
[SOLVED] Can I use external boot and OTP with Luks in Mint?

Posted: Thu Dec 12, 2019 3:00 pm
by fernandocabral
I will not do a clean install of Mint 19.3 so I thought it could be a good occasion to have better security.
As I see it, security could be stronger if I could encrypt the whole drive and boot from a pen-drive. It would be still stronger
if during boot I had to provide an OTP.

Is this possible out of the box?

Thank you.

- fernando

Re: Can I use external boot and OTP with Luks in Mint?

Posted: Thu Dec 12, 2019 4:12 pm
by fabien85
fernandocabral wrote:
Thu Dec 12, 2019 3:00 pm
I will not do a clean install of Mint 19.3 so I thought it could be a good occasion to have better security.
Is this "not" a typo?
Because if you just upgrade your current Mint (say 19.2) with the standard upgrade path (when it will be released), you cannot change the encryption.

Regarding having your boot partition on a separate drive, e.g. a USB stick, yes it can be done with the installer. You will need to wander in the "something else" path.
For a one-time password (I assumed that's what OTP means), it cannot be done out of the box with the installer. I don't know if it's feasible at all. But anyway you can define a passphrase that you just use for the encryption and nothing else.

Re: Can I use external boot and OTP with Luks in Mint?

Posted: Thu Dec 12, 2019 4:13 pm
by xenopeek
Not out of the box but it's possible. YubiKey is probably best supported. Aside from other YubiKey packages you'll need yubikey-luks specifically to add OTP to the LUKS prompt (either in addition to passphrase or instead of passphrase). Any guide for Ubuntu 18.04 should work for Linux Mint 19.x. Arch Linux has a guide for setting it up which you can use as hints: https://wiki.archlinux.org/index.php/Yu ... ition/disk.

The installer will set up, if you select disk encryption, an encrypted LUKS partition with LVM and encrypted swap. It will not encrypt the boot partition. You can also encrypt the boot partition, at least the Arch Linux wiki has information on that though I don't immediately know how to apply it to Linux Mint. It's quite involved and has some pitfalls. Anyway, you can add OTP after installation. I'd try this out first on a spare or virtual machine and not risk your main installation unless you're happy to reinstall if/when you bork it.

For me personally what the installer does is enough. The system is unusable and personal files are inaccessible without the passphrase.

Re: Can I use external boot and OTP with Luks in Mint?

Posted: Thu Dec 12, 2019 6:09 pm
by fernandocabral
fabien85 wrote:
Thu Dec 12, 2019 4:12 pm
fernandocabral wrote:
Thu Dec 12, 2019 3:00 pm
I will not do a clean install of Mint 19.3 so I thought it could be a good occasion to have better security.
Is this "not" a typo?
Sure it is a typo. Sorry for that. I meant to say "I will do a clean install..."

Re: Can I use external boot and OTP with Luks in Mint?

Posted: Thu Dec 12, 2019 6:16 pm
by fernandocabral
xenopeek wrote:
Thu Dec 12, 2019 4:13 pm
The installer will set up, if you select disk encryption, an encrypted LUKS partition with LVM and encrypted swap. It will not encrypt the boot partition. You can also encrypt the boot partition, at least the Arch Linux wiki has information on that though I don't immediately know how to apply it to Linux Mint. It's quite involved and has some pitfalls. Anyway, you can add OTP after installation. I'd try this out first on a spare or virtual machine and not risk your main installation unless you're happy to reinstall if/when you bork it.

For me personally what the installer does is enough. The system is unusable and personal files are inaccessible without the passphrase.
The risk (rare) I am trying to avert is having someone grab my notebook, inject a new piece of boot code onto the boot partition and put the machine back. In this case, when I boot it up, the injected code will be able to get my password, save it somewhere or perhaps send it by e-mail or some other protocol. In this case, a hacker would have full access to my disk once he or she grabs the notebook a second time.

That's why I think encrypting the whole disk (as I do) is not enough if you leave the boot partition unencrypted. If I could boot from a pen-drive instead, this risk would be averted.

Re: Can I use external boot and OTP with Luks in Mint?

Posted: Fri Dec 13, 2019 6:19 am
by xenopeek
fernandocabral wrote:
Thu Dec 12, 2019 6:16 pm
The risk (rare) I am trying to avert is having someone grab my notebook, inject a new piece of boot code onto the boot partition and put the machine back.
That would be a very skilled person. Not the average "I just downloaded pentest software and now I'm a 1337 h4x0r" laptop snatching hoodlum. There are other ways to obtain your passphrase without you knowing that are not OS specific. This is security theater. I mean, if your files are that interesting your employer would arrange for bodyguards and a laptop case shackled to your wrist :) If your laptop gets stolen it will be just for the value of the laptop itself.

Okay, beyond encrypting the entire disk you have some other options. See this section in the Arch Linux wiki: https://wiki.archlinux.org/index.php/Dm ... _partition. You could put /boot and GRUB on a removable device. You could use chkboot to be notified your /boot partition was tampered with. And a few more.
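The chkboot idea xenopeek mentions comes down to keeping a digest baseline of everything under /boot and comparing against it at each boot. The script below is an added example (not from this thread or from the chkboot project) of that check in POSIX shell; it builds a constructed scratch "boot" tree instead of touching the real /boot, so it runs offline.

```shell
#!/bin/sh
# Added example: minimal /boot tamper check in the spirit of chkboot.
# Records a SHA-256 digest per file and reports changed, added or removed
# files. Assumption: sha256sum, find, sort, diff and mktemp are available.

# baseline_boot DIR OUTFILE : write "digest  ./path" lines, sorted by path
baseline_boot() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$out"
}

# check_boot DIR BASELINE : return 0 if DIR still matches, 1 if anything differs
check_boot() {
    dir="$1"; base="$2"
    cur=$(mktemp)
    baseline_boot "$dir" "$cur"
    if diff -u "$base" "$cur" > /dev/null; then
        rm -f "$cur"; return 0
    fi
    echo "WARNING: $dir differs from baseline ($base):" >&2
    # show only the changed entries, not the ---/+++ diff headers
    diff -u "$base" "$cur" | grep '^[-+][^-+]' >&2 || true
    rm -f "$cur"; return 1
}

# demo on a constructed boot tree (contents are placeholders, not real images)
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/boot/grub"
    printf 'constructed kernel image\n' > "$work/boot/vmlinuz"
    printf 'constructed initramfs\n'    > "$work/boot/initrd.img"
    printf 'set timeout=5\n'            > "$work/boot/grub/grub.cfg"
    baseline_boot "$work/boot" "$work/boot.sha256"
    check_boot "$work/boot" "$work/boot.sha256" && echo "clean: boot tree matches baseline"
    # simulate what a tamper check must catch: a rewritten initramfs and a dropped-in file
    printf 'modified initramfs\n' >> "$work/boot/initrd.img"
    printf 'unexpected\n' > "$work/boot/grub/extra.mod"
    check_boot "$work/boot" "$work/boot.sha256" || echo "tamper detected (expected)"
    rm -rf "$work"
}
demo
```

The baseline only has value if it is stored somewhere the attacker cannot reach alongside /boot, for example inside the encrypted root, and the comparison is run from the already-unlocked system early in boot.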

Re: Can I use external boot and OTP with Luks in Mint?

Posted: Fri Dec 13, 2019 7:48 am
by Pippin
Tinfoil hat theater that is... What's wrong with people?

Re: Can I use external boot and OTP with Luks in Mint?

Posted: Fri Dec 13, 2019 7:59 am
by fernandocabral
xenopeek wrote:
Fri Dec 13, 2019 6:19 am
fernandocabral wrote:
Thu Dec 12, 2019 6:16 pm
The risk (rare) I am trying to avert is having someone grab my notebook, inject a new piece of boot code onto the boot partition and put the machine back.
That would be a very skilled person. Not the average "I just downloaded pentest software and now I'm a 1337 h4x0r" laptop snatching hoodlum. There are other ways to obtain your passphrase without you knowing that are not OS specific.
True enough.
xenopeek wrote:
Fri Dec 13, 2019 6:19 am
Okay, beyond encrypting the entire disk you have some other options. See this section in the Arch Linux wiki: https://wiki.archlinux.org/index.php/Dm ... _partition.
Yep! This seems to be what I am after. Thank you.
I will certainly pursue those possibilities discussed in the post you've pointed to.

Re: Can I use external boot and OTP with Luks in Mint?

Posted: Fri Dec 13, 2019 2:03 pm
by pbear
Another option for encrypting boot is this tutorial by linux22. Never used it myself (I don't even use system encryption, though I do use Veracrypt for some files), so I can't vouch for it. I merely point it out.

Re: Can I use external boot and OTP with Luks in Mint?

Posted: Fri Dec 13, 2019 7:03 pm
by fernandocabral
pbear wrote:
Fri Dec 13, 2019 2:03 pm
Another option for encrypting boot is this tutorial by linux22. Never used it myself (I don't even use system encryption, though I do use Veracrypt for some files), so I can't vouch for it. I merely point it out.
Thank you. I'll track it down (a lot of things to read and learn).
I'll mark this thread as solved because I think now I have to spend some time trying to apply what I have learned.

Regards

- fernando