Full disk encryption including /boot, excluding bootloader?


Full disk encryption including /boot, excluding bootloader?

cipher-hearts

On Linux you can do the following:

Hard drive:
{ [1MB unencrypted GRUB bootloader partition] [Rest of hard drive entirely encrypted] }

Then the only parts of the (x64) computer that are unencrypted are the BIOS and GRUB.

You can then move the GRUB offline if you wish, execute it externally.


Is something like this possible on OpenBSD?


Re: Full disk encryption including /boot, excluding bootloader?

Otto Moerbeek
On Thu, Feb 13, 2020 at 10:31:30AM +0000, [hidden email] wrote:

>
> On Linux you can do the following:
>
> Hard drive:
> { [1MB unencrypted GRUB bootloader partition] [Rest of hard drive entirely encrypted] }
>
> Then the only parts of the (x64) computer that are unencrypted are the BIOS and GRUB.
>
> You can then move the GRUB offline if you wish, execute it externally.
>
>
> Is something like this possible on OpenBSD?
>

Yes, see FAQ: http://www.openbsd.org/faq/faq14.html#softraidFDE

        -Otto


Re: Full disk encryption including /boot, excluding bootloader?

chohag
In reply to this post by cipher-hearts
[hidden email] writes:
>
> On Linux you can do the following:
>
> Hard drive:
> { [1MB unencrypted GRUB bootloader partition] [Rest of hard drive entirely encrypted] }
>
> Then the only parts of the (x64) computer that are unencrypted are the BIOS and GRUB.

This is how it already does it with the exception that the unencrypted
data are not in a regular partition. Instead the unencrypted
bootloader exists within the space allocated for the disklabel (and
the MBR on x86) which then locates and decrypts the partition
containing the kernel.

> You can then move the GRUB offline if you wish, execute it externally.
>
>
> Is something like this possible on OpenBSD?

I have briefly looked into locating the unencrypted parts of OpenBSD's
bootloader on a separate detachable disc, as I had managed to cobble
together previously, but the kernel is told where its root partition
is in quite a different way from Linux and I decided I didn't want
to trawl through x86 real mode assembly any more.

It can be done of course but you may have to hack at the bootloader
to make it work. I only did it with Linux to prove that I could, not
because it was useful.

Matthew


Re: Full disk encryption including /boot, excluding bootloader?

no@spam@mgedv.net
> > On Linux you can do the following:
> > { [1MB unencrypted GRUB bootloader partition] [Rest of hard drive entirely encrypted] }
... which I would consider to be as insecure as an unencrypted root at all.
Maybe check out https://wiki.osdev.org, they have nice articles on this.
IMHO a secure boot chain is only possible using a secured, open source BIOS,
removing all firmware like IME and such.
In such a BIOS you'd save a checksum of the bootloader to NVRAM and refuse
booting if the checksum is incorrect.
Altering fw/kernel/boot loader is a common attack vector and if the hardware
is not in a secured room, it's attackable anyway.
It depends on what you want to achieve, but my recommendation is booting from USB
and mounting the encrypted root from the HDD.
You can safely remove the USB key after root mount and all your configs/etc
files are used from the encrypted storage.
This ensures 2 things: bootloader + kernel on USB boot media cannot be
attacked during system uptime and all bytes on disk are encrypted.
Another advantage is, you don't need (to type, write down or remember) any
passphrases but can use strong random data for crypto payload/keys.


Re: Full disk encryption including /boot, excluding bootloader?

Sebastian Benoit
no@[hidden email]([hidden email]) on 2020.02.13 13:31:43 +0100:
> > > On Linux you can do the following:
> > > { [1MB unencrypted GRUB bootloader partition] [Rest of hard drive entirely encrypted] }
> ... which I would consider to be as insecure as an unencrypted root at all.

... which totally depends on what you are trying to protect your laptop/data
from.

The lost/stolen laptop scenario is covered nicely by what OpenBSD offers.



Re: Full disk encryption including /boot, excluding bootloader?

Frank Beuth
In reply to this post by no@spam@mgedv.net
On Thu, Feb 13, 2020 at 01:31:43PM +0100, no@[hidden email] wrote:
>depends what you want to achieve, but my recommendation is booting from USB
>and mount encrypted root from the HDD.
>you can safely remove the usb key after root mount and all your configs/etc
>files are used from the encrypted storage.
>this ensures 2 things: bootloader + kernel on USB boot media cannot be
>attacked during system uptime and all bytes on disk are encrypted.
>another advantage is, you don't need (to type, write down or remember) any
>passphrases but can use strong random data for crypto payload/keys.
>

How do you do this on OpenBSD?


Re: Full disk encryption including /boot, excluding bootloader?

no@spam@mgedv.net
> >depends what you want to achieve, but my recommendation is booting from USB
> >and mount encrypted root from the HDD.
> >you can safely remove the usb key after root mount and all your configs/etc
> >files are used from the encrypted storage.
> >this ensures 2 things: bootloader + kernel on USB boot media cannot be
> >attacked during system uptime and all bytes on disk are encrypted.
> >another advantage is, you don't need (to type, write down or remember) any
> >passphrases but can use strong random data for crypto payload/keys.
> >
>
> How do you do this on OpenBSD?
@frank: https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk
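Both FAQ 14 procedures referenced in this thread (Otto's softraidFDE link for a passphrase-unlocked volume, and the softraidFDEkeydisk link above for a volume unlocked by a random key stored on a separate USB stick) come down to the same few fdisk(8), disklabel(8) and bioctl(8) invocations. The script below is an added example, my own write-up and not code from the thread or from the OpenBSD FAQ. It assumes sd0 is the internal disk and sd1 the USB key disk (both placeholders; pass your own names), that it is run as root from the installer's shell before choosing (I)nstall, and it uses two knobs of its own: DRY_RUN (default 1, only print the commands) and WIPE (optionally fill the data disk with random bytes first, as the FAQ suggests). One check worth keeping: the key disk must be a different device from the data disk, because the boot loader on the data disk reads the key from the key disk's RAID partition at boot, so that stick has to be plugged in whenever the machine boots and can be pulled once root is mounted.

```shell
#!/bin/sh
# Added example: build an OpenBSD softraid(4) crypto volume as in FAQ 14,
# either passphrase-unlocked or unlocked from a key disk.
# DRY_RUN=1 (default) prints the commands instead of running them.
# WIPE=1 overwrites the data disk with random bytes first (slow, optional).
# Device names (sd0, sd1) are placeholders supplied by the caller.

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: execute, or print, one command.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_disk NAME: accept only plain OpenBSD disk names (sd0, sd12, wd0).
# This also keeps shell metacharacters out of the generated commands.
valid_disk() {
    case "$1" in
        sd[0-9]|sd[0-9][0-9]|wd[0-9]|wd[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# label_disk DISK SIZE: create partition 'a' of type RAID covering SIZE
# ('*' = rest of disk, '1M' = the one-megabyte key partition) by feeding
# the same answers one would type into disklabel -E interactively:
#   a a        add partition a
#   <enter>    accept default offset
#   SIZE       size
#   RAID       FS type
#   w / q      write label, quit
label_disk() {
    script="a a

$2
RAID
w
q
"
    if [ "$DRY_RUN" = 1 ]; then
        printf "disklabel -E %s <<'EOF'\n%sEOF\n" "$1" "$script"
    else
        printf '%s' "$script" | disklabel -E "$1"
    fi
}

# make_crypto_volume DATADISK [KEYDISK]
# Without KEYDISK, bioctl prompts for a passphrase (FAQ 14 softraidFDE).
# With KEYDISK, a random key is written to its 1M RAID partition and no
# passphrase is needed (FAQ 14 softraidFDEkeydisk).
make_crypto_volume() {
    data="$1"
    key="${2:-}"
    if ! valid_disk "$data"; then
        echo "bad data disk name: $data" >&2
        return 1
    fi
    if [ -n "$key" ]; then
        if ! valid_disk "$key"; then
            echo "bad key disk name: $key" >&2
            return 1
        fi
        if [ "$key" = "$data" ]; then
            echo "key disk must be a separate device, not $data" >&2
            return 1
        fi
    fi
    if [ "${WIPE:-0}" = 1 ]; then
        # Fill the raw device so old plaintext and the encrypted area are
        # indistinguishable; takes as long as writing the whole disk.
        run dd if=/dev/urandom of="/dev/r${data}c" bs=1m
    fi
    run fdisk -iy "$data"          # single OpenBSD MBR slice
    label_disk "$data" '*'         # partition a, type RAID, whole disk
    if [ -n "$key" ]; then
        run fdisk -iy "$key"
        label_disk "$key" 1M       # key lives in a 1M RAID partition
        run bioctl -c C -l "${data}a" -k "${key}a" softraid0
    else
        run bioctl -c C -l "${data}a" softraid0
    fi
}

# Usage: DRY_RUN=1 sh fde.sh sd0 sd1   (key disk)  |  sh fde.sh sd0  (passphrase)
if [ $# -ge 1 ]; then
    make_crypto_volume "$@"
fi
```

bioctl prints the name of the new pseudo-device (typically the next free sdN); run `install` afterwards and pick that device, not sd0, as the root disk. With the key-disk variant, keep a copy of the 1M partition somewhere safe: losing the stick loses the volume.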