
I am looking for a security-centered Linux OS that allows you to take the /boot partition on a thumb-drive to alleviate concerns of Evil Maid attacks! On what OS is it easy to remove the /boot partition and carry it on a thumb-drive? How would you go about removing the /boot partition, and automatically mounting the thumb-drive so the computer will boot?

  • The bootloader is not the same as /boot. A bootloader is what's responsible for bringing up the kernel, while /boot/ contains the kernel itself. The bootloader is what's attacked in an Evil Maid attack – Daisetsu Dec 02 '18 at 21:11
  • Is it possible to have the boot-loader on a thumb-drive? The problem with encrypted disks in my experience is that any individual with physical access to the machine can restart the computer and install a look-alike boot-loader in order to capture your disk-encryption password. The only known solution that is simple that I am aware of is to keep a text document open with text only known to you. Unless a key-logger is physically installed in your keyboard, or there are pinhole cameras overlooking your keyboard. @Daisetsu – BestReasonofWiseMen Dec 02 '18 at 21:48
  • Update: safesploit answered this question in his reply! I should have read all replies first before asking another follow-up question. Thanks! @Daisetsu – BestReasonofWiseMen Dec 02 '18 at 21:50
  • @BestReasonofWiseMen Yes, it is possible to put the bootloader on the thumb drive. – forest Dec 03 '18 at 03:19
  • @Daisetsu You can even boot using only a bootloader and no separate boot partition. – forest Dec 03 '18 at 03:19

1 Answer


This idea has been answered before on Unix StackExchange. Furthermore, you can do this yourself with nearly any Linux-based distribution. Also, for insight, see What is the /boot partition really for?

Prepare a USB flash drive to store /boot/. Then set your BIOS to boot from the USB drive, so that the GRUB bootloader and the Linux kernel are loaded from it instead of from the storage drive where the OS is installed.

(1) Prepare your USB flash boot device under an existing Debian installation using the gnome-disk-utility package in the following way (not necessarily the only way, but tested and working for me).

(1.1) Format device with MBR scheme.

(1.2) Create a single ext2 partition occupying all available space.

(1.3) After step 1.2 completes, go to "Edit partition" and set the bootable flag.

(2) Install Debian using its standard installer.

(2.1) Boot your installation media, i.e. the Debian installation CD/DVD or another USB stick with the .iso image written to it.

(2.2) Choose country/language, set up users and passwords, and answer all the routine questions (of no interest here) until the disk-partitioning dialog.

(2.3) Select manual partitioning.

(2.4) Create your raid/lvm/encrypted volumes on your main disk drive. On top of it there will be a file system, probably ext4.

(2.5) Go to properties of this file system and select mount as / and "done with this partition".

(2.7) Find the USB stick in the list; it should have ext2 on it.

(2.8) Go to its properties and select mount as /boot and optionally noatime in additional flags. There is an option of formatting the partition, DO NOT do it! "Keep the files".

(2.9) Select "Done with this partition".

(2.10) Select "Finish partitioning" or similar; the installation process should continue with some straightforward dialogs.

(2.11) After a few other dialogs that are straightforward and not of our interest here, there will be a dialog asking where to install GRUB, to which you should agree to install it in your /dev/sdX, where X is your USB boot flash drive.

The key part is LUKS cannot encrypt /boot/. So, this is vulnerable to modification. Instead, we will move the /boot/ partition onto another storage device, particularly a USB flash drive due to portability and boot from it to then load and decrypt the OS. However, this USB drive is still unencrypted and vulnerable to unauthorised modifications.

safesploit
    This isn't true. You absolutely can encrypt `/boot` with LUKS, as long as you use a bootloader like GRUB2 that supports LUKS. I actually have _my_ boot partition encrypted with it. – forest Dec 03 '18 at 03:20
  • Do you know of any OS's that use GRUB2? If the /boot partition is encrypted, then evil maid attacks are no longer a concern? @forest – BestReasonofWiseMen Dec 03 '18 at 15:28
  • @forest While `/boot/` is being used for both the bootloader (GRUB) and the kernel, it wasn't possible. We can see the GRUB is what needs to be moved, but I was opting for a method which the OS installer would do the work for us. @BestReasonofWiseMen Debian uses GRUB2. – safesploit Dec 03 '18 at 22:34
  • @BestReasonofWiseMen No, evil maid attacks are still a concern even with an encrypted `/boot`, since an attacker could simply modify the bootloader. You'd have to use something like [this](https://github.com/QubesOS/qubes-antievilmaid/tree/master/anti-evil-maid) to mitigate that issue, or keep the bootloader on an external USB stick. – forest Dec 04 '18 at 01:39
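Because the USB stick holding /boot and GRUB stays unencrypted (as the answer and the last comment note), a practical defensive step is to record hashes of its contents from inside the booted, decrypted system and compare them on every boot, so that unexpected changes are at least detected. The following Python is an added example written for this page, not code from the answer or from any project it mentions; the file names (`vmlinuz-example`, `initrd.img-example`, `grub.cfg`, `extra.mod`) and the manifest location are constructed placeholders. It builds a SHA-256 manifest of a directory tree and then reports files that were modified, added or removed; `demo()` runs the whole cycle on a constructed stand-in for the USB /boot.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read files in 64 KiB pieces so large initramfs images are fine


def hash_file(path: Path) -> str:
    """SHA-256 hex digest of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file below root (path relative to root) to its hash.

    Symlinks are skipped: a changed link target shows up under its real
    path anyway, and following links could wander outside the tree.
    """
    manifest = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file() and not entry.is_symlink():
            manifest[entry.relative_to(root).as_posix()] = hash_file(entry)
    return manifest


def verify(root: Path, expected: dict) -> dict:
    """Compare the live tree with a stored manifest.

    Returns three sorted lists: files whose content changed, files that
    appeared (e.g. an extra GRUB module), and files that disappeared.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in expected if k in current and current[k] != expected[k]),
        "added": sorted(set(current) - set(expected)),
        "missing": sorted(set(expected) - set(current)),
    }


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Run the check on a constructed /boot tree, before and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"  # constructed stand-in for the USB /boot (assumption)
        (boot / "grub").mkdir(parents=True)
        (boot / "vmlinuz-example").write_bytes(b"constructed kernel image")
        (boot / "initrd.img-example").write_bytes(b"constructed initramfs")
        (boot / "grub" / "grub.cfg").write_text("set timeout=5\n")

        # In real use the manifest belongs on the encrypted root, not on the
        # stick itself; here it simply sits beside the constructed tree.
        manifest_path = Path(tmp) / "boot-manifest.json"
        save_manifest(build_manifest(boot), manifest_path)
        clean = verify(boot, load_manifest(manifest_path))

        # Simulate unauthorised changes made while the stick was out of sight.
        (boot / "grub" / "grub.cfg").write_text("set timeout=5\ninsmod example\n")
        (boot / "grub" / "extra.mod").write_bytes(b"constructed unexpected module")
        (boot / "initrd.img-example").unlink()
        tampered = verify(boot, load_manifest(manifest_path))

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest on the encrypted root rather than on the stick, and treat this as detection only: by the time a check like this runs, the bootloader on the stick has already executed, so a tampered GRUB could in principle have interfered with the boot before the comparison happens. Preventing that, rather than noticing it afterwards, is what the TPM-based Anti Evil Maid project linked in the comment above is for.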