Re: Unencrypted boot with encrypted root

unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed

From: Ellen Papsch <ellen.papsch@wine-logistix.de>
To: Pierre Neidhardt <mail@ambrevar.xyz>, guix-devel@gnu.org
Subject: Re: Unencrypted boot with encrypted root
Date: Fri, 03 Apr 2020 19:16:34 +0200	[thread overview]
Message-ID: <d90905feac53ae8ed431c7428baf09ae87013658.camel@wine-logistix.de> (raw)
In-Reply-To: <87k12wsg36.fsf@ambrevar.xyz>

Am Freitag, den 03.04.2020, 18:13 +0200 schrieb Pierre Neidhardt:
> Ellen Papsch <ellen.papsch@wine-logistix.de> writes:
> 
> > leaving /boot unencrypted allows attackers to plant malware
> > relatively
> > easy. They can mount the partition without ado and replace the
> > kernel
> > with a malicious one.
> 
> How can you do that if the root partition is encrypted?
> 

Your partition table would have at least two partitions:

no, type, mount point
0, Linux fileystem, /boot
1, Linux LUKS, /

/boot is completely independent of the root partition. Other
distributions copy the kernel to /boot. I just looked in GuixSD and
grub.cfg references kernel and initramfs in /gnu/store. Which is good
for kernel modification prevention but also prevents separate /boot.
Florian links to #40273, which discusses copying the files out of the
store. That would turn the tables.

When turned, to plant the malware, you would boot another system from
CD, USB or network. If the BIOS (and boot) is locked down, you would
extract the hard drive. That's where the cage comes in.

> 
> > For a long time I personally used root encrypted systems and found
> > the
> > hassle not worth it. Encrypting /home and external hard drives
> > should
> > cut it. If you suspect the machine has been tampered with, don't
> > boot
> > don't touch it. Even the hard disk firmware may have been modified.
> 
> My main motivation is that if my laptop gets stolen or lost, I don't
> want
> anyone to access my personal data.
> 
> Encrypted /home is fine for this purpose.
> 

I would second that, although there is a chance data may leak to /var.
That would depend on the program. While separate /boot is not possible,
encrypting /home and /var may be the convenient compromise to mitigate
a stolen/lost machine. (though convenience is again degraded by two
passphrase prompts and wait times)

> By the way, is it possible to use the user password to unlock the
> $HOME partition?
> 

AFAIK GNU/Linux userland does not support it. GDM or another login
manager would have to integrate that feature somehow. Maybe (maybe)
there is some PAM way, but that's a wild guess.

You can avoid a passphrase prompt by using a key file on an external
medium. That poses the danger of the medium failing, make sure to have
a passphrase in addition (and not forget that :-). From a quick glance
at the manual, there seems no way of specifying a key file, though
maybe if you dig deeper...

Regards

next prev parent reply	other threads:[~2020-04-03 17:16 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-02  8:59 Unencrypted boot with encrypted root Pierre Neidhardt
2020-04-03 15:32 ` pelzflorian (Florian Pelz)
2020-04-03 15:44 ` Ellen Papsch
2020-04-03 16:13   ` Pierre Neidhardt
2020-04-03 17:16     ` Ellen Papsch [this message]
2020-04-03 19:56       ` Guillaume Le Vaillant
2020-04-04  9:02         ` Pierre Neidhardt
2020-05-17 15:39         ` Pierre Neidhardt
2020-05-20  8:49           ` Guillaume Le Vaillant
2020-05-20  9:42             ` Pierre Neidhardt
2020-04-03 19:44   ` pelzflorian (Florian Pelz)
2020-04-04  8:12     ` Ellen Papsch
2020-04-04 10:18       ` pelzflorian (Florian Pelz)
2020-04-06 12:00         ` Ellen Papsch
2020-04-07  9:46           ` Ludovic Courtès
2020-04-07 11:34             ` Ellen Papsch
2020-04-07 20:19               ` Ludovic Courtès
2020-04-08 12:37                 ` Ellen Papsch
2020-04-07 15:05             ` Alex Griffin
2020-04-07 16:47               ` Vagrant Cascadian
2020-04-08 12:25                 ` Ellen Papsch
2020-04-08 15:07                   ` Alex Griffin
2020-04-08 16:22                   ` Vagrant Cascadian
2020-04-08  7:57               ` Pierre Neidhardt
2020-04-08 12:19                 ` Alex Griffin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d90905feac53ae8ed431c7428baf09ae87013658.camel@wine-logistix.de \
    --to=ellen.papsch@wine-logistix.de \
    --cc=guix-devel@gnu.org \
    --cc=mail@ambrevar.xyz \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).