Gentoo Forums
Storing secure boot keys securely
Forum Index :: Networking & Security
sirlark
Guru
Joined: 25 Oct 2004
Posts: 321
Location: Limerick, Ireland

Posted: Sat Apr 26, 2025 1:42 pm    Post subject: Storing secure boot keys securely

Hi!

I'm setting up a laptop, and I'd like to get secure boot working. I'm following Sakaki's Guide loosely. I don't have an encrypted root partition though. I do have LUKS encrypted volumes for home directories, using systemd-home though. Anyway, I need somewhere safe to store my secure boot keys. I could just encrypt each file individually, but I was thinking of setting up a small encrypted volume to contain the key files. The problem is, doing this with LUKS using a file as the block device via loopback requires a large file. I've tried 32Mb, and cryptsetup says it isn't enough. I need to store maybe 1Mb of stuff. Are there any more space efficient ways of doing this?

Desired characteristics
* a file block device (so I don't have to re-partition)
* when not in use, the file block device is encrypted
* the file block device isn't excessively large
* accessing the encrypted volume requires entry of a password
* the file block device can contain multiple files, ideally mountable as a file system

I'm also open to the idea of an archive file that's encrypted, but I then need a way to avoid these keys being written to disk on an unencrypted partition.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 55200
Location: 56N 3W

Posted: Sat Apr 26, 2025 3:21 pm

sirlark,

Two solutions come to mind.

As it's a laptop, you may have a TPM, which is designed for this sort of thing.

Put your keys on a USB stick which is kept in your pocket except when needed.
sirlark
Guru
Joined: 25 Oct 2004
Posts: 321
Location: Limerick, Ireland

Posted: Sat Apr 26, 2025 4:08 pm

Thanks! So dmesg says I have a TPM, but how do I use it?
zen_desu
Apprentice
Joined: 25 Oct 2024
Posts: 249

Posted: Sat Apr 26, 2025 5:45 pm

That guide is quite out of date.

https://wiki.gentoo.org/wiki/Secure_Boot#Symmetrically_protected_keyfile_creation

This guide describes how to create GPG encrypted secure boot keys. You can also encrypt them using AES using openssl itself.

I prefer using GPG because it means I can protect the keys with my yubikey, and when I use them, I just make a named pipe and use that for key access: https://wiki.gentoo.org/wiki/Secure_Boot#Signing

If you wanted to do something similar with a TPM, you could seal the key using the TPM, using a method similar to this: https://wiki.gentoo.org/wiki/Trusted_Platform_Module#Seal_data
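Added example, not code from the thread or the wiki: a Python wrapper for the named-pipe workflow zen_desu describes. gpg decrypts the signing key straight into a FIFO that sbsign reads, so the plaintext key only lives in the kernel pipe buffer and is never written to an unencrypted partition (sirlark's concern above). The file names db.key.gpg, db.crt, vmlinuz and vmlinuz.signed are assumed.

```python
import os
import subprocess
import tempfile
import threading
import time

def with_decrypted_key(decrypt_cmd, consumer, fifo_name="db.key"):
    """Run decrypt_cmd (e.g. gpg --decrypt) with stdout on a named pipe and call
    consumer(path) with the pipe's path. The plaintext only ever sits in the kernel
    pipe buffer, never in a regular file. Returns whatever consumer returns."""
    with tempfile.TemporaryDirectory(prefix="sbkey-") as tmpdir:  # created mode 0700
        fifo = os.path.join(tmpdir, fifo_name)
        os.mkfifo(fifo, 0o600)
        opened, result = threading.Event(), {}

        def writer():
            # A blocking open() for writing returns once a reader opens the pipe.
            with open(fifo, "wb") as out:
                opened.set()
                result["rc"] = subprocess.run(decrypt_cmd, stdout=out).returncode

        t = threading.Thread(target=writer, daemon=True)
        t.start()
        try:
            return consumer(fifo)
        finally:
            if t.is_alive():
                # Consumer gave up before reading: release the writer and discard
                # its output so the thread and the decryptor can exit cleanly.
                fd = os.open(fifo, os.O_RDONLY | os.O_NONBLOCK)
                opened.wait()
                while True:
                    try:
                        if not os.read(fd, 65536):  # EOF: writer closed the pipe
                            break
                    except BlockingIOError:  # writer opened but has not written yet
                        time.sleep(0.01)
                os.close(fd)
            t.join()
            if result.get("rc", 1) != 0:  # fail closed if the decryptor failed
                raise RuntimeError(f"{decrypt_cmd[0]} failed with rc={result.get('rc')}")

if __name__ == "__main__":
    # Assumed file names: db.key.gpg (GPG-encrypted signing key), db.crt, vmlinuz.
    def sign(key_path):
        return subprocess.run(["sbsign", "--key", key_path, "--cert", "db.crt",
                               "--output", "vmlinuz.signed", "vmlinuz"]).returncode
    with_decrypted_key(["gpg", "--decrypt", "db.key.gpg"], sign)
```

The same wrapper works with a TPM-sealed key by swapping the gpg command for the unseal command, since only the decryptor's stdout is piped.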