[lug] Installfest next Saturday.
Nate Duehr
nate at natetech.com
Mon Aug 21 17:16:29 MDT 2006
bgiles at coyotesong.com wrote:
>> bgiles at coyotesong.com wrote:
>>
>>> 1) Debian now supports encrypted swap with an ephemeral key. ("ephemeral"
>>> since a random key is selected every time you reboot the system.) This
>>> should be a no-brainer -- there's a modest performance hit but it ensures
>>> that otherwise encrypted information and keys won't be leaked through the
>>> swap partition.
>> I don't get it. Anyone gets into the box, they're accessing the swap
>> partition through the unencryption - so what good is this?
>
> Partition-based encryption is intended to stop people from reading data
> from a stolen disk or backup, not on a live system. For that you need to
> use something different, e.g., CFS.
Ok. But most swap attacks are done on live systems by far, aren't they?
Wouldn't a simpler patch be to erase/write-over swap at shutdown?
(Sure would get annoying, though... would take forever...)
>>> Most people keep their encryption keys on USB disks. They just need to
>>> have it plugged in when they boot the system.
>> Ahhh.. I see. Weird.
>
> Why is it weird? It's even the obvious basis for two-factor
> authentication where you have to enter a passphrase that's used to decrypt
> the key stored on the USB drive.
I guess I'm going by the fact that most laptop stealing today (and it's
on the rise) is a bump-and-go -- you're USING the laptop when they take
it. Some guy walks up, snags your laptop off your outdoor table at *$
coffee shop while you're on their wireless, and runs off with it to a
waiting car. You used to not hear about laptops being stolen while they
were ON and the user was logged in, but now it's more commonplace than
the "left it on a train" variety of "theft".
> BTW you can also set it up to use a passphrase, but the keyspace of a
> random 128- or 256-bit number is much larger than any reasonable
> passphrase.
Understand. But if they take your USB key WITH the machine since it's
up and running... and once the machine is on and running, if you remove
the key does it crash or keep running with all data exposed (until the
battery dies)?
>>> You'll still need a separate, unencrypted /boot partition.
>> Heh. I bet.
>
> You would be surprised how many people overlook that since they think that
> the only reason people use separate /boot partitions is to keep those
> cylinders low enough for ancient boot loaders to see.
I got in the habit of separate /boot way back in the "bad old days" on
LILO systems and IDE drives. :-)
>>> So he created a disk that would normally boot to a small Windows
>>> partition. But he also had a USB disk containing a boot image that would
>>> launch an encrypted root partition on the laptop. The USB disk
>>> undoubtedly lived on his keyring, or someplace similarly secure.
>> Weren't USB keys banned UK to US during the big recent flap? All
>> personal electronics?
>
> I want the FedEx franchise on the unsanitized side of the security
> checkpoint.
Whoo yeah. Forgot about that one. :-)
> Seriously, by the time they're banning USB keys you're dealing with a
> system that's gone so far off the deep end that any rational plans are
> pointless. In this case all you can do is check your laptop and mail your
> USB key to yourself. Or just toss it into the trash -- you have backups
> at home, right?
They did it, at least for a time...
> Check that. You can do one rational thing -- you know you'll lose
> physical control of the hardware so you MUST encrypt the disk. That way
> the damage is limited when it is stolen from your unlocked checked
> baggage.
I guess I "get it" a little more, but eventually it's going to come down
to a fob that stays on your person, in a pocket or keyring that if the
laptop is more than X distance from you it won't operate. I swear.
Of course considering that computers are more dangerous to people than
firearms -- (that'll get some folks riled up! prove me wrong!) -- maybe
having a "personal safety" on them to keep them from operating away
from trained personnel isn't such a bad idea after all? :-) :-) :-)
>>> The instructions are in the cryptsetup package documentation. Basically
>>> just need to change the 'swap' entry in /etc/fstab to refer to 'cswap'
>>> instead of a physical device, then define 'cswap' in the /etc/crypttab
>>> file. (Or is it the /etc/encryptdisks file?). Only takes a few minutes.
>> I guess I "get it" but I don't think it adds as much value as people
>> think... ?
>
> This one assumes a somewhat more knowledgeable attacker, but you can see a
> surprising amount if you just 'dd if=/dev/hda2 of=- | strings'. (Or
> whatever your swap space is.)
Luckily most laptop stealers have no idea who or which laptop they're
targeting. You suppose there are some folks out there that ARE
targeting certain laptops? (I'd virtually guarantee it...)
>> Mental note to self: Stop losing laptops. Hah. Maybe better yet, stop
>> doing work on laptops. Go home, enjoy the evening, work on desktop
>> machines at work.
>
> What's a desktop machine? At my last few jobs all of the machines are
> laptops. Sometimes they're supposed to stay in the office, sometimes
> they're supposed to stay with the employee.
LOL... same here. Ours are supposed to stay with us OR be left in the
office locked up. So mine sits in the same bag I keep my personal Mac
in, rides around with me, gets lugged everywhere, and only gets turned
on if I get a call I can't fix from an SSH session. :-)
Then it gets stuck in the docking station at the office every day.
Once in a while I boot it up at home and back it up to the USB disk
(takes too long to do it at work, I'd waste four hours just waiting for
it), using IBM's imaging software that came with the machine, which is
probably against someone's policy somewhere -- but the tiny little USB
hard disk holder for a laptop-sized drive stays with the machines also
in the same bag. (Nope, no off-site storage.)
Sad Reason: The company doesn't have a comprehensive backup strategy
for desktops or laptops. We don't even have enough on-line shared disk
space to back our own data up to a backed-up server. Silly.
The policy pretty much is... "Here's a USB CD burner, stored in a locked
cabinet that you can sign out -- make backups if you feel like it."
Nice, eh?
I decided I'd handle making full backups and the physical security of
those backups is my problem... and the laptop never has development code
or anything "not released" on it other than some support documentation
I'm reviewing from time to time anyway.
But MY personal work isn't deemed important enough for networked backup
space, I guess. :-) :-) :-)
Makes one feel loved and needed when IT won't back up your data anywhere
automatically for you or even give you server space to do it yourself.
:-)
Nate
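Added example, not part of the thread and not code from the cryptsetup package: a small POSIX shell audit of the ephemeral encrypted-swap setup described above (the 'swap' entry in /etc/fstab pointing at a dm-crypt mapping such as 'cswap', and that mapping defined in /etc/crypttab with its key drawn from /dev/urandom). The device names, cipher options and file contents below are constructed sample input so the script runs offline; the crypttab column layout it assumes is target, source, key file, options.

```shell
#!/bin/sh
# Added example (not from the thread or the cryptsetup package): audit
# whether swap is configured as ephemeral encrypted swap. Two conditions:
#  1. the fstab swap entry refers to a /dev/mapper/<name> mapping, and
#  2. crypttab defines <name> with a /dev/urandom (or /dev/random) key
#     source and the "swap" option, so a fresh key is used on every boot
#     and cryptsetup runs mkswap on the new mapping.
# All file contents and device names below are constructed samples.

# Constructed sample of a correct setup, using the 'cswap' name from the thread.
SAMPLE_CRYPTTAB='# <target> <source> <keyfile> <options>
cswap /dev/hda2 /dev/urandom swap,cipher=aes-xts-plain64,size=256'
SAMPLE_FSTAB='/dev/hda1 / ext3 defaults 0 1
/dev/mapper/cswap none swap sw 0 0'

# Constructed counter-examples: a raw (unencrypted) swap partition, and a
# crypttab entry that uses a persistent key file instead of an ephemeral key.
PLAIN_FSTAB='/dev/hda2 none swap sw 0 0'
STATIC_KEY_CRYPTTAB='cswap /dev/hda2 /root/swap.key swap'

# Print the dm mapping name used by the fstab swap entry, or nothing if the
# swap entry names a raw device (i.e. swap is not going through dm-crypt).
swap_mapper_name() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^#/ && $3 == "swap" && $1 ~ /^\/dev\/mapper\// {
            sub("^/dev/mapper/", "", $1); print $1; exit
        }'
}

# Exit 0 only if the crypttab text ($2) defines NAME ($1) with a kernel
# random key source and the "swap" option; exit 1 otherwise.
crypttab_is_ephemeral_swap() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 !~ /^#/ && $1 == n &&
        ($3 == "/dev/urandom" || $3 == "/dev/random") &&
        ("," $4 ",") ~ /,swap,/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Combined check: crypttab text first, fstab text second.
check_encrypted_swap() {
    name=$(swap_mapper_name "$2")
    [ -n "$name" ] || return 1
    crypttab_is_ephemeral_swap "$name" "$1"
}

# Human-readable verdict, for running against the real files.
report() {
    if check_encrypted_swap "$1" "$2"; then
        echo "swap is encrypted with an ephemeral key"
    else
        echo "swap is NOT set up as ephemeral encrypted swap"
    fi
}

# Offline demonstration on the constructed samples.
report "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB"
report "$SAMPLE_CRYPTTAB" "$PLAIN_FSTAB"
report "$STATIC_KEY_CRYPTTAB" "$SAMPLE_FSTAB"

# To audit a live Debian box (both files are normally world-readable):
#   report "$(cat /etc/crypttab)" "$(cat /etc/fstab)"
```

The check only inspects configuration, so it tells you whether the next boot will use a random key; it says nothing about the data already sitting in a raw swap partition, which is the point made earlier in the thread about a stolen disk being readable offline.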