LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-17-2019, 06:07 AM   #16
zeebra
Member
 
Registered: Dec 2011
Distribution: Mageia, Slackware
Posts: 815
Blog Entries: 7

Rep: Reputation: 200Reputation: 200Reputation: 200

Ok, let's take this slowly.

You encrypt the disk, then you decrypt it when you use it. Why do you want to encrypt the OS?

Secondly, it is almost mandatory to have /home on a separate partition from /. Additionally you could make a separate /tmp as well. You'd encrypt both /home and /tmp and put some "sane" options on those partitions. "nodev" etc. There are many ways to secure /tmp, but it's something else than encryption. Just search the web for how to secure /tmp, there will be many pointers there.

If you worry about things, like /var, you can also add separate partitions for those kind of things. Just think about it, and do it right. Encryption is just one type of protection, but you cannot use any content on an encrypted drive unless you decrypt it first.

Regarding SWAP, either you need it or you do not need it. With modern hardware and RAM amount, you probably do not even need to have a SWAP partition. If you do, there are various ways to do that.

But in the end, I don't think you'll need to encrypt your / (root), unless you have some special needs (evil maid) and refuse to secure your system in other ways.
 
Old 08-17-2019, 07:04 PM   #17
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,255

Rep: Reputation: 130Reputation: 130
You should worry about /var. That's where the system and some applications write log files, write cache data, and various other stuff that could potentially contain pieces of your sensitive data or information about it stored in /home.

Many people (me included) hibernate their personal machines. That means data from RAM is written to disk. Again, that data can easily contain sensitive information, and be retrieved.

Encryption is not a one stop shop for security, and neither did I claim it to be. Encrypting disks is of real use when the disk is not being used. When it is unlocked, mounted on a running system the usefulness of hard drive encryption diminishes. That's when other security measures come into play. On a machine that runs 24x7 it may be of limited use. However, on a laptop that is taken to places, and as it risk of being left unattended it's of real use.

OK. So we're interested in encrypting data. Let's put our paranoia hats on and consider this to extremes. We don't encrypt the OS, and we accidentally leave the machine while going for coffee. What's to stop a person replacing aide, chkrootkit, selinux/apparmour configuration with compromised versions and then replace various binaries with modified versions that allow backdoors or shipping your data once the disk is unlocked and mounted?

Of course, with this amount of paranoia /boot should be a removable device that is never left with the machine.

This might be a little extreme, but most distros make this so easy to setup up, and performance impact on modern machines is negligible, to my mind there is no reason not to encrypt it.
 
Old 08-18-2019, 05:32 AM   #18
zeebra
Member
 
Registered: Dec 2011
Distribution: Mageia, Slackware
Posts: 815
Blog Entries: 7

Rep: Reputation: 200Reputation: 200Reputation: 200
Quote:
Originally Posted by phil.d.g View Post
OK. So we're interested in encrypting data. Let's put our paranoia hats on and consider this to extremes. We don't encrypt the OS, and we accidentally leave the machine while going for coffee. What's to stop a person replacing aide, chkrootkit, selinux/apparmour configuration with compromised versions and then replace various binaries with modified versions that allow backdoors or shipping your data once the disk is unlocked and mounted?
Bios password? Grub password? Keeping an eye on your computer? Screenlocking password? Root password?

How exactly is someone going to tamper with your root partition? Do you work for the CIA in China? Sure, then you'll need to consider some other things. You work in an important company? You work with confidential data? Then the above should be more then enough to secure your machine.
Worry about cracking/hacking over the internet? How does encryption prevent that when you use the machine? You can't run an OS with encrypted files, they have to be decrypted first.

If you reasonably want to secure your data and perhaps beyond that, you need to separate things and isolate that data on ideally different disks, but more realistically on different partitions.

You seem to focus on /var, and this is reasonable. So how do you secure your /var? By encrypting the OS? Nope.. You need to isolate /var and secure it. Either on a different disk or different partition. Sure, encrypting it is a good idea, but it's not the solution. If you think about it you need to take multiple steps, including securing /tmp and a separate partition with it's own security considerations. /var is NOT the OS, it's a utility area for the OS. If you use SeLinux and have set this up correctly and can manage that, I don't even know why you are posting this thread, you'd be better of combining SeLinux with isolation of things instead of wanting to encrypt the OS.

Sure, you can encrypt the root partition, go ahead, but it's not really that helpful. As you said, it is mostly helpful if you combine it with a separate /boot partition on a USB thumbdrive or something similar.

So, back to your original question. This thread is "encryption of OS, part of it or none", my personal answer is part of it. Isolate those parts and encrypt them, but also take other necessary steps to secure them, because encryption is not some magic solution.

Other topics to look into:
"how to secure /tmp on Linux"
"securing /tmp Linux"
"how to secure /var on Linux"
"securing /var on Linux"
"securing GNU/Linux with SeLinux.
 
Old 08-18-2019, 07:31 AM   #19
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,508

Rep: Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811
Quote:
Originally Posted by phil.d.g View Post
We don't encrypt the OS, and we accidentally leave the machine while going for coffee. What's to stop a person replacing aide, chkrootkit, selinux/apparmour configuration with compromised versions and then replace various binaries with modified versions that allow backdoors or shipping your data once the disk is unlocked and mounted?
Encryption doesn't actually prevent that. You need some kind of signature, and you need to keep the verification key and verifying program with you (otherwise those can be replaced as well).
 
Old 08-18-2019, 08:44 AM   #20
zeebra
Member
 
Registered: Dec 2011
Distribution: Mageia, Slackware
Posts: 815
Blog Entries: 7

Rep: Reputation: 200Reputation: 200Reputation: 200
Quote:
Originally Posted by ntubski View Post
Encryption doesn't actually prevent that. You need some kind of signature, and you need to keep the verification key and verifying program with you (otherwise those can be replaced as well).
Add to that good routines and passive security like screenlock timer and password, possibly with the combination of hibernation. Alternatively just password on root and terminal timeout. I personally prefer sleep, and I don't know how random persons will tamper with my computer physically if it is locked and in sleep mode and require a password to unlock or login to a getty. I also like the option for when you close your laptop lid, you can send your system directly to sleep or hibernation if you want. That way you have a very easy procedure when you leave your desk. I still think for a timely situation like a workplace, suspend is a better function than hibernation.

If my partition was encrypted or not would make no difference is this scenario at all. For hibernation it might, depending on how you do it, but then again you could secure your hibernated computer in other ways than encryption to prevent tampering.
If both your BIOS/UEFI and GRUB is secured with a password and configured correctly, then the evil maid cannot boot a liveUSB and tamper with an non-encrypted partition either.

Anyhow, I think the CORE to all this is to figure out "what security level is necessary for my situation". That's 1st priority and if you do not answer that first, anything else is just vanity.

Last edited by zeebra; 08-18-2019 at 08:50 AM.
 
Old 08-18-2019, 05:14 PM   #21
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,255

Rep: Reputation: 130Reputation: 130
Quote:
Originally Posted by zeebra View Post
Bios password? Grub password? Keeping an eye on your computer? Screenlocking password? Root password?
All these methods are easily circumventable, and it doesn't take a CIA Chinaman to do it.

Quote:
Originally Posted by zeebra View Post
Worry about cracking/hacking over the internet? How does encryption prevent that when you use the machine?
It doesn't. Like I said, the usefulness of encrypting drives is diminished when you are using it. The alternative that has been talked about is encrypting /home. That needs to be unlocked to login too. How are you protecting that from remote attacks?

Quote:
Originally Posted by zeebra View Post
You can't run an OS with encrypted files, they have to be decrypted first.
Agreed. I don't encrypt my drive to protect my information when I'm using it. I encrypt it for when I'm not. The laptop spends far more time turned off and unattended than it does on and in use. The desktop is on 24x7 and isn't encrypted.

Quote:
Originally Posted by zeebra View Post
So, back to your original question. This thread is "encryption of OS, part of it or none", my personal answer is part of it. Isolate those parts and encrypt them, but also take other necessary steps to secure them, because encryption is not some magic solution.
Right. And the original question is encrypting the OS, not hardening the complete system. You are right, and I have already agreed that encryption is not a one stop shop. It has a purpose, and a very useful one, but one that has nothing to do with protecting it when the machine is turned on.


Quote:
Originally Posted by ntubski View Post
Encryption doesn't actually prevent that. You need some kind of signature, and you need to keep the verification key and verifying program with you (otherwise those can be replaced as well).
Only when the machine is turned on. When it's turned off, encryption does a pretty good job of it. I agree encryption of the OS is useless when its running, but so is encrypting /home.

Quote:
Originally Posted by zeebra View Post
You seem to focus on /var.
Because bits of your data you thought were encrypted in /home could end up here, and under your proposal, unencrypted.
 
Old 08-18-2019, 06:40 PM   #22
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,508

Rep: Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811Reputation: 1811
Quote:
Originally Posted by phil.d.g View Post
Quote:
Quote:
We don't encrypt the OS, and we accidentally leave the machine while going for coffee. What's to stop a person replacing aide, chkrootkit, selinux/apparmour configuration with compromised versions and then replace various binaries with modified versions that allow backdoors or shipping your data once the disk is unlocked and mounted?
Encryption doesn't actually prevent that. You need some kind of signature, and you need to keep the verification key and verifying program with you (otherwise those can be replaced as well).
Only when the machine is turned on. When it's turned off, encryption does a pretty good job of it.
Well, not really:

https://en.wikipedia.org/wiki/Disk_e...urity_concerns
Quote:
Also, most of full disk encryption schemes don't protect from data tampering (or silent data corruption, i.e. bitrot).
 
Old 08-18-2019, 07:40 PM   #23
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,255

Rep: Reputation: 130Reputation: 130
Quote:
Originally Posted by ntubski View Post
Well, not really
Fair point.

However, that tampering is limited pretty much to corruption. You wouldn't be able to (to any practical purpose) replace specific binaries with trojaned ones, or retrieve data, and wikipedia does go on to say you can mitigate that concern by using a filesystem that does data integrity checks.

In terms of corrupted data. Backups?
 
Old 08-19-2019, 03:07 AM   #24
zeebra
Member
 
Registered: Dec 2011
Distribution: Mageia, Slackware
Posts: 815
Blog Entries: 7

Rep: Reputation: 200Reputation: 200Reputation: 200
Quote:
Originally Posted by phil.d.g View Post
Because bits of your data you thought were encrypted in /home could end up here, and under your proposal, unencrypted.
No, I proposed a separate partition for /var, and encryption of that partition.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
What's none means in command mount -t usbfs none /proc/bus/usb ? viktor2000 Linux - Newbie 1 08-30-2012 07:53 AM
redhat 6 gpg2 none gui encryption Xris718 Linux - Security 2 06-15-2012 10:56 AM
How to grep *.info;mail.none;authpriv.none;cron.none; in /etc/syslog.conf sharadchhetri Linux - Server 9 01-06-2012 02:55 PM
Linux password encryption and data encryption Tux-Slack Programming 4 06-20-2007 06:46 AM
Mandrake 9.0 Wireless Works without encryption.. does not with encryption topcat Linux - Wireless Networking 3 05-04-2003 08:47 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:23 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration