing the envelope. I have yet even to read your patch, but this
sort of mechanism should have been trivial to implement for the end user long ago (IMHO).
 
1 members found this post helpful.
Old 09-22-2013, 02:11 PM   #6
273
Senior Member
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 3,377

Rep: Reputation: 782Reputation: 782Reputation: 782Reputation: 782Reputation: 782Reputation: 782Reputation: 782
I thought this was what pam_usb was for? Though I can't say I've tried it myself since I don't have a use for it at present.
 
1 members found this post helpful.
Old 09-22-2013, 06:51 PM   #7
hutyerah
Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware
Posts: 39

Original Poster
Rep: Reputation: 16
Thanks STDOUBT. I agree, that's why I posted this, so hopefully it IS trivial in the next Slackware

273, I guess it's like pam_usb. But you can work around pam_usb (or any non-encryption authentication) when you have physical access to the machine, by booting off another disk and messing with the hard drive. This is encryption so you can't do that. Also, Slackware does not use PAM
 
Old 09-26-2013, 05:23 PM   #8
hutyerah
Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware
Posts: 39

Original Poster
Rep: Reputation: 16
Am I wrong to bump?
 
Old 09-27-2013, 05:25 AM   #9
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,176
Blog Entries: 4

Rep: Reputation: 430Reputation: 430Reputation: 430Reputation: 430Reputation: 430
Per the LQ Rules, please do not bump your own thread. Because the LQ membership is global, people in other time zones may not have seen this post yet, and thus it may take some time before a response is received.
http://www.linuxquestions.org/rules.php
 
Old 09-27-2013, 06:08 PM   #10
number22
Member
 
Registered: Sep 2006
Location: Earth
Distribution: Slackware 14.1 Slackware64-current multilib
Posts: 183
Blog Entries: 1

Rep: Reputation: 38
good idea, need to implement more security features, Slackware are named for focusing on robust, simplicity, and security. I wish the standard installation with LUKS option.
 
Old 09-27-2013, 07:16 PM   #11
philanc
Member
 
Registered: Jan 2011
Posts: 65

Rep: Reputation: 26
Quote:
Originally Posted by hutyerah View Post
I've always wanted to unlock my pc with a usb stick AND a passphrase. Currently slackware only allows one or the other. I've made a modification to the initrd.gz init script which allows me to use a keyfile on a luks-encrypted usb stick to unlock filesystems... basically instead of just mounting the usb stick, it tries to unlock it first if it's a luks volume.
This is an interesting idea, from a security standpoint. But if you are ready to insert a USB key at each boot, why not go one step further?

Why not include the kernel and the initrd on the USB stick and boot from it? The keyfile used to unlock the main slackware partition on the hard disk could then be stored _within_ the initrd.

Benefits:

. your setup is more secure: no more risk that viruses compromise your kernel or initrd when you dual-boot with Windows, or when you try a nice (but untrusted) distro on a live CD...

. you protect your trusted slackware partition against so-called "evil maid" attacks (anyone tampering with your PC when you are away)

. you can remove the USB stick and store it safely as soon as the kernel and initrd are loaded (as soon as you start seeing all those kernel messages on the screen). No need to wait for USB drivers to initialize (it may take several seconds). This makes a noticeable difference in usability.

I have been using this approach for a while, and I'd also be interested in having feed-back, comments and suggestions

Phil
 
1 members found this post helpful.
Old 09-29-2013, 12:07 PM   #12
STDOUBT
Member
 
Registered: May 2010
Location: Stumptown
Distribution: Slackware 14.0/32bit + a T60p (2007-YS3) = YES
Posts: 263

Rep: Reputation: 62
philanc,

I tried for quite some time to figure out how to do what you're doing.
I was approaching the problem by trying to have the entirety of /boot
on a USB stick. Couldn't get it to work.

Do you have a written tutorial or at least a series of commands with
explanations that you could share?
 
Old 09-29-2013, 05:35 PM   #13
philanc
Member
 
Registered: Jan 2011
Posts: 65

Rep: Reputation: 26
Quote:
Originally Posted by STDOUBT View Post
philanc,

I tried for quite some time to figure out how to do what you're doing.
I was approaching the problem by trying to have the entirety of /boot
on a USB stick. Couldn't get it to work.

Do you have a written tutorial or at least a series of commands with
explanations that you could share?

I don't have any written tutorial or detailed list of commands, but I can roughly explain the steps.

1. I assume that you already have a Slackware installation with the root filesystem in an encrypted partition (using cryptsetup/LUKS). If you don't, this is certainly the most delicate part. Fortunately we have a great guide written by AlienBOB on how to implement this. Look for:
<your-slackware-mirror>/slackware-current/README_CRYPT.TXT
and start with this

2. So now we have a bootable system, with all the root filesystem in an encrypted partition and a boot manager (maybe lilo) in a (usually small) boot partition. For the sake of this dicussion, assume the encrypted root filesystem is in sda8, and the boot partition is sda1.

In sda1, we have the kernel and the initrd used to boot. Let's call them generic-smp and initrd.gz respectively. If I remember correctly, there should be no need to change or rebuild initrd.gz.

3. We can now prepare a USB stick to boot from. Make sure there is nothing valuable on the stick (or make sure you have a backup!) Insert the stick in your PC. To keep it simple, let's assume there is only one partition with a FAT filesystem on it and that the USB device is /dev/sdb and the partition is /dev/sdb1. Mount it somewhere and copy generic-smp and initrd.gz to the USB stick root. create a 'syslinux.cfg' text file with the following:
Code:
  
  default b
  prompt 1
  timeout 5
  
  label b
    kernel /generic-smp
    append initrd=/init.gz
(more details with 'man syslinux', and many tutorials and examples on the web to get a more user-friendly boot menu!)

Now setup the USB stick master boot record. Unmount the stick. (Before performing the steps below, make _sure_ that the USB stick is '/dev/sdb'!!). As root, do:
Code:
   cat /usr/share/syslinux/mbr.bin >/dev/sdb
   syslinux --install /dev/sdb1
   sync
Looking at lilo.conf, there may be additional parameters for the kernel cmdline. If yes, add them to 'append' line in syslinux.cfg. I don't use lilo and don't have it handy so I cannot check it.

4. Now, if your BIOS is setup correctly to allow booting from a USB disk, you should be able to boot from the USB stick into your encrypted partition.

5. Let's add a keyfile for the encrypted partition. The easiest solution is to store it as another file in the USB stick. Please refer to the README_CRYPT.TXT document, section 'Additional passphrases, keyfiles' which explain how to do this.

To embed the keyfile within the initrd is a bit more complex. You must expand the initrd (this is a compressed cpio archive), add the keyfile, modify the cryptsetup invocation to use the keyfile, and recompress the initrd tree. I may add more details on this in a further post if there is some interest.

HTH

Phil
 
2 members found this post helpful.
Old 09-29-2013, 09:40 PM   #14
STDOUBT
Member
 
Registered: May 2010
Location: Stumptown
Distribution: Slackware 14.0/32bit + a T60p (2007-YS3) = YES
Posts: 263

Rep: Reputation: 62
Many thanks, philanc.
I hope I get some time soon to try this out!
 
Old 10-01-2013, 09:43 PM   #15
hutyerah
Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware
Posts: 39

Original Poster
Rep: Reputation: 16
philanc, I like your style and would like to subscribe to your newsletter.

But I'm confused... if I put the keyfile in the initrd, then I can't use a passphrase as well, right? I guess if I did this I'd effectively have my regular slackware boot partition just on the usb stick as well as my encrypted keyfile partition.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
crypttab with nfs mounted keyfile guna_pmk Linux - Security 2 04-15-2011 06:14 AM
[SOLVED] Displaying the contents of buffers in a protected and non-protected critical section mashhype Programming 5 11-22-2010 09:41 PM
Keyfile & Password using cryptsetup dissident85 Linux - General 1 09-13-2009 01:32 PM
Problem with Live USBs joeblurton Linux - General 7 01-06-2009 07:38 PM
Problem for certain usbs vibinlakshman Linux - Newbie 2 12-24-2008 09:13 AM


All times are GMT -5. The time now is 01:39 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration