LinuxQuestions.org
Old 06-29-2020, 05:20 PM   #1
bmxakias
Member
 
Registered: Jan 2016
Posts: 235

Rep: Reputation: Disabled
Question Full disk encryption useless as it seems easy to bypass?


Hello

I was thinking of using the full disk encryption that most modern Linux distros, like Ubuntu, offer...

The problem seems to be that if I set an encryption key for full disk encryption, all that someone needs in order to change it or add a new key and be able to read my data is the root password.

The root password also seems very easy to change with physical access...

I was looking for a solution where no one without that encryption key will be able to access my data, even with physical access...

Am I wrong? Do I miss something?

Please let me know....

Thank you
 
Old 06-29-2020, 08:13 PM   #2
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 226

Rep: Reputation: Disabled
Just don't give that "someone" the key, that's the idea.
Encryption is there exactly to protect your data in the event of physical theft.
HOWEVER, it's easy to capture the key by infecting your initrd/cryptsetup binary via other means so you have to make sure no one can access the boot usb if we're talking about rootfs encryption.

Last edited by tinfoil3d; 06-29-2020 at 08:29 PM.
 
Old 06-29-2020, 09:01 PM   #3
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.8.2003
Posts: 4,866

Rep: Reputation: 1771
My experience with full disk encryption (on company-owned Windows laptops) came with these rules.
Unencrypted USB drives were not to be used.
They couldn't boot to USB or CD
They were not to be removed from the property unless they were turned off (shut down)
They were not to be left unattended and unlocked, even at your desk (cubicle).

One could get dinged if those rules were broken. Repeat offenders would be dismissed...and that did happen. (This was a Fortune 500 company on the DJIA)
Encryption only protects the 'puter when it's off. The disk has to be decrypted to operate. It doesn't prevent theft or cracking.
Disclaimer: I've no experience with it on Linux.
 
3 members found this post helpful.
Old 06-29-2020, 09:11 PM   #4
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: A few
Posts: 4,828

Rep: Reputation: 1435
Quote:
Originally Posted by bmxakias View Post

Am I wrong? Do I miss something?
Yes.

The superuser password or other passwords protect the data on the running PC from unauthorized access.

If somebody steals your PC, they can remove the disk, connect it to a different computer and access the data without superuser password. This is where encryption comes in. The data on the stolen disk can only be decrypted with the passphrase (more correctly, in case you use LUKS, the passphrase en/decrypts the master key, which en/decrypts the data).

Read the news for stories like "200 million credit card numbers on hard disks found in garbage". Were those disks encrypted, the data would be safe.

In short:
  • Root password to protect data on the running computer
  • Encryption passphrase to protect data on a stolen disk
If you have files that you want to protect from somebody breaking into your computer, encrypt those files with GPG (or other tools).

Last edited by berndbausch; 06-29-2020 at 09:16 PM.
 
2 members found this post helpful.
Old 06-30-2020, 12:46 AM   #5
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 18,918

Rep: Reputation: 3250
Physical access to a machine - especially one that is powered-on and unlocked - negates all security. End of discussion.

Using the logon pass{word,phrase} for encryption as well is fine if it's strong enough. However, this arrangement seems most common in distros that are trying to make things "easy" for the user, or trying to make Windows users feel at home.

Compromised security is just that - but it needn't be what you choose to use.
 
1 members found this post helpful.
Old 06-30-2020, 01:50 AM   #6
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 14,616
Blog Entries: 9

Rep: Reputation: 4099
Quote:
Originally Posted by bmxakias View Post
The problem seems to be that if I set an encryption key for full disk encryption, all that someone needs in order to change it or add a new key and be able to read my data is the root password.
These are two different things. If you fully encrypt the disk, then you cannot use the system at all without the key. Not root, not any other user.

This was explained by berndbausch above, but I thought I'd make it more clear.

Of course, if you use the same password for both (encryption and root account), then you're right.
 
Old 06-30-2020, 06:12 AM   #7
agillator
Member
 
Registered: Aug 2016
Distribution: Mint 19.1
Posts: 390

Rep: Reputation: Disabled
There is one other option you might not be aware of. If you do not really want to encrypt the entire disk but just one or more partitions you can use veracrypt. It can be set up for 'deniability' if you wish, i.e. you can't tell that it is there if it is not mounted. Of course, as anything else, once it is mounted it is accessed like a regular partition so it only protects when unmounted or off. It has been a while since I have used it and I can't remember for sure how an encrypted partition appears if you list them, for example with gparted. I think if you go with maximum deniability that it appears as unallocated unless you do some real forensic examination but I am not sure. This is not the disk encryption you were referring to, but it may suit your purposes.
 
Old 06-30-2020, 11:15 AM   #8
bmxakias
Member
 
Registered: Jan 2016
Posts: 235

Original Poster
Rep: Reputation: Disabled
I am NOT talking about a running PC.

The methods for changing/bypassing the encryption key are:


Method 1:
=========
Press Super.

Type Disk Utility and launch the program with the same name.

Select the encrypted partition.

Click Change passphrase.


Method 2:
=========
Ubuntu uses LUKS to encrypt partitions and LVMs.

LUKS supports eight key slots per partition. The cryptsetup luksAddKey and cryptsetup luksRemoveKey can be used to add and remove keys from the slots. cryptsetup luksDump can tell you which slots have keys in them.

Basically the right way to do this is you want to add a key to a new slot, test that you can successfully use the new key, and then when you are ready, delete the old key.

During the boot process, when you are asked for the key, it should tell which block device it's trying to unlock. That's the partition you need to apply the cryptsetup commands to.

So use cryptsetup to add a key, reboot, and try the new key. Once you can confirm that works, you can delete the old key.


Method 3:
=========
https://www.benburwell.com/posts/res...rypted-ubuntu/
or
https://alvinalexander.com/linux-uni...password-luks/


If in all the above cases the full disk decryption key is needed, then I am fine!

The goal is to set a full disk encryption key and then shut down the PC. Then reading the contents of the disk should be possible ONLY with the full disk decryption key.

But they don't specify that ....

Thanks all of you !
 
Old 06-30-2020, 11:19 AM   #9
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 226

Rep: Reputation: Disabled
Of course, you first need to provide any of the slot keys to decrypt the master key and successfully add a new one/replace an existing one.
 
Old 07-02-2020, 12:00 AM   #10
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,290

Rep: Reputation: 62
You could also look at using 2FA like google-authentication, or Yubi-keys to encrypt the luks partitions as well, this will give a second level of protection if the password for the luks partitions is compromised.
 
Old 07-02-2020, 12:09 AM   #11
tinfoil3d
Member
 
Registered: Apr 2020
Location: Japan/RJCC
Distribution: debian, lfs, whatever else i need in qemu
Posts: 226

Rep: Reputation: Disabled
And where do you suppose you put that 2fa in the disk? Controller firmware? Good shot, have fun playing with it. Your password should never be compromised unless you give it away because it must be completely unique. As for using keys on usb drives, you have to have a copy because usb drives die too.
 
1 members found this post helpful.
Old 07-02-2020, 07:41 AM   #12
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,572

Rep: Reputation: 1874
Quote:
Originally Posted by bmxakias View Post
I am NOT talking about a running PC.

The methods for changing/bypassing the encryption key are:


Method 1:
=========
Press Super.

Type Disk Utility and launch the program with the same name.
This requires a running PC, yes?

This one is about changing user account passwords, not disk encryption passwords.

This one is a bit confusing, because it says at the end
Quote:
In my case I hadn't lost the password I had in Key Slot 0, I just could never remember it,
I guess that means it was written down?
 
Old 07-02-2020, 09:04 PM   #13
php
Member
 
Registered: Jun 2001
Location: USA
Distribution: Slackware
Posts: 826

Rep: Reputation: 30
Good points here.
 
Old Yesterday, 10:30 AM   #14
RickDeckard
Member
 
Registered: Jan 2014
Location: Acworth, Georgia, USA
Distribution: Arch Hardened, Ubuntu 18.04, Fedora 30
Posts: 182

Rep: Reputation: Disabled
I use a regular SanDisk USB key to boot my kernel partition, full disk encryption enabled on the HDD itself and boot loader secured, and if that key isn't in the drive it falls through to the black screen/blinking cursor bit. Anyone who had physical access to my drive without the USB would still need the password to unlock.

Your decryption password, as other users have pointed out, has to be different from your root password. I've been toying with the idea of using a 4096-bit file of random data as a sort of token for that purpose, stored on the USB thusly negating the need for a password entirely.

Perhaps either one of those suggestions can help you out?
 
Old Yesterday, 01:41 PM   #15
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 14,704

Rep: Reputation: 4801
https://www.lisenet.com/2013/luks-ad...volume-header/
If I remember well, you cannot add a new key with luksAddKey without knowing a working key. Otherwise the whole LUKS setup would be completely useless.
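
Added example, not part of any post in this thread and not cryptsetup's code or on-disk format: a simplified Python model of the key-slot idea described in posts #4, #9 and #15, where a passphrase only unwraps the master key and a new slot can only be filled by someone who already has a working passphrase. `ToyHeader`, `kdf`, `xor` and `demo` are hypothetical names, the passphrases are constructed sample values, and the XOR wrap stands in for the real cipher.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # kept low so the demo is fast; real headers use far more

def kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyHeader:
    """Simplified key-slot header; a model, not the LUKS on-disk format."""

    def __init__(self, passphrase: bytes):
        master_key = os.urandom(32)            # the key that encrypts the data
        self.digest_salt = os.urandom(16)
        self.mk_digest = kdf(master_key, self.digest_salt)  # verifies a candidate key
        self.slots = [None] * 8                # eight key slots, as the thread notes
        self._fill(0, passphrase, master_key)

    def _fill(self, index: int, passphrase: bytes, master_key: bytes) -> None:
        salt = os.urandom(16)
        # Toy wrap: XOR with the passphrase-derived key stands in for a real cipher.
        self.slots[index] = (salt, xor(master_key, kdf(passphrase, salt)))

    def unlock(self, passphrase: bytes):
        """Return the master key if any slot opens with this passphrase, else None."""
        for salt, wrapped in filter(None, self.slots):
            candidate = xor(wrapped, kdf(passphrase, salt))
            if hmac.compare_digest(kdf(candidate, self.digest_salt), self.mk_digest):
                return candidate
        return None

    def add_key(self, existing: bytes, new: bytes) -> bool:
        """Wrap the master key under a new passphrase; needs a working one first."""
        master_key = self.unlock(existing)
        if master_key is None or None not in self.slots:
            return False                       # nothing to wrap, or no free slot
        self._fill(self.slots.index(None), new, master_key)
        return True

def demo():
    header = ToyHeader(b"disk passphrase")     # constructed sample values
    refused = header.add_key(b"root password", b"intruder key")
    added = header.add_key(b"disk passphrase", b"second passphrase")
    same = header.unlock(b"second passphrase") == header.unlock(b"disk passphrase")
    return refused, added, same, header.unlock(b"intruder key")
```

Calling `demo()` shows that the root password, which never appears in the header, cannot fill a slot, while the existing disk passphrase can.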
 
  

