Full disk encryption is becoming a very popular method of protecting ones self from data theft nowadays, especially among linux users. What someone might not know is that setting up secure full disk encryption isn't as easy as selecting it from a linux installer or choosing the option in some software program. If you use full disk encryption, you could be, and most likely are, vunerable to a multitude of attacks that could render your efforts useless. You're probably at risk if:
This tutorial will show you how these are threats and how to deal with each one of them. I will explain how to solve these problems only on linux, but it should be adaptable to any *nix OS.
Firstly, I'd like to make a note. You may think "Well it takes a 'Uber hacker' to pull off those tactics, why should I worry about that?". Well, if you're wasting all that computing power to encrypt and unencrypt the data as its written and read from your harddrive just to hide porn from your girlfriend, you might want to look into different methods. Full disk encryption is made for the people who have something to hide from other people who are determined enough to learn how to use those tactics and exploit the above encryption holes. If you're hiding something from someone that doesnt have any computer smarts then maybe look into alternate methods such as:
Now that we've cleared that up, lets move on :)
The Kernel is the boss of the operating system. It controls which data goes where and what is allowed to do each thing. You could see it as the rules of the universe, and we are the programs. We can only do what the rules allow us to do. We are limited by gravity, time, our need for food, etc. This godly kernel that is in full control of your computer, is sitting unencrypted on your harddisk. Thats right, there is absolutely zero encryption protection on this piece of software. Someone could walk right in while your computer is off, boot up the computer with a Live CD, and install their very own kernel to replace the old. So when you get home from work, turn on your computer, and enter your encryption code, the new kernel that you are not aware is there could have been modified to send your encryption key to the person who installed the modified kernel via the internet. Now that person has your code and with it access to all the data on your drive.
So why not encrypt the kernel? Problem solved, right? Wrong. When you turn on your computer this is what happens:
See how that works? If we encrypt the kernel, the boot loader would need to unencrypt the kernel, so the boot loader would have to ask for a key. But the bootloader would have to be unencryped, so someone could just as easily edit the boot loader to send them the key, as with the kernel. If we took even another step back and encrypted the Boot loader, the BIOS would have to be unencrypted and ask for the encryption key, and hence the BIOS could be edited. We could build encryption right into the hardware, which would effectively make it very difficult to bypass, but then everybody who bought the hardware would only be able to have one operating system that could not be changed. Imagine being stuck with Windows, or not being able to get rid of Linux if you wanted to install windows again (I cant see why you would want that, though). So obviously hardware companies are not going to do that just to make a few people happy but the rest really unhappy. Especially not when there is a way we can fix the problems ourselves. So how do you do that? I'll tell you :)
There's no security like physical security
What you have to do is make it so its impossible to edit the kernel. To do so, you have to keep the kernel on you at all times. No, I dont mean sticking your laptop up your shirt to go to work, I mean installing your kernel and boot loader onto a USB stick that you can carry around with you around your neck or in your pocket. Then, you know for sure that your kernel hasnt been edited because its been in your own sweaty clutches all day. If you were really paranoid, you might even keep it in a locked safe at night. Unfortunately, you will need a computer that can boot from USB. To enable this, you will have to access the BIOS on your computer and change the settings. The BIOS can be accessed usually just when the system starts up, it should say on the screen that there is a button you can press like F12 or ESC to enter settings. It depends on the computer manufacter and model, but its generally pretty straight forward. Once you're in the BIOS, just set up USB to be the first boot device. It might not be called USB, it could be called external harddrive or something similar. If you need more explicit instructions, or you're not sure if your system supports USB booting, just google around for instructions and im sure you'll find something. If not, it cant hurt to call the company. So now that you've gotten that set up you will of course need a USB drive. They dont need to be very big, 200MB should be more than enough.
Now comes installing Grub, the most common linux bootloader, on your USB stick. By far the easiest way would be to reinstall your operating system, and when doing so, specify your USB drive to be the partition that holds boot and the rest of your harddrive to be encrypted. If you don't want to reinstall your system, you can take the harder way and format your USB stick, copy /boot/ onto it, and manually install grub onto the USB stick. For this, you'll need to unmount /boot/, remount your USB stick in its place, edit /etc/fstab so the line that mounts /boot/ is commented out, and then, finally, run grub-install /dev/sdb (or whatever happens to be the name of your USB stick). That method can be quite complex to new linux users, so my recommendation is to install from scratch unless you know what you're doing.
There you go, your encrypted drives should now be as safe as possible from any attackers you may encounter. One thing I should point out though, is that alot of system updates (mainly kernel updates) need to modify the files on /boot/ to correctly perform the update. You should make sure that your USB stick is plugged in and mounted before you do any system updates.
Imagine for a second yourself in a coffee shop, or somewhere else thats public and you would bring your laptop to, drinking a cup of coffee and playing pacman on your laptop. While you're being an intense 70's gamer, someone just slipped a cord into the back of your computer and is downloading your encryption key. It takes less than a minute, and the only way you could tell is if you happened to be scanning your computer for abnormal activity at the time, or you caught the person with his cord jacked in. As far as I know, its full possible to perform this attack from a hand held device. Someone could sit down, start to talk to you, plug in a cable without you noticing, quickly get the key, and pull it out. What causes this is that firewire allows the two connected devices to access the others RAM directly, with no restrictions at all. So the device thats connected to your system could download everything thats in your RAM, including any passwords, SSH keys, sensitive files, and most importantly your encryption key. Sadly, the only way to really solve this is to completely disable firewire. This can be done from your BIOS sometimes, but just in case not, i'm going to show you a more software based way.
What were going to do is blacklist the kernel module. Remember that kernel I was telling you about? It has things called 'modules' that are added into it so it can handle extra hardware on your system. These modules control things like your ethernet ports, USB ports, firewire ports, and much more. So what we have to do is completely cut off the firewire module from the kernel. The most common driver is ieee1394, however your's might be different. If it doesnt work, consider using the lsmod command to check your loaded modules. To disable the ieee1394 module, run one of these commands are root:
If you run CentOS/Redhat/RHEL/Fedora:
echo "alias 1394 off" >> /etc/modprobe.conf
If you run Debian/Ubuntu:
echo "blacklist ieee1394" >> /etc/modprobe.d/blacklist
For fun, lets talk about the most absolutely unlikely thing to happen: Someone walks into your house, while you are on your computer that has perfect encryption set up, pushes you away from your desk, picks up your computer, drops it into a big cooler full of liquid nitrogen, leaves, and jumps into the back of a big black truck which proceeds to drive away with your system. Why, you ask? Liquid Nitrogen is cold, very cold. In fact, its -196C or -320F. That is enough to freeze virtually anything, including your RAM. When you start up your system and enter your encryption key, the key is needed again and again by your system throughout the time its turned on to unencrypt the data it reads and encrypt the data it writes. Were does it store this key? Obivously not the harddrive, since its too slow and you cant unencrypt something with a encrypted key :P Instead we use the RAM (Random Access Memory). If you're not sure what this is, you will probably want to google it. Going back to the story, these people that now have your computer can now get the encryption key off of your RAM, since the key is litterally frozen into the RAM. Once they have the key, they can use it to unencrypt your harddrive and they have your data. This has happened before, but it was by the government and they need a warrent to perform such a intrusion of privacy. It also costs lots of money to do, and there is virtually no logical way to prevent it but to see it comming. What I would do, if I was expecting government agents to bust down my door (not that I am :P), is set up security cameras and be ready to pull the power plug, throw myself on top of the computer, then hope to buy myself enough time for the encryption key to be wiped from the RAM. That would probably work, assuming that I can stop a bunch of muscle bulging government agents from separating me and the computer for around a minute. Of course, its a little unorthadox to keep a microwave for the sole purpose of throwing harddrives in it unless you're some super corrupt hacker who has broken into thousands of high importance government systems and stolen millions of dollars, and are already under suspicion. So you shouldn't worry about this one, its mainly for informational purposes. ;)
Also, another way this could be executed is if you leave your system alone after its been shut down. RAM has a flaw (well, its only considered a flaw when it comes to encryption) where information that stays in the same spot of the RAM may become 'imprinted' into the RAM. So that even after the system looses power, it may take up to 10 minutes for the information to leave the RAM. Fortunately, there is a workaround that is used commonly now that will move all the information that has been gotten from a encrypted source around periodically to prevent it from being imprinted in the RAM too long. This effectively cuts the waiting time down from 10 or so minutes to 1 minute.
Well, there you go. You have learnt all I have to teach you about encryption, and hopefully put the knowledge to the best of use. Who knows, maybe I just helped someone get interested into a career in cryptography :) If you have any comments, email me at stealth@stealth-x.com.
Posted by Aaron, on 12/27/2009
Excellent formatting, great content. This issue needs to be addressed and you did a great job of it. Keep up the good work :)
Posted by Mike, on 03/23/2010
If your system has a TPM chip, you can use the TPM stack from http://trousers.sourceforge.net/ to give yourself a trusted boot process where the bootloader and kernel are tamper proofed.
Posted by Rudy, on 03/23/2010
Fantastic article! The kernel-on-usb is a very good idea and easily done, even for newbies. I might just try that myself! =)
Posted by Kory, on 03/23/2010
If you are that concerned with these events happening then I think you are too much on the side of paranoia. Also, with a court order they could demand the passcode to access your files but that would require a search warrant and you have nothing to worry about as long as what you were doing is legal. I use encryption to keep the data away from guests using our network and others who do not have physical access.
Posted by Stealth- (Admin), on 03/23/2010
Kory, being on that side of paranoia saves lives in not-so-free countries, so I think you should rethink your statement. Also, yes, they can demand you give the passphrase, however in that case at least you have the option of deciding if the data is worth refusing. For more illegal purposes, taking the small fine issued for not giving the passcode is *far* less of a worry than jail time for whatever you did.
Thanks, Rudy, comments like that are much appreciated :)
Posted by Antarctic monkey, on 03/24/2010
Why not just have the whole Linux system on the usb? Is there a particular advantage of keeping kernel on usb but data on hard-drive? Other than not having a large capacity usb, which nowadays is quite cheap indeed.
Posted by Pastychomper, on 03/24/2010
Good points, nicely put - thanks! Regarding Firewire, there's a kernel option to disable Direct Memory Access for the firewire port while still allowing other uses. Presumably this would slow down any legitimate uses of the port, and I don't know whether some devices would stop working altogether, but it might be worth a try.
Posted by Fred, on 03/24/2010
There are some other things to consider as well. Your keyboard and monitor put out RF signals that can be tracked and decoded. Your keyboard, laptop or computer can be opened and have a device installed that will log keystrokes. Your back to physical security. You need a faraday cage to block leaking RF and a secured location that you can be sure no one tampered with your computer. Only if you can remove all doubt can you be sure. In reality where we live and most of us don't have those kind of budgets TrueCrypt is a good solution. You create an encrypted volume, and place some data that looks like you might want to keep it safe. Then unmount and create a 2nd hidden encrypted partition inside of the volume you had just used. So if you are forced to give up your key, it is to that first set of dummy data, there is no way to prove that you have a 2nd password and more data in the truecrypt volume. Encryption + plausible deniability is a good thing.
Posted by Stealth- (Admin), on 03/24/2010
Antarctic, yes, there is a advantage of keeping the data on the harddrive. Loading information from the USB is MUCH slower than loading data from the harddrive, which makes that unsuitable for putting the linux data onto the harddrive. However, the kernel isn't a problem because it is loaded into memory and only read from the USB stick on bootup.
Hmmm, I wasn't aware of that feature, Pastchomper, thanks for mentioning it :)
Fred, yes, you are definitely right, however RF signal reading technologies are much, much, much more difficult to pull off and so I thought was a little out of the scope of this tutorial. As for Truecrypt, you cannot do full disk encryption in linux and container encryption is VERY unsecure. Many people don't realize the key will, in many cases, get logged to the disk temporarily and therefore available for someone to pull off with data recovery tools.
Posted by Anon, on 10/27/2010
I really appreciate your help, it is very useful to me
Posted by Richard Evans, on 11/07/2010
I don't think rf monitoring is all that difficult. Analog video is 1 mhz all you need after the front end is an amplifying circuit and an adjustable slew rate for the sync signal. Even many laptops still have some form of auxiliary video output and it is active even though it may not be switched in. It will generate the signals. Yes a faraday cage is a good idea. I knew a guy that had his computer hobby room in a back porch and he built the enclosure himself first before his first computer came in the mail. In addition to standard insulation he lined it with tinfoil. His first computer was an Altair.
Breaking in while your away and installing a keylogger is not impossible either. Defeating official curiosity must include rubber hose and water boarding resistant protection stategies. Oh, that's right we don't waterboard any more, we wrap them tightly with saran wrap now so they don't get wet when the water is poured on them. hooray for plausible deniability.
Posted by girl games, on 11/16/2010
Just what I needed, thanks a lot.
Posted by sales tips, on 12/18/2010
THX for sharing.
Posted by facial cleanser, on 12/25/2010
thanks for posting. Great article.
Posted by Bezecke pasy, on 03/14/2011
One of my friends sent me link to this post saying I must definitely have a look at it, cause I am interested in such topics. And he was definitely true! Currently I am only preparing my small site.