Tuesday, April 24, 2007

booting from USB for security

Sune Vuorela asks about how to secure important data such as GPG keys on laptops.

I believe that the ideal solution involves booting from a USB device with an encrypted root filesystem to make subversion of the machine more difficult (note that physically subverting the machine is still possible, e.g. through monitoring the keyboard hardware).

The idea is that you boot from the USB device which contains the kernel, initrd, and the decryption key for the root filesystem. The advantage of having the key on a USB device is that it can be longer and more random than anything you might memorise.

In my previous posts about a good security design for an office, more about securing an office, and biometrics and passwords I covered some of the details of this.

My latest idea, however, is to have the root filesystem encrypted with both a password that is entered and a password stored on the USB device. This means that someone who steals both my laptop and my USB key will still have some difficulty in getting at my data, but also someone who steals just the laptop will find that it is encrypted with a key that cannot be brute-forced with any hardware that doesn't involve quantum computing.

Coincidentally, on Planet Debian on the same day, Michael Prokop documents how to solve some of the problems relating to booting from a USB flash device.
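As an added example (not code from the original post), here is one way to combine the two factors the post describes, a typed password and a long random secret stored on the USB device, into a single root filesystem key. The function names, the PBKDF2-then-HMAC construction, the iteration count and the on-disk record layout are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for the boot hardware


def derive_root_key(passphrase: str, usb_secret: bytes, salt: bytes) -> bytes:
    """Combine the typed passphrase and the USB-stored secret into one 256-bit key."""
    if not passphrase:
        raise ValueError("empty passphrase")
    if len(usb_secret) < 32:
        raise ValueError("USB secret must be at least 256 bits of random data")
    # Stretch the memorised factor so guessing stays slow even if the USB key is stolen.
    stretched = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)
    # Key the final step with the USB secret: a laptop-only thief cannot compute it.
    return hmac.new(usb_secret, b"rootfs-key-v1" + stretched, hashlib.sha256).digest()


def enroll(passphrase: str, usb_secret: bytes) -> dict:
    """Create the record kept on the laptop disk: a salt plus a key check value."""
    salt = secrets.token_bytes(16)
    key = derive_root_key(passphrase, usb_secret, salt)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def unlock(record: dict, passphrase: str, usb_secret: bytes):
    """Return the root key if both factors are correct, otherwise None."""
    key = derive_root_key(passphrase, usb_secret, record["salt"])
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, record["check"]) else None


if __name__ == "__main__":
    usb_secret = secrets.token_bytes(32)  # constructed sample: lives only on the USB device
    record = enroll("correct horse battery", usb_secret)  # constructed passphrase
    print("both factors:    ", unlock(record, "correct horse battery", usb_secret) is not None)
    print("wrong passphrase:", unlock(record, "guess", usb_secret) is not None)
    print("wrong USB secret:",
          unlock(record, "correct horse battery", secrets.token_bytes(32)) is not None)
```

The sketch covers only how the two factors are combined; it does not set up disk encryption itself.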


Anonymous said...

The major problem with using USB drives for authentication is that they are trivially easy to copy which makes them unusable as authentication tokens.

Anonymous said...

Anonymous: you can use libpam-usb (about to be uploaded to Debian) which uses one time pads in the media. If you design an authentication method involving, say, pam-usb and pam_rsa, then we're getting somewhere.

Nice post! IMHO, 'cheap' security and authentication is one of Linux's biggest strongholds, yet it lacks insightful recommendations such as the ones provided when the topic arises in a blog.

Anonymous said...

So what you are asking about is available in Vista Ultimate and Enterprise (BitLocker) today. If the manufacturer includes the TPM chip on the motherboard, using strong security and a strong password the entire hard drive is encrypted and not accessible. This also includes using a USB key with the same triple DES levels of encryption with password to enable the hard drive to boot and become accessible.

José said...

Your entire proposition is prefixed by an "if..." -- in Linux you can't have "if's". Linux operation has to be predictable everywhere.

Anonymous said...

Actually, what I said was Vista supports two methods to provide secure hard drive encryption. Depending on the manufacturer (which no OS vendor controls), the organisation has one of two choices in providing support that is built into the OS. One is an onboard chip, the other USB. USB will work on every device, so is a guaranteed solution no matter where you purchase hardware. Therefore every Windows Vista Ultimate or Enterprise user has this technology available no matter what hardware is used via USB support. This is not an IF, this is a fact.