You may already know that a number of modern linux distros offer you to install the distribution onto your HDD with encryption enabled. This means that your HDD will likely be formatted to have two partitions - an unencrypted /boot partition where the kernel image and the boot data reside, and another fully encrypted partition where the rest of the data lies. And of course, you need a passphrase to decrypt the root partition and use it. The setup is likely done with LUKS to encrypt/decrypt the root partition and the LVM to further divide the space into virtual partitions. I won't go into technical details about this setup, but I'm sure you get the brief picture.

Now I keep asking myself how secure this approach really is when an attacker has physical access to the machine (suppose an attacker wants to access certain classified corporation data stored on a computer in your office). It doesn't take a rocket scientist to figure out that the unencrypted /boot partition is suceptible to attack. An attacker could replace some files with a malicious keylogger that logs down the passphrase after the user enters it and saves it somewhere on /boot for later retreival.

I'm generally a bit paranoid person and I'd like to hear your opinions/views on this topic eg. how to detect when the /boot data has been modified, good security practices at protecting data, etc.

Regards,
Ol

Yes, but even with full disk encryption, if an attacker has physical access, they could install a device inside the machine that could record information when the the drive is unlocked and transmit it wirelessly.

This has been done with credit card readers.

If you loose control of your computer (such as for servicing), since the /boot partition is small, you can create an md5sum (or other hash function) list of the files in /boot and compare it with a list saved in the encrypted partition with a backup saved to an immutable source such as a cdrom.

One thing that can make things more difficult for the attacker is that while the kernel & initrd are in /boot, the kernel modules are in /lib/modules/$(uname -r)/ and are encrypted.

Another option is to boot from a removable device such as a pendrive (or ironkey). If the /boot partition is on an iron key, you can secure it in a safe. ( This can be more secure for you personally but not for your organization, if users can take their /boot partitions with them easily )

Another option that might be used is to use a removable hard drive, and to lock the drive in a safe when it isn't in use.

Another option is to boot up from a PXE server. Your hard drive can't become compromised if there isn't one. You still could be compromised if a physical keyboard logger is used.

----

You are focusing on a situation where someone can get around physical security. Don't forget that when the computer is being used, the contents of the encrypted filesystems may be accessible via the network. It is more likely that an attacker can access the data via the network while it is being used, than defeating physical security and employing exotic methods.

You can also use a cold boot attack if the computer has been on or is currently on. See here: http://en.wikipedia.org/wiki/Cold_boot_attack. Princeton University has released all the tools necessary. I actually wanted to try it on my machine to see how easy it is and how secure encryption is. As long as you take precautions against these kinds of attacks (never leave the machine on when your way, stay with it for about 5 minutes after you shut it down). There also might be some way to secure your RAM. Anybody know about that?

There are also ways to put your boot partition on a USB stick. I would like to set that up, but I have only found tutorials for Gentoo (I use Arch).

How would one detect such devices? That would technically require the attacker to disassemble the computer, install the device and reassemble it. If we can lock the case or maybe put some sticker on the panel, we could easily see the box was opened as the sticker would be damaged. I'm not sure what kind of devices these are, but I've heard of the hardware keyloggers that you put between the keyboard and the computer. These will then log down anything a user types, but are easily spotted, should you look at the back of your box. I'm not sure about laptops since they offer very little room to install arbitrary devices inside. Also, the fact that you mentioned such information can be transmitted wirelessly scares me a bit. I don't suppose you had a wifi card in mind here...

Yes, this was my initial idea, but I would also hash the entire partition rather than just the files to see if anything was changed at all. If I choose this approach, is there any practical way to have the partition checked automatically each time a computer boots? I am not sure whether it is a good idea to enter the password and *then* have the /boot partition checked by some script located on the encrypted space. Likewise, it's impossible to know that the script hasn't been modified too, should it be located on the unencrypted /boot partition to allow verifying the integrity prior actually entering the pass phrase.

This is probably the best solution I've heard of so far.

Plausible scenario.

I was primarily interested in security practices against physical access tho network access is a chapter of its own. Staying up with the latest updates and following standard linux security practices makes it more difficult for the attacker tho I'm sure you can easily notice an attack by running an intrusion detection system on your network, possibly the box itself. My worries are on physical access right now. Last year we've had an incident where a computer with some sensitive data was stolen directly from an office. The burglars seem to have gained access to the building via an open window in the toilet room that someone forgot to close.

You definitely want to boot from removable media as a first step. This allows you to have the entire disk encrypted. You're gonna have to address your physical access issues, though. I don't know what kind of burglars you're dealing with, but if they are determined enough (such as would be the case if they are your business competitor) they could cold boot attack you to get the key. There's some scripts floating around which will overwrite memory if a proper shutdown is done, so that can help with that (you're still vulnerable if the power is suddenly cut). But as has been said, with physical access you're at risk for having your key stolen via many other physical means too.

I've always want to set up booting from a USB. Do you know of any howtos or tutorials? Is it as simple as copying your boot partition to a USB and modifying your grub? The gentoo wiki article I saw set up a mini OS on the USB and other crazyness...

Also, do you know of any memory wiping utilities?

If you mean "with the objective of having whole-disk encryption", check this one out.

No (surely someone else does, though), but slimm609 posted a script here which might work (haven't tested it).

I am not so sure about the cold boot attack. It was definitely the top news for me when it first came out, but how long does a passphrase really reside in the RAM after the computer has been powered off? I mean... the employees don't suddenly just disappear from offices, leaving the entire building empty. Some tend to stay around longer and there's also the janitor who is the last one to go. We believe that the burglary I mentioned happened at night. I'm guessing there won't be much left to cold-boot since the box was powered off 4 to 8 hours ago.

According to the Princeton CITP's FAQ, most systems will be okay after a few minutes. They do point out, however, that there are exceptions. Bottom line is that you'll need to check for yourself if you want to make sure.

There was a case where a large number of credit card readers were found to have sophisticated wireless bugging devices installed on them. They came from China and this was an organized effort with the devices installed enroute or more likely by factory employees. It was found accidentally when a security guard noticed a buzzing in his radio when he walked by the device. He walked by a just the right time. The only way to detect if your reader was compromised without busting open the case and disassembling it was to carefully weigh it. Someone would periodically part outside the building and download the credit card data wirelessly. AFAIK, it wasn't an always on device. It also was a lot smaller than a wireless card or a laptop wireless device.

If you send your computer in for service, or a cleaning person has access to it at night, they could install a physical keylogger, or I imagine replace the wireless outlet with one with a wireless tap.

My point about producing a hash of files on the /boot directory is that being unencrypted, the files could be easily replaced. The other filesystems are encrypted. Producing a file/hash list of all of the files is a common technique for servers. You could also run rkhunter just after installing. It will produce hashes many files and then use that hash list when it runs the next time. I don't know if you can incorporate a file check into the boot process. You could create a script to check them later. If the script is in the encrypted part, it should be secret. It could be a pain in the behind keeping a list current after legitimate updates.

Most distro's will have a package to log changed files and permissions. Check the root users email, because you may already have something running that does it and not know it.

---
[/quote]How would one detect such devices?[/quote]
One way is to use a sniffer that sniffs for wireless frequencies (including frequencies used in europe). This may find a normal wireless router or pendrive sized device using standard technology.

There are some buildings that don't have any windows, and are enclosed in a Faraday cage. A grounded metal mesh incorporated in the construction prevents the transmission of signals.

According to a slashdot weekly podcast article, a Japanese company started selling a paint that contains certain metals that are supposed to interfere with wireless signals. They simply added iron particles and other metals to normal paint.

---

If you can't physically secure your computer at work, then in the least use a grub boot password. You can configure it so that you can boot normally, but need to enter a password to select a non-default option.

---

Another thing to consider is password protecting your bios after disabling CD and USB booting. Now you can't use an iron key to boot, but for many companies, pendrives are a no-no.

---

Your mention of using a sticker reminded me how during WWII, English ladies in the Caribbean would steam open all letters leaving the US. The US fell so behind in intelligence that we had to allow the "Baker Street Boys" to operate freely in the US.

Actually if I had physical access to your box for say 3 days, I would just a macro programmable keyboard and a rainbow table to break your pass phrase....

One other thing people say rainbow tables are to big to fit on a pen drive to use with such a keyboard, the other day some one brought me a pen drive
that uses those small sd-ram cards used in cameras and was boasting that it could hold up to 50 gigs with the right chip. Thats big enough unless you have some ungodly passphrase such as something like []';-99e/rmas09df=--=w-er0a9sldf48/*=-31\';§asdf¥∟ÆSadfwaf

That won't work if you don't have my key

win32sux, thats a pretty good article. Do you know of any that are less PPC specific?

No, sorry.

Believe it or not, that's the kind of passphrase I like to use (without the special characters). The problem with these is that they're extremely difficult to memorize. I personally don't have much trouble memorizing them, but other people are not so lucky.

I found an easy way to remember long passwords. Suppose you have a sentence that is well known to you and goes like "This good woman had a little red riding hood made for her. It suited the girl so extremely well that everybody called her Little Red Riding Hood.". Now take the initials of ever word in that sentence and combine them to form a password such as "tGwHaLrRhMfH$/'[;IsTgSeWtEcHlRrH3192". Not the best one to remember, but you get the image.

that's almost exactly what I do, with a small twist.
I normally use two different passwords one that I can memorize easy like 99gsmkd083 I have a 99 gs eclipse and I used to play mortal kombat deadly alliance and I was born in 83. I like to use stuff in the room I am in to formulate passwords, if by some some chance i Forget it I have some what of a way to try to figure it back out.

then I use something like rcfp18vc!@984lfmv. I would write this down on a sticky note and leave it in my wallet. After using it a million times it becomes second nature.



just fyi these are not passwords I currently use, but use to use.