Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
LUKS ask for passphrase after waking up from sleep
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
luckylinux
n00b
n00b


Joined: 17 Mar 2012
Posts: 30

PostPosted: Sat Oct 27, 2012 5:03 pm    Post subject: LUKS ask for passphrase after waking up from sleep Reply with quote

Until now I always encrypted my whole / (with a separated unencrypted /boot) partition, however since I almost always put my computer to sleep instead of turning it off, encryption seems to be uneffective.


The reason for this is that if someone steals my PC and doesn't reboot it (or the battery dies), they will have access to all of my data - if they manage to login on the computer (which IMHO can be prevented by something like grsecurity or putting a maximum # of login attemps before locking the system - or rebooting it) - they would be able to see all of my data and settings.

I see now there is an alternative that may be able to solve this problem but would require a few additionnal configuration (editing the init scripts, ...): "luksSuspend" / "luksResume". I would therefore need to leave unencrypted the following directories:

  • /boot (expecially if using GPT)
  • /
  • /sbin (for cryptsetup)


I don't know if other directories should also left unencrypted. Since all init scripts are in /etc/rc.d, maybe they should as well be left unencrypted but that's a BIG security risk (/etc usually contains all networking passwords like VPN's, maybe other devices' encryption keys, ...). Not sure if a random-key encrypted swap would pose a problem (probably it does).


Did anyone of you try to implement luksSuspend / luksResume? How did you do that?
Or are there others alternatives?

Remark: I'm looking to implement suspend to ram (also known as "sleep" / "standby mode" / "suspend") with encryption support. I'm NOT looking to implement suspend to disk (also known as "hibernate"). Since almost all of my PCs run on SSDs swap would be nonsense. For a desktop I may as well put a HDD dedicated for swap, but with 16GB+ RAM I don't think I'll ever need it (but who knows :? ).

Edit: I'd also like to be able to mount my encrypted partition(s) over SSH (using the Dropbear trick into the initramfs image)
Back to top
View user's profile Send private message
rufnut
Apprentice
Apprentice


Joined: 16 May 2005
Posts: 184

PostPosted: Sat Dec 15, 2012 1:54 am    Post subject: Reply with quote

Quote:
Remark: I'm looking to implement suspend to ram (also known as "sleep" / "standby mode" / "suspend") with encryption support. I'm NOT looking to implement suspend to disk (also known as "hibernate"). Since almost all of my PCs run on SSDs swap would be nonsense. For a desktop I may as well put a HDD dedicated for swap, but with 16GB+ RAM I don't think I'll ever need it (but who knows :? ).


Hi, I don't run SSD but if I did, I would still hibernate.

Code:
 free
             total       used       free     shared    buffers     cached
Mem:      16362728    5217692   11145036          0     135720    3418856
-/+ buffers/cache:    1663116   14699612
Swap:     10485756          0   10485756


I don't think my 10GB swap gets used for much anyway.

Otherwise maybe you could look at Tresor.

I was suspending before with a similar setup to you but just adding:
Code:
real_resume=/dev/whatever/swap resume=/dev/whatever/swap

the above was enough to make it work once I resized my swap in the encrypted lvm container.

Quote:

Edit: I'd also like to be able to mount my encrypted partition(s) over SSH (using the Dropbear trick into the initramfs image)


This has also been done but has a minor vulnerability.

I don't know much about this subject but it seems to just work for me.
(never thought I would say that about linux and its abilities let alone encryption.)

:)
Back to top
View user's profile Send private message
tholin
n00b
n00b


Joined: 04 Oct 2008
Posts: 44

PostPosted: Tue Sep 10, 2013 9:27 pm    Post subject: Reply with quote

I also had the same idea and found these two guides for arch linux.

http://waaaaargh.github.io/gnu&linux/2013/08/06/lukssuspend-with-encrypted-root-on-archlinux/
https://github.com/vianney/arch-luks-suspend

They both use the same principle and can easily be modified for gentoo. A chroot is created outside of the root fs. LuksSuspend and then suspend are called from there. Unfortunately there are some problems with this solution.

Data on disk exists on disk but also in ram disk cache. Even if an attacker can't gain access to the disk he can still read all recently accessed files from ram. Using /proc/sys/vm/drop_caches is useless because the data is not overwritten. Something like sdmem would have to be used to overwrite ram but even so application might have sensitive data mapped into their address space. I see no way around that problem without using hibernate instead.

The guides just calls luksSuspend without freezing the userspace processes first. I guess some apps will get impatient when they don't get data right away and start throwing error messages. Part of the script interpreter in the chroot might get swapped out which is bad if luksSuspend is used on a swap device. Swap could be turned off but that usually takes a while to complete and the OOM killer might activate.

Is there any way to securely use suspend to ram and disk encryption? Encrypting all ram before suspend is not possible is it?
Back to top
View user's profile Send private message
frostschutz
Advocate
Advocate


Joined: 22 Feb 2005
Posts: 2424
Location: Germany

PostPosted: Wed Sep 11, 2013 9:27 am    Post subject: Reply with quote

Oh well, that's interesting. Personally I still trust xautolock and root shells time out automatically, so I usually don't have any forgotten ones left open anywhere.

Would it really be that simple... will the open running processes be content to wait indefinitely for until years later I finally enter my passphrase again? Wow.

I'd have to duplicate my Initramfs for this as my setup involves several containers and keyfiles. Not sure if it's worth the bother really.

In case of a laptop, having to re-enter my passphrase all the time in all sorts of places is a security risk also, and probably the greater one (considering the total surveillance situation, i.e. people with smartphones everywhere).
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum