[SOLVED] Can I use external boot and OTP with Luks in Mint?
-
- Level 2
- Posts: 56
- Joined: Wed Jun 04, 2014 6:15 am
[SOLVED] Can I use external boot and OTP with Luks in Mint?
I will not do a clean install of Mint 19.3 so I thought it could be a good occasion to have better security.
As I see it, security could be stronger if I could encrypt the whole drive and boot from a pen-drive. It would be stronger still
if during boot I had to provide an OTP.
Is this possible out of the box?
Thank you.
- fernando
Last edited by fernandocabral on Fri Dec 13, 2019 7:05 pm, edited 1 time in total.
Re: Can I use external boot and OTP with Luks in Mint?
fernandocabral wrote: ↑Thu Dec 12, 2019 3:00 pm
I will not do a clean install of Mint 19.3 so I thought it could be a good occasion to have better security.

Is this "not" a typo?
Because if you just upgrade your current Mint (say 19.2) with the standard upgrade path (when it will be released), you cannot change the encryption.
Regarding having your boot partition on a separate drive, e.g. a USB stick, yes it can be done with the installer. You will need to wander in the "something else" path.
For a one-time password (I assumed that's what OTP means), it cannot be done out of the box with the installer. I don't know if it's feasible at all. But anyway you can define a passphrase that you just use for the encryption and nothing else.
Re: Can I use external boot and OTP with Luks in Mint?
Not out of the box but it's possible. YubiKey is probably best supported. Aside from other YubiKey packages you'll need yubikey-luks specifically to add OTP to the LUKS prompt (either in addition to the passphrase or instead of the passphrase). Any guide for Ubuntu 18.04 should work for Linux Mint 19.x. Arch Linux has a guide for setting it up which you can use as hints: https://wiki.archlinux.org/index.php/Yu ... ition/disk.
The installer will set up, if you select disk encryption, an encryption LUKS partition with LVM and encrypted swap. It will not encrypt the boot partition. You can also encrypt the boot partition, at least Arch Linux wiki has information on that though I don't immediately know how to apply it to Linux Mint. It's quite involved and has some pitfalls. Anyway, you can add OTP after installation. I'd try this out first on a spare or virtual machine and not risk your main installation unless you're happy to reinstall if/when you bork it.
For me personally what the installer does is enough. The system is unusable and personal files are inaccessible without the passphrase.

Re: Can I use external boot and OTP with Luks in Mint?
fabien85 wrote: ↑Thu Dec 12, 2019 4:12 pm
fernandocabral wrote: ↑Thu Dec 12, 2019 3:00 pm
I will not do a clean install of Mint 19.3 so I thought it could be a good occasion to have better security.
Is this "not" a typo?

Sure it is a typo. Sorry for that. I meant to say "I will do a clean install..."
Re: Can I use external boot and OTP with Luks in Mint?
xenopeek wrote: ↑Thu Dec 12, 2019 4:13 pm
The installer will set up, if you select disk encryption, an encryption LUKS partition with LVM and encrypted swap. It will not encrypt the boot partition. You can also encrypt the boot partition, at least Arch Linux wiki has information on that though I don't immediately know how to apply it to Linux Mint. It's quite involved and has some pitfalls. Anyway, you can add OTP after installation. I'd try this out first on a spare or virtual machine and not risk your main installation unless you're happy to reinstall if/when you bork it.
For me personally what the installer does is enough. The system is unusable and personal files are inaccessible without the passphrase.

The risk (rare) I am trying to avert is having someone grabbing my notebook, injecting a new piece of boot code onto the boot partition and putting the machine back. In this case, when I boot it up, the injected code will be able to get my password, save it somewhere or perhaps send it by e-mail or some other protocol. In this case, a hacker would have full access to my disk once he or she grabs the notebook a second time.
That's why I think encrypting the whole disk (as I do) is not enough if you leave the boot partition unencrypted. If I could boot from a pen-drive instead, this risk would be averted.
Re: Can I use external boot and OTP with Luks in Mint?
fernandocabral wrote: ↑Thu Dec 12, 2019 6:16 pm
The risk (rare) I am trying to avert is having someone grabbing my notebook, injecting a new piece of boot code onto the boot partition and putting the machine back.

That would be a very skilled person. Not the average "I just downloaded pentest software and now I'm a 1337 h4x0r" laptop snatching hoodlum. There are other ways to obtain your passphrase without you knowing that are not OS specific. This is security theater. I mean, if your files are that interesting your employer would arrange for bodyguards and a laptop case shackled to your wrist.

Okay, beyond encrypting the entire disk you have some other options. See this section in the Arch Linux wiki: https://wiki.archlinux.org/index.php/Dm ... _partition. You could put /boot and GRUB on a removable device. You could use chkboot to be notified your /boot partition was tampered with. And a few more.
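To make the chkboot idea concrete, here is an added example (written for this page; it is not code from the thread and not chkboot's own implementation): a small POSIX shell script that records SHA-256 hashes of everything under a boot directory into a baseline kept off the checked drive, and on a later run reports every file that was modified, added or removed. The file names, the temp-dir layout and the GNU coreutils `sha256sum` dependency are assumptions of the demonstration.

```shell
#!/bin/sh
# Added example (not part of the thread and not chkboot's own code): a minimal
# /boot integrity check in the spirit of chkboot. A baseline of SHA-256 hashes
# is taken while /boot is known-good and stored OFF the checked drive (for
# instance on the USB stick you boot from); on later boots the files are
# re-hashed and every modified, added or removed file is reported.
# All paths and file names here are assumptions for the demonstration.

# chkboot_baseline BOOT_DIR BASELINE_FILE
# Writes "<sha256>  <relative path>" for every regular file under BOOT_DIR,
# sorted so that two baselines of the same tree are byte-identical.
chkboot_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# chkboot_verify BOOT_DIR BASELINE_FILE
# Returns 0 when the tree still matches the baseline; otherwise prints one
# MODIFIED/ADDED/REMOVED line per difference and returns 1.
chkboot_verify() {
    current=$(mktemp)
    chkboot_baseline "$1" "$current"
    if cmp -s "$2" "$current"; then
        rm -f "$current"
        return 0
    fi
    # sha256sum output is 64 hex digits, two spaces, then the path (column 67).
    while IFS= read -r line; do
        path=${line#*  }
        if ! cut -c67- "$current" | grep -qxF -- "$path"; then
            echo "REMOVED $path"
        elif ! grep -qxF -- "$line" "$current"; then
            echo "MODIFIED $path"
        fi
    done < "$2"
    while IFS= read -r line; do
        path=${line#*  }
        cut -c67- "$2" | grep -qxF -- "$path" || echo "ADDED $path"
    done < "$current"
    rm -f "$current"
    return 1
}

# chkboot_demo: builds a constructed miniature /boot in a temp dir, takes a
# baseline, then alters grub.cfg and plants an extra file (the scenario the
# thread worries about) and returns 0 only if the clean tree passes and the
# altered tree is reported.
chkboot_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/boot/grub"
    printf 'fake kernel image\n' > "$work/boot/vmlinuz"       # constructed
    printf 'set default=0\n' > "$work/boot/grub/grub.cfg"     # constructed
    chkboot_baseline "$work/boot" "$work/baseline.sha256"
    chkboot_verify "$work/boot" "$work/baseline.sha256" || { rm -rf "$work"; return 1; }
    printf 'insmod example\n' >> "$work/boot/grub/grub.cfg"   # simulated change
    printf 'x' > "$work/boot/extra.mod"                        # simulated planted file
    report=$(chkboot_verify "$work/boot" "$work/baseline.sha256" || true)
    rm -rf "$work"
    echo "$report"
    echo "$report" | grep -qxF 'MODIFIED ./grub/grub.cfg' &&
        echo "$report" | grep -qxF 'ADDED ./extra.mod'
}

chkboot_demo
```

The point of keeping the baseline on the removable boot medium (or any storage that does not stay with the laptop) is that a check whose reference hashes live on the same unencrypted /boot can be rewritten along with the files it is supposed to guard; the script only tells you that something changed, so it belongs in early boot (before the LUKS passphrase is typed) or in a boot-time hook, as the Arch wiki section above describes for chkboot.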

Re: Can I use external boot and OTP with Luks in Mint?
Tinfoil hat theater that is... What's wrong with people?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
Re: Can I use external boot and OTP with Luks in Mint?
xenopeek wrote: ↑Fri Dec 13, 2019 6:19 am
fernandocabral wrote: ↑Thu Dec 12, 2019 6:16 pm
The risk (rare) I am trying to avert is having someone grabbing my notebook, injecting a new piece of boot code onto the boot partition and putting the machine back.
That would be a very skilled person. Not the average "I just downloaded pentest software and now I'm a 1337 h4x0r" laptop snatching hoodlum. There are other ways to obtain your passphrase without you knowing that are not OS specific.

True enough.

xenopeek wrote: ↑Fri Dec 13, 2019 6:19 am
Okay, beyond encrypting the entire disk you have some other options. See this section in the Arch Linux wiki: https://wiki.archlinux.org/index.php/Dm ... _partition.

Yep! This seems to be what I am after. Thank you.
I will certainly pursue those possibilities discussed in the post you've pointed to.
Re: Can I use external boot and OTP with Luks in Mint?
Another option for encrypting boot is this tutorial by linux22. Never used myself (I don't even use system encryption, though I do use Veracrypt for some files), so I can't vouch for it. I merely point it out.
Re: Can I use external boot and OTP with Luks in Mint?
Thank you. I'll track it down (a lot of things to read and learn).
I'll mark this thread as solved because I think now I have to spend some time trying to apply what I have learned.
Regards
- fernando