BLU Discuss list archive
[Discuss] Server/laptop full-disk encryption
- Subject: [Discuss] Server/laptop full-disk encryption
- From: me at mattgillen.net (Matthew Gillen)
- Date: Tue, 30 Sep 2014 04:56:12 -0400
- In-reply-to: <fb73f4b8a491577a02de5fcaf7779293.squirrel@webmail.ci.net>
- References: <fb73f4b8a491577a02de5fcaf7779293.squirrel@webmail.ci.net>
On 9/30/2014 2:20 AM, Rich Braun wrote:
> The thorny problems with doing this are making sure that
>
> (a) the keys are convenient, readily accessible at every reboot
> (b) the keys can't readily fall into the wrong hands
> (c) infrequently-accessed filesystems aren't accessible except when needed
> (d) generated keys and pass-phrases have sufficient entropy
> (e) the keys and pass-phrases can survive *me* (e.g. by somehow keeping an
> up-to-date version in a bank safe-deposit box in case I get hit by the
> proverbial bus)
>
> Most of the HOWTOs online seem to be utter crap. Can someone point me to
> something that's readable yet sufficiently technical to serve as a decent
> launching point? I'm kinda thinking I'd like to have a local keyserver (on my
> LAN) protected by a passphrase, if it's possible to make the keys available
> via a local URL rather than a silly USB dongle that I have to carry around.

The FAQ:
> 2.14 Can I use LUKS or cryptsetup with a more secure (external)
> medium for key storage, e.g. TPM or a smartcard?
>
> Yes, see the answers on using a file-supplied key. You do have to
> write the glue-logic yourself though. Basically you can have
> cryptsetup read the key from STDIN and write it there with your own
> tool that in turn gets the key from the more secure key storage.

So to answer your last question, you can certainly do it, but it sounds pretty DIY.

That FAQ made me look at using TPM to hold the keys:
https://github.com/shpedoikal/tpm-luks/blob/master/README

Not sure why you'd want to do that (besides TrustedGrub, which sounds like a complicated way for me to lock myself out of my own machine). My cursory reading makes me think you can use TPM so that when using external drives with a known machine it doesn't even ask for a passphrase (though I'm not sure if a TPM secret is basically the same thing as a LUKS passphrase).

(related posts:
http://www.saout.de/pipermail/dm-crypt/2012-November/002905.html
http://resources.infosecinstitute.com/linux-tpm-encryption-initializing-and-using-the-tpm/ )

The Fedora installer can encrypt everything but /boot for you really easily. A useful trick is that multiple volumes encrypted with the same passphrase will only require you to enter the passphrase once (as opposed to once per volume).

I've also used the instructions here:
https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#2._Setup
to encrypt external drives that I use for backup. KDE/Gnome even ask for the passphrase when you plug it in.

HTH,
Matt
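As an added example (not code from either poster or from the cryptsetup project), here is one shape the "glue logic" from FAQ 2.14 can take for the local-keyserver setup Rich describes: a small tool fetches the volume's raw key from a passphrase-protected key server on the LAN, refuses anything too short to count as a key (covering his point (d) on the consumer side), and then hands the key to cryptsetup on STDIN via `--key-file=-`. The key server URL, the netrc credential file path and the `.key` naming scheme are assumptions for the example; `gen_key` shows the matching producer side, pulling 512 bits from the kernel CSPRNG.

```shell
#!/bin/sh
# Added example for this thread, not the cryptsetup project's own code.
# Assumed: a passphrase-protected key server on the LAN (KEYSERVER_URL) that
# serves one raw key file per volume over HTTPS with basic auth, and curl.
set -eu
umask 077                      # temporary key copies are owner-readable only

KEYSERVER_URL="${KEYSERVER_URL:-https://keyserver.lan/luks/}"   # assumed URL
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"                            # overridable for dry runs
MIN_KEY_BYTES=32               # 256 bits; refuse anything shorter

# gen_key FILE: write a fresh 64-byte (512-bit) key from the kernel CSPRNG.
gen_key() {
    head -c 64 /dev/urandom > "$1"
}

# key_ok FILE: true if FILE exists and holds at least MIN_KEY_BYTES bytes.
# Stops an empty or truncated key-server response from reaching cryptsetup.
key_ok() {
    [ -f "$1" ] && [ "$(wc -c < "$1")" -ge "$MIN_KEY_BYTES" ]
}

# fetch_key NAME FILE: download the key for volume NAME into FILE.
# -f makes an HTTP error a non-zero exit instead of an HTML page saved as a "key".
fetch_key() {
    curl -fsS --netrc-file "${LUKS_NETRC:-/etc/luks-keyserver.netrc}" \
        -o "$2" "${KEYSERVER_URL}$1.key"
}

# open_volume DEV NAME: fetch the key, validate it, feed it to cryptsetup on
# stdin (--key-file=-), and remove the temporary copy on every path.
open_volume() {
    dev="$1"; name="$2"
    tmpdir=/dev/shm                      # RAM-backed when available
    [ -d "$tmpdir" ] || tmpdir="${TMPDIR:-/tmp}"
    tmp=$(mktemp "$tmpdir/luks-key.XXXXXX")
    if ! fetch_key "$name" "$tmp"; then
        rm -f "$tmp"; echo "key fetch failed for $name" >&2; return 1
    fi
    if ! key_ok "$tmp"; then
        rm -f "$tmp"; echo "refusing short or empty key for $name" >&2; return 1
    fi
    if "$CRYPTSETUP" open --key-file=- "$dev" "$name" < "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}

# Usage (as root, after gen_key'ing a key and uploading it to the key server):
#   open_volume /dev/sdb1 backup && mount /dev/mapper/backup /mnt/backup
```

Because the key is only ever a file in a private temp directory or a pipe, nothing lands in shell history or process arguments; whatever you swap in for `fetch_key` (a TPM unseal, a smartcard read, a different server) keeps the same contract of "write the raw key to FILE or fail non-zero."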