8

I have the need for a company laptop (Dell e6540) that contains our Java application on it to go out for evaluation purposes. For this reason I would like to make sure that the HDD is protected from customers (or anyone else) being able to take our Java app off of the laptop and view the source. We have taken many necessary precautions and hardened the OS, putting it into a custom "kiosk-like" mode.

My last obstacle is to get the key for disk encryption stored on the TPM of the Dell laptop. This way I can have an encrypted disk without giving a customer the password/key. This has proven to be a nightmare so far under Ubuntu 12. All of the documents I find are at least 4-5 years old. The interaction of using LUKS with TPM-LUKS and TrouSerS is unstable on the newer Linux versions (at best).

The requirements are Disk Encryption (either partition or FDE) without having to give the password to the users. Is anyone aware of a solution on Linux? This is seamless on Windows using BitLocker. I have offered up SecureDoc as a solution but they do not see their product as a good fit.

agregory
  • Don't know if this is exactly what you want. But have you tried TrueCrypt? It can encrypt any volume. – Anton Garcia Dosil May 20 '14 at 23:28
  • 1
    It appears that you forgot to ask a question. – tylerl May 21 '14 at 01:44
  • @AntonGarciaDosil TrueCrypt isn't well integrated on Linux — I've yet to see a use case where it wasn't more difficult to use than the Linux solution, except for volumes that need to be usable on Windows as well. – Gilles 'SO- stop being evil' May 21 '14 at 09:25
  • 1
    Disk encryption with a TPM-stored key should be possible — but the setup might not be easy. How to do this isn't a security question, though, so it's off-topic here; it would be on-topic on [unix.se]. If you're looking for alternative solutions, that's kind of ok for this site. – Gilles 'SO- stop being evil' May 21 '14 at 09:26
  • Flicker which is a research project about 2 years old might still be able to do that for you. It allows you to write your custom bits of code w/ access to sealed storage based on the code's hash. https://sparrow.ece.cmu.edu/group/flicker.html – Steve Dodier-Lazaro Aug 27 '14 at 22:07

2 Answers

6

I suspect TPM-LUKS is what you're looking for.

It uses a LUKS-encrypted volume, which is widely supported, and stores the password/key within the TPM (NVRAM).

The key can be sealed (Trusted Computing terminology) against the proper boot sequence (BIOS, PCI ROMs, MBR, boot loader, etc.). In other words, the key is derived from the running environment. If something changes, the key won't be the same, hence decryption of the volume doesn't work.

northox
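
A small model of the sealing behaviour described in the answer above, added here as an illustration; it is not TPM-LUKS or TrouSerS code and talks to no real TPM. `ToyTPM`, the boot-component strings and the key are constructed for the example, and it assumes TPM 1.2-style SHA-1 PCR extend.

```python
import hashlib
import hmac

PCR_SIZE = 20  # assumption: SHA-1 sized PCR, as on a TPM 1.2

def extend(pcr, component):
    """PCR extend: new = SHA1(old || SHA1(component)). A PCR can only be extended, never set."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(chain):
    """Replay a boot sequence into a PCR that is all zeros after reset."""
    pcr = bytes(PCR_SIZE)
    for component in chain:
        pcr = extend(pcr, component)
    return pcr

class ToyTPM:
    """Models only the release policy: the secret comes back if the PCR matches its seal-time value."""
    def __init__(self):
        self.pcr = bytes(PCR_SIZE)
        self._nvram = None

    def boot(self, chain):
        self.pcr = measure_boot(chain)

    def seal(self, secret):
        self._nvram = (self.pcr, secret)  # bind the secret to the current measurement

    def unseal(self):
        expected, secret = self._nvram
        if not hmac.compare_digest(expected, self.pcr):
            raise PermissionError("PCR mismatch: boot chain differs from seal time")
        return secret

# Constructed sample measurements, in boot order.
GOOD_CHAIN = [b"BIOS 1.0", b"PCI option ROMs", b"MBR", b"boot loader + config"]
CHANGED_CHAIN = GOOD_CHAIN[:3] + [b"boot loader + edited config"]

def demo():
    """Returns (released on the sealed chain, released on the changed chain)."""
    tpm = ToyTPM()
    tpm.boot(GOOD_CHAIN)
    tpm.seal(b"constructed-luks-key")
    results = []
    for chain in (GOOD_CHAIN, CHANGED_CHAIN):
        tpm.boot(chain)
        try:
            results.append(tpm.unseal() == b"constructed-luks-key")
        except PermissionError:
            results.append(False)
    return tuple(results)
```

Because each extend hashes over the previous value, a firmware or boot loader update changes the final PCR just as tampering does, so a deployment needs a way to re-seal the key after legitimate updates.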
2

This is a security question because you really want a DRM solution. Let's ignore the fact that if they try they'll beat anything you use. ;) You just want to make it a pain to steal your stuff to deter casual attackers. Here's a ground-up solution for you:

  1. Disable USB, networking, etc. in BIOS to prevent injections or leaks via these. Just leave enough devices on to let them interact with the app locally. If it is a networked app, simulate that with an onboard client+server & disable networking hardware anyway. And password-lock changes to BIOS.

  2. If you're having a hard time with open stuff, use an easy-to-use commercial FDE product such as BestCrypt or PGP Whole Disk Encryption. Both support TPMs.

  3. System should autoboot into a limited-privilege account that can only demo the software. You seem to have this part covered.

  4. Use a RAMdisk or a low-privilege temp folder for any persistent storage the app needs during demos.

Nick P