[SOLVED] Can I use external boot and OTP with Luks in Mint?

Questions about Grub, UEFI, the liveCD and the installer
fernandocabral
Level 2
Posts: 56
Joined: Wed Jun 04, 2014 6:15 am

[SOLVED] Can I use external boot and OTP with Luks in Mint?

Post by fernandocabral »

I will not do a clean install of Mint 19.3 so I thought it could be a good occasion to have better security.
As I see it, security could be stronger if I could encrypt the whole drive and boot from a pen-drive. It would be still stronger
if during boot I had to provide an OTP.

Is this possible out of the box?

Thank you.

- fernando
Last edited by fernandocabral on Fri Dec 13, 2019 7:05 pm, edited 1 time in total.
fabien85
Level 7
Posts: 1810
Joined: Tue Mar 11, 2014 4:30 pm

Re: Can I use external boot and OTP with Luks in Mint?

Post by fabien85 »

fernandocabral wrote:
Thu Dec 12, 2019 3:00 pm
I will not do a clean install of Mint 19.3 so I thought it could be a good occasion to have better security.
Is this "not" a typo?
Because if you just upgrade your current Mint (say 19.2) with the standard upgrade path (when it will be released), you cannot change the encryption.

Regarding having your boot partition on a separate drive, e.g. a USB stick, yes it can be done with the installer. You will need to wander in the "something else" path.
For a one-time password (I assumed that's what OTP means), it cannot be done out of the box with the installer. I don't know if it's feasible at all. But anyway you can define a passphrase that you just use for the encryption and nothing else.
xenopeek
Level 24
Posts: 24973
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Can I use external boot and OTP with Luks in Mint?

Post by xenopeek »

Not out of the box but it's possible. YubiKey is probably best supported. Aside from other YubiKey packages you'll need yubikey-luks specifically to add OTP to the LUKS prompt (either in addition to passphrase or instead of passphrase). Any guide for Ubuntu 18.04 should work for Linux Mint 19.x. Arch Linux have a guide for setting it up which you can use as hints: https://wiki.archlinux.org/index.php/Yu ... ition/disk.

The installer will set up, if you select disk encryption, an encryption LUKS partition with LVM and encrypted swap. It will not encrypt the boot partition. You can also encrypt the boot partition, at least Arch Linux wiki has information on that though I don't immediately know how to apply it to Linux Mint. It's quite involved and has some pitfalls. Anyway, you can add OTP after installation. I'd try this out first on a spare or virtual machine and not risk your main installation unless you're happy to reinstall if/when you bork it.

For me personally what the installer does is enough. The system is unusable and personal files are inaccessible without the passphrase.
fernandocabral
Level 2
Posts: 56
Joined: Wed Jun 04, 2014 6:15 am

Re: Can I use external boot and OTP with Luks in Mint?

Post by fernandocabral »

fabien85 wrote:
Thu Dec 12, 2019 4:12 pm
fernandocabral wrote:
Thu Dec 12, 2019 3:00 pm
I will not do a clean install of Mint 19.3 so I thought it could be a good occasion to have better security.
Is this "not" a typo?
Sure it is a typo. Sorry for that. I meant to say "I will do a clean install..."
fernandocabral
Level 2
Posts: 56
Joined: Wed Jun 04, 2014 6:15 am

Re: Can I use external boot and OTP with Luks in Mint?

Post by fernandocabral »

xenopeek wrote:
Thu Dec 12, 2019 4:13 pm
The installer will set up, if you select disk encryption, an encryption LUKS partition with LVM and encrypted swap. It will not encrypt the boot partition. You can also encrypt the boot partition, at least Arch Linux wiki has information on that though I don't immediately know how to apply it to Linux Mint. It's quite involved and has some pitfalls. Anyway, you can add OTP after installation. I'd try this out first on a spare or virtual machine and not risk your main installation unless you're happy to reinstall if/when you bork it.

For me personally what the installer does is enough. The system is unusable and personal files are inaccessible without the passphrase.
The risk (rare) I am trying to avert is having someone grab my notebook, inject a new piece of boot code onto the boot partition and put the machine back. In this case, when I boot it up, the injected code will be able to get my password, save it somewhere or perhaps send it by e-mail or some other protocol. In this case, a hacker would have full access to my disk once he or she grabs the notebook a second time.

That's why I think encrypting the whole disk (as I do) is not enough if you leave the boot partition unencrypted. If I could boot from a pen-drive instead, this risk would be averted.
xenopeek
Level 24
Posts: 24973
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Can I use external boot and OTP with Luks in Mint?

Post by xenopeek »

fernandocabral wrote:
Thu Dec 12, 2019 6:16 pm
The risk (rare) I am trying to avert is having someone grab my notebook, inject a new piece of boot code onto the boot partition and put the machine back.
That would be a very skilled person. Not the average "I just downloaded pentest software and now I'm a 1337 h4x0r" laptop snatching hoodlum. There are other ways to obtain your passphrase without you knowing that are not OS specific. This is security theater. I mean, if your files are that interesting your employer would arrange for bodyguards and a laptop case shackled to your wrist :) If your laptop gets stolen it will be just for the value of the laptop itself.

Okay, beyond encrypting the entire disk you have some other options. See this section in the Arch Linux wiki: https://wiki.archlinux.org/index.php/Dm ... _partition. You could put /boot and GRUB on a removable device. You could use chkboot to be notified your /boot partition was tampered with. And a few more.
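A minimal chkboot-style integrity check of the kind xenopeek mentions, as an added example that is not from the thread or from the chkboot project: it records SHA-256 hashes of every file under a /boot directory and later reports anything that differs, which is how tampering with an unencrypted boot partition would be detected. The function names, baseline file location and sample files are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from chkboot. Records and verifies
# hashes of an unencrypted boot partition so that modified, added or removed
# files are noticed at the next check. Paths and names are assumptions.

# Hash every regular file under a directory, sorted by path so two runs
# over the same tree produce identical output.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Record a baseline of the boot directory into the given file.
# Usage: boot_baseline <boot-dir> <baseline-file>
boot_baseline() {
    hash_tree "$1" > "$2"
}

# Compare the current state against the baseline. Prints one line per
# file that is missing/changed (in baseline only) or new/changed (in the
# current tree only). Returns 0 when nothing differs, 1 otherwise.
# Usage: boot_verify <boot-dir> <baseline-file>
boot_verify() {
    cur=$(mktemp)
    hash_tree "$1" > "$cur"
    diff "$2" "$cur" | awk '/^</ {print "missing-or-changed: " $3}
                             /^>/ {print "new-or-changed: "     $3}'
    if cmp -s "$2" "$cur"; then rc=0; else rc=1; fi
    rm -f "$cur"
    return $rc
}

# Stand-alone demo on a constructed sample /boot in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/boot/grub"
    printf 'kernel-v1'  > "$tmp/boot/vmlinuz"
    printf 'initrd-v1'  > "$tmp/boot/initrd.img"
    printf 'grub-cfg-1' > "$tmp/boot/grub/grub.cfg"
    boot_baseline "$tmp/boot" "$tmp/boot.sha256"
    boot_verify "$tmp/boot" "$tmp/boot.sha256" && echo "clean: no changes"
    # Simulate a modified kernel image and a dropped-in extra file.
    printf 'kernel-modified' > "$tmp/boot/vmlinuz"
    printf 'x' > "$tmp/boot/extra.bin"
    boot_verify "$tmp/boot" "$tmp/boot.sha256" || echo "ALERT: /boot differs from baseline"
    rm -rf "$tmp"
}
```

Run `demo` to see both the clean and the tampered outcome; in practice the baseline file must live somewhere an attacker with access to /boot cannot also rewrite.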
Pippin
Level 4
Posts: 405
Joined: Wed Dec 13, 2017 11:14 am
Location: The Shire

Re: Can I use external boot and OTP with Luks in Mint?

Post by Pippin »

Tinfoil hat theater that is... What's wrong with people?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
fernandocabral
Level 2
Posts: 56
Joined: Wed Jun 04, 2014 6:15 am

Re: Can I use external boot and OTP with Luks in Mint?

Post by fernandocabral »

xenopeek wrote:
Fri Dec 13, 2019 6:19 am
fernandocabral wrote:
Thu Dec 12, 2019 6:16 pm
The risk (rare) I am trying to avert is having someone grab my notebook, inject a new piece of boot code onto the boot partition and put the machine back.
That would be a very skilled person. Not the average "I just downloaded pentest software and now I'm a 1337 h4x0r" laptop snatching hoodlum. There are other ways to obtain your passphrase without you knowing that are not OS specific.
True enough.
xenopeek wrote:
Fri Dec 13, 2019 6:19 am
Okay, beyond encrypting the entire disk you have some other options. See this section in the Arch Linux wiki: https://wiki.archlinux.org/index.php/Dm ... _partition.
Yep! This seems to be what I am after. Thank you.
I will certainly pursue those possibilities discussed in the post you've pointed to.
pbear
Level 15
Posts: 5664
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: Can I use external boot and OTP with Luks in Mint?

Post by pbear »

Another option for encrypting boot is this tutorial by linux22. Never used myself (I don't even use system encryption, though I do use Veracrypt for some files), so I can't vouch for it. I merely point it out.
fernandocabral
Level 2
Posts: 56
Joined: Wed Jun 04, 2014 6:15 am

Re: Can I use external boot and OTP with Luks in Mint?

Post by fernandocabral »

pbear wrote:
Fri Dec 13, 2019 2:03 pm
Another option for encrypting boot is this tutorial by linux22. Never used myself (I don't even use system encryption, though I do use Veracrypt for some files), so I can't vouch for it. I merely point it out.
Thank you. I'll track it down (a lot of things to read and learn).
I'll mark this thread as solved because I think now I have to spend some time trying to apply what I have learned.

Regards

- fernando