3

I’ve been looking to purchase a new laptop and I need to have security in mind. I’ve specifically been looking for laptops with discrete or integrated TPM because it’s been my understanding that TPM would improve disk encryption security, but after doing some more research I’ve heard a lot of sources saying that it doesn’t really make a difference and some go so far as to suggest TPM has unpatched vulnerabilities and may even be backdoored by intelligence agencies such as the NSA.

For someone such as myself who is becoming more active in activism and investigative journalism, should I bother with TPM? And how safe is dm-crypt/LUKS? I currently use Linux Mint which I believe uses LUKS by default for disk encryption and I’m wondering how vulnerable it is to attackers with physical access to my laptop.

arrakies

4 Answers

2

"should I bother with TPM?"

Yes. Could help you against low-level adversaries and maybe even against the NSA in case it is not backdoored.

"And how safe is dm-crypt/LUKS?"

Safer than no dm-crypt/LUKS.

"and I’m wondering how vulnerable it is to attackers with physical access to my laptop."

Very. Depending on your setup and the attacker it would be possible to install a camera somewhere to watch you typing in your password, install a hardware keylogger, modify other parts of your system like /boot, bootloader, BIOS/UEFI, disk firmware, ...

TPM + Secure Boot could help you with some of those.

schroeder
1

If an attacker has physical access to your machine with a cleartext hard drive, he (she) could modify it to spy on you (keylogger and so on) quite easily.

If an attacker has physical access to your machine with a LUKS partition, he (she) could theoretically flash a malicious BIOS/UEFI which will launch the installed OS in a kind of hypervisor mode (rootkit)... but less easily.

So he will be able to eavesdrop when you type your password, when you access sensitive data, etc., whatever you are using (Qubes OS, CLIP OS).

TPM is very interesting because the machine can be configured to refuse to boot if the OS or the UEFI was tampered with (the UEFI and the OS need to be previously signed). And, as the signature key verification is hardcoded in the TPM, changing it would need some expensive equipment.
But most of the time, TPM works only with the preinstalled OEM OS (signed by the OEM). I'm not sure that you can erase it, install a Linux, sign it and ask the TPM to use your key to detect tampering.

And, as far as I know, TPMs are not well standardized yet, nor strongly audited. So, your concerns about unpatched vulnerabilities and backdoors are not paranoid.

Using an encrypted Linux distribution with a coreboot UEFI should keep you as secure as most infosec experts.
You could also consider using a non-persistent OS (Live USB executed in RAM); these are not threatened by a tampered OS (but a tampered UEFI could still spy on them).

I know that puri.sm makes computers based on open hardware and software to decrease the risk of OEM backdoors. It is a very decent level of protection.

Sibwara
1

TPM will definitely add an extra layer of security to your laptop. If you configure LUKS without TPM, you either allow automated mounting or select the prompt option, i.e., it prompts you before decrypting the disk. So, in either case, you are storing the keys on the disk. (Still secured by the kernel.)

Whereas if you use TPM, your LUKS keys will be encrypted by the TPM "Master keys", and the TPM performs all operations inside itself and provides the decryption keys. TPM ensures that keys never get out of the system unencrypted. (Somewhat similar to BitLocker.)

You can also configure TPM to make your system more secure by implementing trusted boot. TPM can save you from attacks like "evil maid".

I'd recommend that you have some knowledge and understanding of TPM and how to use it with LUKS, such as some basic functionality and features of TPM, e.g., key hierarchies, etc.

Your concern regarding the patches and vulnerabilities is valid, but it also depends on you whether you check for vulnerabilities regularly and keep your system updated.

But again, if you are not confident with TPM you can go for YubiKeys or smart cards for storing the LUKS keys externally. During boot, you need to input your hardware/smartcard into the laptop, and it will decrypt the disk.

If you are planning to use TPM make sure to use TPM version 2.0.

Also, regarding your concern about the NSA: there is no proof that the NSA has a backdoor implemented in TPM. Don't believe in anything you read online. Always do your research. Microsoft, Google Chromebook, etc. all use TPM 2.0 for the security of their products.

schroeder
saurabh
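The trusted-boot idea raised in the answers above, as an added illustration that is not part of any answer and is not real TPM code: each boot stage is hashed into a PCR, and a key sealed to that PCR value is released only when the same chain boots again. The `ToyTPM` class, its seed-based wrapping and the component names are assumptions made for this example; only the `extend` formula mirrors the actual TPM PCR-extend operation.

```python
import hashlib
import hmac
import os


def extend(pcr: bytes, component: bytes) -> bytes:
    # TPM PCR extend (SHA-256 bank): new = SHA256(old || SHA256(component))
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


class ToyTPM:
    """Simplified model (assumption): one PCR, one seed that never leaves the chip."""

    def __init__(self):
        self._seed = os.urandom(32)   # stands in for the TPM's internal storage key
        self.pcr = bytes(32)          # PCRs start at zero on power-on

    def boot(self, chain):
        self.pcr = bytes(32)
        for blob in chain:            # every stage is measured before it runs
            self.pcr = extend(self.pcr, blob)

    def _pad(self, policy: bytes) -> bytes:
        return hmac.new(self._seed, policy, hashlib.sha256).digest()

    def seal(self, secret: bytes) -> bytes:
        # Bind a 32-byte secret to the PCR value of the current boot.
        policy = self.pcr
        return policy + bytes(a ^ b for a, b in zip(secret, self._pad(policy)))

    def unseal(self, blob: bytes) -> bytes:
        policy, wrapped = blob[:32], blob[32:]
        if not hmac.compare_digest(policy, self.pcr):
            raise PermissionError("PCR mismatch: boot chain changed")
        return bytes(a ^ b for a, b in zip(wrapped, self._pad(policy)))


def demo():
    good = [b"firmware v1", b"bootloader v1", b"kernel v1"]      # constructed
    evil = [b"firmware v1", b"bootloader EVIL", b"kernel v1"]    # constructed
    tpm, luks_key = ToyTPM(), os.urandom(32)
    tpm.boot(good)
    blob = tpm.seal(luks_key)         # blob can sit on the unencrypted /boot
    tpm.boot(good)
    released = tpm.unseal(blob) == luks_key
    tpm.boot(evil)                    # one modified stage changes the final PCR
    try:
        tpm.unseal(blob)
        refused = False
    except PermissionError:
        refused = True
    return released, refused
```

The model covers only tampering with measured boot components; hardware keyloggers and cameras, mentioned in the first answer, are outside what PCR sealing can detect.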
-2

> I believe uses LUKS by default for disk encryption and I’m wondering how vulnerable it is to attackers with physical access to my laptop.

If you believe the attacker has had physical access to your laptop/device, consider it completely compromised and unfit for any purposes.

The attacker could have:

  1. Planted a chip to scan and broadcast all key presses, the image on the screen, any memory regions.
  2. Modified any of the UEFI, NIC or disk firmware (it's relatively difficult but three-letter agencies can probably do that) to either gain remote access or send any information.

I would highly suggest that you use the most recent Apple hardware, Mac OS X (not Linux) and FileVault as the company is obsessed with proprietary, highly secure components which are extremely difficult to tamper with and Apple offers some really good stuff in terms of information security (they use TPM to verify that all the components involved in booting are digitally signed, i.e. unmodified). It's very unlikely you'll ever be able to reach the same level of security protection with commodity x86 components (laptops) and Linux.

Artem S. Tashkinov
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/111601/discussion-on-answer-by-artem-s-tashkinov-how-safe-is-dm-crypt-luks-would-tpm). – Rory Alsop Aug 09 '20 at 20:31