Full disk encryption is becoming a very popular method of protecting ones self from data theft nowadays, especially among linux users. What someone might not know is that setting up secure full disk encryption isn't as easy as selecting it from a linux installer or choosing the option in some software program. If you use full disk encryption, you could be, and most likely are, vunerable to a multitude of attacks that could render your efforts useless. You're probably at risk if:
This tutorial will show you how these are threats and how to deal with each one of them. I will explain how to solve these problems only on linux, but it should be adaptable to any *nix OS.
Firstly, I'd like to make a note. You may think "Well it takes a 'Uber hacker' to pull off those tactics, why should I worry about that?". Well, if you're wasting all that computing power to encrypt and unencrypt the data as its written and read from your harddrive just to hide porn from your girlfriend, you might want to look into different methods. Full disk encryption is made for the people who have something to hide from other people who are determined enough to learn how to use those tactics and exploit the above encryption holes. If you're hiding something from someone that doesnt have any computer smarts then maybe look into alternate methods such as:
Now that we've cleared that up, lets move on :)
The Kernel is the boss of the operating system. It controls which data goes where and what is allowed to do each thing. You could see it as the rules of the universe, and we are the programs. We can only do what the rules allow us to do. We are limited by gravity, time, our need for food, etc. This godly kernel that is in full control of your computer, is sitting unencrypted on your harddisk. Thats right, there is absolutely zero encryption protection on this piece of software. Someone could walk right in while your computer is off, boot up the computer with a Live CD, and install their very own kernel to replace the old. So when you get home from work, turn on your computer, and enter your encryption code, the new kernel that you are not aware is there could have been modified to send your encryption key to the person who installed the modified kernel via the internet. Now that person has your code and with it access to all the data on your drive.
So why not encrypt the kernel? Problem solved, right? Wrong. When you turn on your computer this is what happens:
See how that works? If we encrypt the kernel, the boot loader would need to unencrypt the kernel, so the boot loader would have to ask for a key. But the bootloader would have to be unencryped, so someone could just as easily edit the boot loader to send them the key, as with the kernel. If we took even another step back and encrypted the Boot loader, the BIOS would have to be unencrypted and ask for the encryption key, and hence the BIOS could be edited. We could build encryption right into the hardware, which would effectively make it very difficult to bypass, but then everybody who bought the hardware would only be able to have one operating system that could not be changed. Imagine being stuck with Windows, or not being able to get rid of Linux if you wanted to install windows again (I cant see why you would want that, though). So obviously hardware companies are not going to do that just to make a few people happy but the rest really unhappy. Especially not when there is a way we can fix the problems ourselves. So how do you do that? I'll tell you :)
There's no security like physical security
What you have to do is make it so its impossible to edit the kernel. To do so, you have to keep the kernel on you at all times. No, I dont mean sticking your laptop up your shirt to go to work, I mean installing your kernel and boot loader onto a USB stick that you can carry around with you around your neck or in your pocket. Then, you know for sure that your kernel hasnt been edited because its been in your own sweaty clutches all day. If you were really paranoid, you might even keep it in a locked safe at night. Unfortunately, you will need a computer that can boot from USB. To enable this, you will have to access the BIOS on your computer and change the settings. The BIOS can be accessed usually just when the system starts up, it should say on the screen that there is a button you can press like F12 or ESC to enter settings. It depends on the computer manufacter and model, but its generally pretty straight forward. Once you're in the BIOS, just set up USB to be the first boot device. It might not be called USB, it could be called external harddrive or something similar. If you need more explicit instructions, or you're not sure if your system supports USB booting, just google around for instructions and im sure you'll find something. If not, it cant hurt to call the company. So now that you've gotten that set up you will of course need a USB drive. They dont need to be very big, 200MB should be more than enough.
Now comes installing Grub, the most common linux bootloader, on your USB stick. By far the easiest way would be to reinstall your operating system, and when doing so, specify your USB drive to be the partition that holds boot and the rest of your harddrive to be encrypted. If you don't want to reinstall your system, you can take the harder way and format your USB stick, copy /boot/ onto it, and manually install grub onto the USB stick. For this, you'll need to unmount /boot/, remount your USB stick in its place, edit /etc/fstab so the line that mounts /boot/ is commented out, and then, finally, run grub-install /dev/sdb (or whatever happens to be the name of your USB stick). That method can be quite complex to new linux users, so my recommendation is to install from scratch unless you know what you're doing.
There you go, your encrypted drives should now be as safe as possible from any attackers you may encounter. One thing I should point out though, is that alot of system updates (mainly kernel updates) need to modify the files on /boot/ to correctly perform the update. You should make sure that your USB stick is plugged in and mounted before you do any system updates.
Imagine for a second yourself in a coffee shop, or somewhere else thats public and you would bring your laptop to, drinking a cup of coffee and playing pacman on your laptop. While you're being an intense 70's gamer, someone just slipped a cord into the back of your computer and is downloading your encryption key. It takes less than a minute, and the only way you could tell is if you happened to be scanning your computer for abnormal activity at the time, or you caught the person with his cord jacked in. As far as I know, its full possible to perform this attack from a hand held device. Someone could sit down, start to talk to you, plug in a cable without you noticing, quickly get the key, and pull it out. What causes this is that firewire allows the two connected devices to access the others RAM directly, with no restrictions at all. So the device thats connected to your system could download everything thats in your RAM, including any passwords, SSH keys, sensitive files, and most importantly your encryption key. Sadly, the only way to really solve this is to completely disable firewire. This can be done from your BIOS sometimes, but just in case not, i'm going to show you a more software based way.
What were going to do is blacklist the kernel module. Remember that kernel I was telling you about? It has things called 'modules' that are added into it so it can handle extra hardware on your system. These modules control things like your ethernet ports, USB ports, firewire ports, and much more. So what we have to do is completely cut off the firewire module from the kernel. The most common driver is ieee1394, however your's might be different. If it doesnt work, consider using the lsmod command to check your loaded modules. To disable the ieee1394 module, run one of these commands are root:
If you run CentOS/Redhat/RHEL/Fedora:
echo "alias 1394 off" >> /etc/modprobe.conf
If you run Debian/Ubuntu:
echo "blacklist ieee1394" >> /etc/modprobe.d/blacklist
For fun, lets talk about the most absolutely unlikely thing to happen: Someone walks into your house, while you are on your computer that has perfect encryption set up, pushes you away from your desk, picks up your computer, drops it into a big cooler full of liquid nitrogen, leaves, and jumps into the back of a big black truck which proceeds to drive away with your system. Why, you ask? Liquid Nitrogen is cold, very cold. In fact, its -196C or -320F. That is enough to freeze virtually anything, including your RAM. When you start up your system and enter your encryption key, the key is needed again and again by your system throughout the time its turned on to unencrypt the data it reads and encrypt the data it writes. Were does it store this key? Obivously not the harddrive, since its too slow and you cant unencrypt something with a encrypted key :P Instead we use the RAM (Random Access Memory). If you're not sure what this is, you will probably want to google it. Going back to the story, these people that now have your computer can now get the encryption key off of your RAM, since the key is litterally frozen into the RAM. Once they have the key, they can use it to unencrypt your harddrive and they have your data. This has happened before, but it was by the government and they need a warrent to perform such a intrusion of privacy. It also costs lots of money to do, and there is virtually no logical way to prevent it but to see it comming. What I would do, if I was expecting government agents to bust down my door (not that I am :P), is set up security cameras and be ready to pull the power plug, throw myself on top of the computer, then hope to buy myself enough time for the encryption key to be wiped from the RAM. That would probably work, assuming that I can stop a bunch of muscle bulging government agents from separating me and the computer for around a minute. Of course, its a little unorthadox to keep a microwave for the sole purpose of throwing harddrives in it unless you're some super corrupt hacker who has broken into thousands of high importance government systems and stolen millions of dollars, and are already under suspicion. So you shouldn't worry about this one, its mainly for informational purposes. ;)
Also, another way this could be executed is if you leave your system alone after its been shut down. RAM has a flaw (well, its only considered a flaw when it comes to encryption) where information that stays in the same spot of the RAM may become 'imprinted' into the RAM. So that even after the system looses power, it may take up to 10 minutes for the information to leave the RAM. Fortunately, there is a workaround that is used commonly now that will move all the information that has been gotten from a encrypted source around periodically to prevent it from being imprinted in the RAM too long. This effectively cuts the waiting time down from 10 or so minutes to 1 minute.
Well, there you go. You have learnt all I have to teach you about encryption, and hopefully put the knowledge to the best of use. Who knows, maybe I just helped someone get interested into a career in cryptography :) If you have any comments, email me at firstname.lastname@example.org.