What’s this about?
Perhaps as a normal user in your job, you deal with job applications, patient data, your new product idea, your company's client list, or new product designs from engineering that you show to select customers under an NDA. If your laptop were to get stolen, it might lead to (non-exhaustive list):
- political embarrassment
- financial loss to your company
- identity theft issues for your customers
- legal fallout
- loss of your job
You might have a logon password to get into your operating system (Windows desktop and similar), but this isn’t going to stop someone who can Google for a way to reset or recover a forgotten administrative/root password (or who simply mounts the drive on another system) and then get in and take a look through the user data.
It doesn’t have to be theft either – if passing through certain national borders you might end up having an image of your hard drive taken. Even if we assume (for simplicity) that governments themselves are totally trustworthy, and that the data will be held securely and only analysed for national security purposes, the data is still being held by multiple people, and you only need one parasitical (corrupt) employee to put your data at risk. An individual's motivation for wanting your data might be looking for financial data such as credit card details stored in a file (don’t do this), or for data that could be used to answer your password recovery questions on banking sites.
I’m told I don’t use enough pictures, so this post will feature pictures of cats
What’s the solution?
A solution is disk encryption. This way if the laptop is stolen the confidential data stays encrypted. When the computer boots up you type in a password and that is fed into the process that allows the data on the hard drive to be read. For an attacker, removing the hard drive and putting it in another computer won’t work – without the decryption password as well as the drive you just have a lot of encrypted data.
What other solutions are there?
You could pay someone to constantly stand over your laptop and physically remove anyone who comes near. For border crossings, diplomatic status, an armed guard and being from a large, aggressive, military-oriented country would probably keep the data safe. It’s a bit expensive though, and do you trust your guard? Maybe he’s a spy…
OK, let’s use disk encryption. Are there any problems with disk encryption?
I notice you didn’t say ‘full’… sometimes software is used that first boots a kernel from a small unencrypted partition on the hard disk, then asks for the password and uses that to decrypt the second (much larger) encrypted partition. One problem with this approach is that I could work out what software you’re using, work out an attack in private, and then the next time your laptop is unattended modify that unencrypted partition to boot a slightly altered kernel. With the right approach you won’t be able to trust your device any longer and the attacker will be able to use your system at will.
Ok, full disk encryption. No unencrypted stuff. Beat that.
So you’ve been given some full disk encryption product and it has a suitably massive number for how many years it’s expected that all the world’s computers combined would take to decrypt your disk. There are still some issues. The main one is social.
When you go through some hostile border and they demand that you boot up your laptop, the first thing they will see is a password prompt. If you’re lucky you’ll just get a demand that you type it in. If you’re unlucky they’ll ask for the password so they can record it with the disk image. You can stamp your feet and refuse but things are only going downhill from here on – you might lose the laptop, be promptly deported or detained for national security reasons.
Or if you have financially valuable engineering data on your laptop, perhaps you’ll get the xkcd scenario, and beaten until you give out the password. How many fingers do you have?
Well this all sucks
OK wait. Imagine someone demands to see what’s on your laptop, it boots up into MS Windows, they see that you have a few (rather dull) mp3s, a browser history of some dull sites and not much else. They see you have a USB stick on you, they ask to see what’s on it. You plug it in and there’s just some more boring mp3s. They get bored and wave you off.
Later on, in private, you put the USB stick into the same machine, reboot, and up comes a different operating system, which asks for a disk encryption password and then decrypts a different operating system from a hidden (to the casual eye) encrypted area of the hard drive.
That sounds fun
Yes, the problem is that, whatever you know about computers, you now need to sit through a bunch of graphical installers, trying to convince them to do something complicated when they’ve spent the past 10-15 years making the install process hide as much complexity as possible from the user. What you need is a technical blog written by someone who went through the pain for you.
Our success criteria:
- If untouched, the computer boots into [a sacrificial] MS Windows without any boot menus or similar having been shown during the bootup process
- If plugged in to a Windows based machine, the USB stick you carry will show as ‘normal’ (some mp3 files etc)
- If an image of the hard drive is taken, the data remains confidential
- Stealing the USB stick and computer is not sufficient to get access to the real data
- If the hard drive is tampered with (data altered) your data is either unaffected or the entire system is destroyed – you can trust the integrity of your device
There are limits to this but it’ll protect you in most scenarios. You have to upset some persistent people for it to come apart.
- Put Windows on the laptop, then install Linux to a second partition, with that partition encrypted and the /boot partition on the second partition of the USB stick
- Carry a USB stick with you, on a keyring or similar. The first partition is FAT/vFAT which Windows can read, the second partition is /boot for Linux. The GRUB bootloader is installed to the USB stick’s Master Boot Record (MBR).
- For extra security, you could use a hardware encrypted USB stick that has a built-in keypad
- You must put the FAT (Windows-viewable) partition on the first partition of your USB stick
- You must put the bootloader onto the USB stick despite anything the installer does to try and persuade you not to
- The USB bus resets a lot of times during an install, which causes issues if you are using a hardware encrypted USB stick: it will disconnect and demand the password, and the install process might choose that moment to get upset and die because the drive didn’t return in time. Hence use a normal USB stick for the install, then ‘dd’ the image to your hardware encrypted USB stick later (and securely wipe the original after confirming the copy works).
- Don’t write a blog post about implementing it, otherwise they’ll know it’s there and you’re vulnerable to physical duress again
- Don’t use a uselessly weak password. There’s no point using 256 bit disk encryption if your password for unlocking it is ‘password’ (and no, ‘s3cur1ty’ isn’t a good password).
- Anyone who’s above average with computers will spot the secondary partitions if they investigate either the laptop or USB stick in a partition manager
- If you make backups of the drive in its encrypted form, don’t forget the password or you’ll be locked out forever
- If you make backups of the laptop when the drive is decrypted, then remember your data is vulnerable wherever the backup data is stored.
- It might be possible to social engineer you into using a keylogger device (“hey, that laptop keyboard looks small, want to use my spare USB desktop one?”)
- If you don’t keep your system patched and secure, you might just get it compromised when it’s turned on like any other machine
- If using a hardware encrypted USB device, note that various nation states might have required a backdoor from the manufacturer
- If the laptop is unattended, a well funded attacker might just lift out the laptop keyboard, put some form of small broadcasting hardware between the keyboard and the keyboard connector, refit it, then wait to sniff the keystrokes which decrypt the hard drive. That’s out of the realms of normal attackers but within reach of state-sponsored espionage.
In all seriousness, this is a trade off. I like to share helpful information, my fleshy biological internal risk analysis thinks I’m low risk of (for instance) physical duress but I find it fun to work out how to do things like this.
Forensic examination will have no problem determining that there’s partitions there, and if you’re involved in a court process you’ll probably be asked to give up your encryption keys. You can refuse which in the UK will get you 2-5 years in prison. The best way to avoid going to prison is to not break the law (not a perfect guarantee).
I’m using OpenSUSE 12.3 in this guide but the general principle is the same for pretty much all Linux distros.
Install MS Windows, but during installation don’t use the entire hard disk, instead leave some space (which will be used by Linux). E.g. you could split a 120G drive into 60G/60G.
Now we’ll install Linux. If you get it wrong and accidentally install GRUB (laypersons: a common bootloader used by Linux) onto your main drive, do not panic. Boot up your Windows install/repair disk and select the command prompt option, then type
this will remove the Linux bootloader and you can then try installing Linux again (and windows boot will return to normal).
So during the Linux installation, when it comes to partitioning your hard disk space, select the free space not used by Windows and choose to create a partition. In OpenSUSE 12.3 I used the following steps:
- click on free space
- select ‘add a partition’
- select ‘do not format’
- select ‘LVM partition type’
- select ‘encrypt device’.
- enter the password when prompted that you want to type in when the laptop tries to boot into Linux
It will now have created what’s probably (depending on the Linux distribution) an AES-256 encrypted drive. If you have an Atom processor there’s some suggestion that you may get faster disk access times if you’re able to select the Blowfish encryption method instead, but I don’t think this is possible in OpenSUSE (I used a command prompt to look at the installer’s supported encryption types) and there may have been some improvements in implementation since. If I was doing this on 250 corporate laptops and had the option in the distribution I was using then I’d probably do some benchmarking.
But currently it’s just a big encrypted space, we need something useful on it.
- Now go to LVM volume management, select to add a new volumegroup
- select the physical partition to add to the LVM physical group (use the one you encrypted)
- enter a name, then click on finish
- now add logical volumes (such as a swap, root and home area)
Some people might suggest not adding a swap partition – my advice would be that you might not need it but it’s going to be a nightmare to add it later on so add one now to play it safe.
It’s optional, but you might want to change the mount options to add noatime (this means don’t record file access times; it’s not normally useful and slows everything down) and to remove support for extended file attributes (ACLs) if you won’t be using them.
I used ext4 as the file system as btrfs is a bit new and gave me some unexplained errors during one of the trial installs on the device I was using (I forget which distribution I was trying at the time – I tried a few while looking into the disk encryption) which made me nervous about the implementation – I like my filesystems to be error free since I want my data uncorrupted.
For removable media, selecting to format the second partition will format the first partition. You made a backup, right? Right?
- Having partitioned the main drive, select the usb stick.
- Put a vFAT partition at the start of the disk, then use the last space on the disk for the /boot partition (200MB-500MB) – you must get the order right (see following notes)
Important: you might be tempted to make the USB stick have a /boot partition at the start and a vFAT partition for Windows use in the remaining space. Don’t do this. If you do it this way around, firstly Windows will ask if you want to format the disk every time the USB stick is plugged in, and secondly attempting to format the secondary vFAT partition in the MS Windows partition manager will cause it to format the first partition. So in short you won’t be able to use the USB device in Windows and you’ll fail the requirement of the USB stick appearing normal when plugged in.
This is due to Windows behavior with drives that have the Removable Media Bit (RMB) set (only one partition allowed, and some other behavioral changes), which is normally set in the USB device controller chip, and usually only alterable using a special program from the device manufacturer.
The Microsoft RMB policy decision maker
- click finish
- you’ll be asked to add a user, and then you’ll get the install summary screen. HALT! Stop at the summary screen as there is something we need to do
Take a look at the Bootloader section very carefully on the install summary screen. Notice that the installer is going to install grub to the main hard disk (e.g. /dev/sda) but we want it on the usb stick, (e.g. /dev/sdb).
So if we click accept now it will be a disaster. If it goes on the hard drive then grub (bootloader menu) will be loaded on boot and it will get upset when the usb stick isn’t present and we won’t be able to boot windows either.
So to fix this
- click on Booting
- select ‘boot loader installation details’
- in the list of drives, move the secondary drive (usb stick) to be top of the list using the arrow buttons
I then used ‘boot loader options’ to set the active flag for the /boot partition, but I think you only need that if you install GRUB to the boot partition itself, and I used the MBR instead. Now proceed with the Linux install.
If you have a hardware encrypted USB stick and you followed my earlier advice and installed to a normal USB stick, you can then image it to your encrypted USB stick:
# check the device names are right (lsblk shows them), then double check
# if = input file (the device to read from), of = output file (the device to write to)
dd if=/dev/sdb of=/dev/sdc bs=4M
# make sure everything is actually written to the stick before pulling it
sync
Although an encrypted USB drive has better data integrity/confidentiality, a small USB stick might be better in use as it’s discreet and easier to carry on you at all times. Although I don’t like promoting security through obscurity, a smaller device also won’t look out of place, whereas having a (in comparison) gigantic USB encryption keypad sticking out of your laptop might pique interest. You can always take the stick out after boot of course (add the ‘nofail’ option to the /boot mount point in fstab to make Linux cope with that situation better).
| Test | Expected result | If it fails… |
|---|---|---|
| Laptop boots without USB stick | Laptop boots into Windows with no bootloader evident | If GRUB loads, you installed GRUB to the main drive’s MBR by mistake |
| Laptop boots with USB stick | Laptop loads the GRUB bootloader and attempts to boot Linux | If this fails you’ve probably made a mistake with GRUB |
| Linux needs a drive decryption password to boot | On boot, Linux halts and asks for a decryption password | If it boots without a password then you forgot to create an encrypted drive |
| USB stick appears normal in Windows | Plugging in the stick, it’s visible as a normal USB drive | If it asks to format it, you’ve got the partitions the wrong way around – FAT/vFAT has to be the first partition |
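The checklist above is done by rebooting and watching; the script below does the same three checks (GRUB not in the internal disk's MBR, GRUB in the stick's MBR, vFAT first on the stick, root on an encrypted device) from inside the installed Linux, and also adds the ‘nofail’ option to the /boot line in fstab mentioned earlier. It is an added example, not a script from the original post; the device names /dev/sda and /dev/sdb and the script name check-layout.sh are assumptions.

```shell
#!/bin/sh
# Post-install sanity checks for the "/boot on a USB stick" layout in this post.
# Added example, not from the original post. Assumptions: internal disk /dev/sda,
# USB stick /dev/sdb (pass the real names as arguments); run as root on the
# installed Linux system.
set -u

# Read the first 512 bytes (the MBR) of a disk or image file and report whether
# GRUB's boot code is in it. GRUB's boot.img carries the literal text "GRUB"; a
# Windows MBR does not. Exit status 0 means GRUB is present, 1 means it is not.
mbr_has_grub() {
    dd if="$1" bs=512 count=1 2>/dev/null | grep -aq 'GRUB'
}

# Check the stick's partition order from "lsblk -nr -o NAME,FSTYPE /dev/sdb"
# output: the first partition must be vfat (what Windows sees) and the second
# must not be (it is the ext /boot filesystem). Takes the lsblk text as an
# argument so it can be tested offline. Exit status 0 means the order is right.
usb_layout_ok() {
    printf '%s\n' "$1" | awk '
        NF < 2 { next }                       # whole-disk line has no FSTYPE; skip
        ++n == 1 && $2 != "vfat" { bad = 1 }  # partition 1 must be the FAT one
        n == 2 && $2 == "vfat"  { bad = 1 }   # partition 2 must be /boot, not FAT
        END { exit (n < 2 || bad) ? 1 : 0 }'
}

# Add "nofail" to the /boot entry of an fstab file so Linux keeps booting when
# the stick is pulled after boot. Idempotent: an entry that has it is left alone.
add_boot_nofail() {
    awk '$2 == "/boot" && $4 !~ /(^|,)nofail(,|$)/ { $4 = $4 ",nofail" } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage: sh check-layout.sh /dev/sda /dev/sdb  (internal disk first, stick second)
if [ $# -eq 2 ]; then
    if mbr_has_grub "$1"; then
        echo "WARNING: GRUB boot code found in the MBR of $1 (the internal disk)"
    fi
    mbr_has_grub "$2" || echo "WARNING: no GRUB boot code in the MBR of $2 (the stick)"
    usb_layout_ok "$(lsblk -nr -o NAME,FSTYPE "$2")" \
        || echo "WARNING: $2 does not have a vfat first partition and /boot second"
    # Root must have a dm-crypt device somewhere below it (LVM on LUKS shows "crypt").
    lsblk -snr -o TYPE "$(findmnt -nr -o SOURCE /)" | grep -q '^crypt$' \
        || echo "WARNING: / is not on an encrypted device"
fi
```

The awk in add_boot_nofail rewrites only the /boot line, so run it on a copy of /etc/fstab first if you want to eyeball the result.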
Congratulations, you made it through the wall of text. This second cat picture is your reward.
Some modern devices come with features such as the ability to encrypt the hard drive via (in simplified terms) the computer’s BIOS, which loads before the operating system. This means the attacker needs the password to decrypt the disk. The problem is that it’s very obvious as soon as the computer boots up that a password is needed (“please enter the password”), and depending on the circumstance whoever took the laptop from you might be physically aggressive.
So instead, don’t have Linux as the sole operating system. Have the device boot into MS Windows by default. You could still have a hardware implemented password required (a BIOS boot password), but under duress you can give it up and the attackers will boot the machine, which will yield the Windows system. In a similar fashion, we want our USB stick to appear boring and uninteresting. It should behave normally when plugged into an everyday computer.
Some people say that you only need to encrypt your /home partition in Linux – where your user files are. The problem with this is that you really want to ensure you can trust the integrity of the computer kernel before you type in your disk encryption passwords. If the kernel in /boot has been modified the attacker can get logs of everything you do in the operating system, they can open backdoors, they can operate invisibly as root.
So with the above described technique your /boot will be on a usb stick which you carry with you. Your data is on your laptop, and you can leave the laptop behind and still trust it on your return (within sane levels of paranoia – if you are a state funded secret agent, please consult your local security officer for further notes). You need to have a backup of your boot usb stick (otherwise it will be awkward to recover your system), and ideally that backup needs to be encrypted.
# check the device name of the USB stick first (lsblk)
dd if=/dev/sdb of=my-bootdisk-backup.dd
xz --compress my-bootdisk-backup.dd
gpg -c my-bootdisk-backup.dd.xz
# now copy the .gpg file somewhere safe/off your computer and securely delete
# the unencrypted .xz that gpg leaves behind
# to restore onto a replacement stick (check the device name again first):
# gpg -d my-bootdisk-backup.dd.xz.gpg | xz -dc | dd of=/dev/sdb
So this isn’t a golden solution to every security problem, but it might help you set up one trusted device that you can always depend on.