[kwlug-disc] TrueCrypt Safer Than Previously Thought

B.S. bs27975 at yahoo.ca
Sun Nov 22 12:41:44 EST 2015


FDE = Full Disk Encryption

> encrypted /boot or not, if its chain of custody is violated, you are boned.

To some extent.

But, at least, one has confidence that the data hasn't been compromised. As you note. No need to auto-knee jerk change every password you have. Except ... your ssh password to your home machine - which you did as soon as the laptop went missing, right?

I suppose one could put something in the process that provides a tell that it's yours. e.g. A fake boot entry. Don't see it, boot's been compromised.

Granted, to your point, for your scenario, they'd replace the encrypted partition, and do the least possible to change any appearance of boot.

Guess this goes back to putting a password in the BIOS, both config and to boot. Not asked for a password ... something's been messed with. Again, to your point, that it appears normal doesn't mean it still is.

In the end, I take your point - upon loss of sight of the beastie, when you get it back, consider it compromised. Boot a Live CD or something first, poke at it a bit to see if anything appears amiss.

Thanks for thinking this out out loud here. Seems encrypting /boot buys little, and an unencrypted boot can reduce some aggravation when stuff hits the fan.

What would one run to sanity check? I suppose a default option clamav run doesn't do it.


----- Original Message -----
> From: Jason Locklin <locklin.jason at gmail.com>
> To: KWLUG discussion <kwlug-disc at kwlug.org>
> Cc: 
> Sent: Sunday, November 22, 2015 9:22 AM
> Subject: Re: [kwlug-disc] TrueCrypt Safer Than Previously Thought
> 
> 
> 
> On 22/11/15 01:31 AM, B.S. wrote:
>> Even then, it seems I've read that to help oneself out in problem situations, one should use an unencrypted boot partition (that then mounts encrypted partitions).
> 
> The threat model that FDE is quite good for is a one-time stolen
> machine. There will be nothing of value in the /boot partition (well,
> they will be able to tell you use Linux and what kernel you were running).
> 
> The threat model that defeats FDE is when a machine is physically
> accessed by a malicious actor and returned to you. Here, yes, they would
> be able to modify your /boot partition, *however* encrypting /boot would
> gain you nothing on its own anyway. Such an actor would image your
> encrypted drive before returning it to you and would simply need to
> fool you into entering your passphrase. They could simply wipe whatever
> encrypted system you have installed and install their own one that fools
> you into typing in your passphrase and broadcasts it. Even with a
> cryptographically signed BIOS and bootloader (Coreboot?), they could do
> this with a hardware key-logger.
> 
> So basically, FDE encryption works for stolen laptops, but, encrypted
> /boot or not, if its chain of custody is violated, you are boned. It
> does force the (intelligent) thief to choose either stealing your
> hardware *or* your data.
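
One way to do the Live CD sanity check asked about in the reply above, as an added example that is not part of either poster's message: save a SHA-256 manifest of /boot while the machine is still trusted, keep it on separate media, and compare against it after the machine has been out of sight. The manifest format, the function names and the demo file names are assumptions; the check reports changed, added or missing files under /boot only and says nothing about the hardware key-logger case raised in the quoted message.

```python
"""Check a mounted /boot against a baseline manifest kept on other media."""
import hashlib
import json
import os
import sys
import tempfile

def build_manifest(root):
    """Map each file or symlink under root (relative path) to a fingerprint."""
    manifest = {}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):  # record the target, do not follow it
                manifest[rel] = "symlink:" + os.readlink(path)
            elif os.path.isfile(path):
                with open(path, "rb") as fh:
                    manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(baseline, current):
    """Return paths changed, added or missing relative to the baseline."""
    old, new = set(baseline), set(current)
    return {"changed": sorted(p for p in old & new if baseline[p] != current[p]),
            "added": sorted(new - old), "missing": sorted(old - new)}

def demo():
    """Constructed sample: a stand-in boot tree, baselined, then altered."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("vmlinuz", "initrd.img", "grub.cfg"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("original " + name)
        baseline = build_manifest(root)
        with open(os.path.join(root, "initrd.img"), "a") as fh:
            fh.write(" altered")  # one file modified after the baseline
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    if len(sys.argv) != 3:  # no arguments: run the constructed sample
        report = demo()
    elif os.path.exists(sys.argv[2]):  # manifest exists: compare against it
        with open(sys.argv[2]) as fh:
            report = compare(json.load(fh), build_manifest(sys.argv[1]))
    else:  # first run: save the baseline (arguments: BOOT_DIR MANIFEST.json)
        report = build_manifest(sys.argv[1])
        with open(sys.argv[2], "w") as fh:
            json.dump(report, fh, indent=1)
    print(json.dumps(report, indent=1))
```

Run it from the Live CD with the suspect disk's /boot mounted read-only, so that neither the script nor the manifest comes from the disk being checked.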




