Full Disk Encryption with Two-factor Authentication for Ubuntu: How?

9

2

Background Information

I'm a Linux newbie recently weaned off Windows. I'm currently using Ubuntu 11.04 without full disk encryption. Only my home directory is encrypted, and with eCryptFS. Lately, I've begun to notice that the encryption isn't as transparent as it should be. VMWare, for example, sometimes runs into problems for virtual machines stored in my encrypted home directory, so I simply moved the virtual machines to an unencrypted location and linked to it from my encrypted home directory. But that's besides the point: I've realized it's actually not very secure to leave the system unencrypted since an open source operating system like Ubuntu is very easy to modify to divulge information it's supposed to keep secret.

Goal

I'd like to be able to have full disk encryption work in conjunction with a key device and a password for pre-boot authentication.

Requirements/Details

  1. The entire disk must be encrypted. At a minimum, the disk consists of individual partitions which are all encrypted. If it's possible to hide even the partitions with encryption, I'll go for it. The more transparent the encryption is, the better; I should not have to use my computer any differently or configure anything else.
  2. The device used to unlock and boot the encrypted partition must be a small external portable device. This serves two purposes: the boot loader is much less likely to be altered for malicious purposes since it'll stay with me when not in use; and the key files to decrypt the disk will not be found anywhere on the encrypted disk itself in any form.
  3. The key files should be encrypted with a password. Should I lose both my computer and my USB device, the data and operating system will still be safe. If I lose the USB key or it's compromised, I can create another clean one from a backup. No information is divulged in either case. Of course, if I lose my computer, it's inconsequential.

Yes, I have looked at guides from many places, but the problem is that they don't address all of the requirements (especially number 3). I'm pretty sure my requirements are common enough that someone has tried and successfully implemented such a setup already. I'd be grateful if any Linux pro could share a solution.

Kevin Li

Posted 2011-07-02T07:04:05.077

Reputation: 91

2Re "since an open source operating system like Ubuntu is very easy to modify to divulge information it's supposed to keep secret." - You'd be amazed at how easy it is to convince closed source OSes to do the same. The fact that a program is open-source means nothing about its security or insecurity against local attacks. – user1686 – 2011-07-02T10:54:20.827

Answers

2

There's a simple way to have full disk encryption that requires the presence of a particular thumb drive AND your password to boot.

What you do is detach the LUKS header from your fully-encrypted hard drive and store it on your thumb drive.

I'll assume you already have the following setup:

# /dev/sda1 is the boot partition (100MB)
# /dev/sda2 is the encrypted partition
parted /dev/sda mklabel msdos
parted /dev/sda -- mkpart primary ext2 1M 200M
parted /dev/sda -- mkpart primary ext4 200M -100M
cryptsetup luksFormat /dev/sda2

Create a copy of the luks header and erase it from the local device:

mkdir /media/ramdisk && mount -t tmpfs -osize=20m,rw tmpfs /media/ramdisk
cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file /media/ramdisk/header.img
dd if=/dev/urandom of=/dev/sda2 bs=1M count=2

Run the last step several times if you're the target of a high-budget agency. I've also created a ramdisk to hold the header temporarily so it won't linger around afterwards.

With your usb device in /dev/sdb, make a 2MB partition and load the header onto it:

parted /dev/sdb -- mklabel MSDOS
parted /dev/sdb -- mkpart primary 1M 3M
dd if=/media/ramdisk/header.img of=/dev/sdb1

Right now, everything in /dev/sda2 looks like random data, and you have your header in /dev/sdb1. To access the encrypted drive manually you use:

cryptsetup luksOpen --header /dev/sdb1 /dev/sda2 rootfs
mount /dev/mapper/rootfs /target

The next step is to have your boot process ask for the pendrive to be inserted on boot. I found it easier to just assume it will be there and fail otherwise. First, find out your devices' id and UUID:

find -L /dev/disk/by-id/ -samefile /dev/sdb1
/dev/disk/by-id/usb-Generic-_Compact_Flash-part1
find -L /dev/disk/by-id/ -samefile /dev/sda2
/dev/disk/by-id/scsi-SATA_ST3320820AS_5QF28W6V-part2

blkid /dev/sdb1
/dev/sdb1: UUID="63347546-2db3-4bc1-9414-1142739a4c9f" TYPE="crypto_LUKS"

Next edit your /etc/crypttab line to look like this:

root /dev/disk/by-id/scsi-SATA_ST3320820AS_5QF28W6V-part2 none luks,header=/dev/disk/by-id/usb-Generic-_Compact_Flash-part1

(You may need this patch to get support for the header option in crypttab)

Last but not least, update your initram:

update-initramfs -u

You could take this a step further and actually have the whole boot partition loaded on the usb drive. The author of this article was on this very site doing a follow-up.

There are many different approaches you can take, with varying degrees of security and convinience.

A particular note about security: if your passphrase is compromised, anyone with a copy of the header will be able to decrypt the data, even if you change the passphrase later on.

GnP

Posted 2011-07-02T07:04:05.077

Reputation: 1 266

1

I know that TrueCrypt is available for OSX, Windows and Linux. You are able to do two levels of encryption for the whole drive. I've used it on Debian with AES full disk encryption. It requires the password on boot to access the data on the hard drive.

kobaltz

Posted 2011-07-02T07:04:05.077

Reputation: 14 361

two levels of encryption for the whole drive != two factor auth – GnP – 2015-07-02T19:05:58.380

3I thought TrueCrypt full disk encryption only worked with Windows. – Kevin Li – 2011-07-06T07:07:16.567

Asked: 2011-07-02T07:04:05.077

Viewed: 2 855 times

Active: 2015-07-02T19:04:51.423