[lug] Installfest next Saturday.

bgiles at coyotesong.com
Mon Aug 21 16:34:18 MDT 2006


> bgiles at coyotesong.com wrote:
>
>> 1) Debian now supports encrypted swap with an ephemeral key.
>> ("ephemeral" since a random key is selected every time you reboot the
>> system.)  This should be a no-brainer -- there's a modest performance
>> hit but it ensures that otherwise encrypted information and keys won't
>> be leaked through the swap partition.
>
> I don't get it.  Anyone gets into the box, they're accessing the swap
> partition through the unencryption - so what good is this?

Partition-based encryption is intended to stop people from reading data
from a stolen disk or backup, not on a live system.  For that you need to
use something different, e.g., CFS.

>> Most people keep their encryption keys on USB disks.  They just need to
>> have it plugged in when they boot the system.
>
> Ahhh.. I see.  Weird.

Why is it weird?  It's even the obvious basis for two-factor
authentication where you have to enter a passphrase that's used to decrypt
the key stored on the USB drive.

BTW you can also set it up to use a passphrase, but the keyspace of a
random 128- or 256-bit number is much larger than any reasonable
passphrase.

>> You'll still need a separate, unencrypted /boot partition.
>
> Heh.  I bet.

You would be surprised how many people overlook that since they think that
the only reason people use separate /boot partitions is to keep those
cylinders low enough for ancient boot loaders to see.

>> So he created a disk that would normally boot to a small Windows
>> partition.  But he also had a USB disk containing a boot image that
>> would launch an encrypted root partition on the laptop.  The USB disk
>> undoubtedly lived on his keyring, or someplace similarly secure.
>
> Weren't USB keys banned UK to US during the big recent flap?  All
> personal electronics?

I want the FedEx franchise on the unsanitized side of the security
checkpoint.

Seriously, by the time they're banning USB keys you're dealing with a
system that's gone so far off the deep end that any rational plans are
pointless.  In this case all you can do is check your laptop and mail your
USB key to yourself.  Or just toss it into the trash -- you have backups
at home, right?

Check that.  You can do one rational thing -- you know you'll lose
physical control of the hardware so you MUST encrypt the disk.  That way
the damage is limited when it is stolen from your unlocked checked
baggage.

>> The instructions are in the cryptsetup package documentation.  Basically
>> just need to change the 'swap' entry in /etc/fstab to refer to 'cswap'
>> instead of a physical device, then define 'cswap' in the /etc/crypttab
>> file.  (Or is it the /etc/encryptdisks file?).  Only takes a few minutes.
>
> I guess I "get it" but I don't think it adds as much value as people
> think... ?

This one assumes a somewhat more knowledgeable attacker, but you can see a
surprising amount if you just 'dd if=/dev/hda2 | strings'.  (Or
whatever your swap space is.)

> Mental note to self: Stop losing laptops.  Hah.  Maybe better yet, stop
> doing work on laptops.  Go home, enjoy the evening, work on desktop
> machines at work.

What's a desktop machine?  At my last few jobs all of the machines are
laptops.  Sometimes they're supposed to stay in the office, sometimes
they're supposed to stay with the employee.
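
The fstab/crypttab arrangement described in the message above, as an added example that is not part of the original post: a shell check that reports whether each swap entry in an fstab sits behind an ephemeral-key dm-crypt mapping. The function names, sample device names and key file path are constructed for illustration, and it assumes mappings are referenced in fstab as /dev/mapper/<name>.

```shell
#!/bin/sh
# Added example (not from the original post): report how each swap entry in an
# fstab is protected, using the crypttab that defines its dm-crypt mapping.

# classify_swap FSTAB CRYPTTAB -> prints "<device> <verdict>" per swap line:
#   ephemeral   mapping keyed from /dev/urandom or /dev/random at every boot
#   persistent  mapping exists but uses a stored key file or passphrase
#   plaintext   swap device has no mapping in CRYPTTAB
classify_swap() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }               # skip blanks and comments
        FILENAME == ARGV[1] { key[$1] = $3; next }  # crypttab: name -> key source
        $3 == "swap" {                              # fstab: swap entries only
            name = $1
            if (sub(/^\/dev\/mapper\//, "", name) && (name in key)) {
                verdict = (key[name] ~ /^\/dev\/u?random$/) ? "ephemeral" : "persistent"
            } else {
                verdict = "plaintext"
            }
            print $1, verdict
        }
    ' "$2" "$1"
}

# Constructed sample files; device names and key path are illustrative.
write_samples() {
    cat > "$1/crypttab" <<'EOF'
# <name> <device>  <key source>       <options>
cswap    /dev/hda2 /dev/urandom       swap
cswap2   /dev/hdb2 /etc/keys/swap.key swap
EOF
    cat > "$1/fstab" <<'EOF'
/dev/hda1          /boot ext3 defaults 0 2
/dev/mapper/cswap  none  swap sw       0 0
/dev/mapper/cswap2 none  swap sw       0 0
/dev/hdc2          none  swap sw       0 0
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
classify_swap "$demo_dir/fstab" "$demo_dir/crypttab"
rm -rf "$demo_dir"
```

On a real system the call would be `classify_swap /etc/fstab /etc/crypttab`; a "persistent" verdict means swap contents stay decryptable after a reboot by anyone who holds the stored key.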




