• 𝒍𝒆𝒎𝒂𝒏𝒏
    link
    fedilink
    English
    2711 months ago

    Flash drive hidden under the carpet and connected via a USB extension, holding the decryption keys - threat model is a robber making off with the hard drives and gear, where the data just needs to be useless or inaccessible to others.

    There’s a script in the initramfs which looks for the flash drive, and passes the decryption key on it to cryptsetup, which then kicks off the rest of the boot mounting the filesystems underneath the luks

    I could technically remove the flash drive after boot as the system is on a UPS, but I like the ability to reboot remotely without too much hassle.

    What I’d like to do in future would be to implement something more robust with a hardware device requiring 2FA. I’m not familiar with low level hardware security at all though, so the current setup will do fine for the time being!

    • @[email protected]
      link
      fedilink
      English
      711 months ago

      I used to run a TFTP server on my router that held the decryption keys. As soon as a machine got far enough in the boot sequence to get network access, it would pull the decryption keys from the router. That way a thief would have to steal the router along with the computer, and have the router running when booting up the computer. It works wirelessly, too!

    • Adam
      link
      fedilink
      English
      411 months ago

      Flash drive hidden under the carpet and connected via a USB extension, holding the decryption keys - threat model is a robber making off with the hard drives and gear, where the data just needs to be useless or inaccessible to others.

      This is a pretty clever solution. Most thieves won’t follow a cable that for all intents looks like a network cable, especially if it disappears into a wall plate or something.

      • Max-P
        link
        fedilink
        English
        1211 months ago

        I don’t think most thieves care much about the data on the computer in the first place. Steal hardware, fresh install of Windows on it and straight to the pawn shop.

        • RBG
          link
          fedilink
          English
          211 months ago

          Agreed. Even just putting a non-Windows/Mac compatible file system on it may have the same effect. They cannot see files when they plug the drive into their PC or Mac, so they probably also just format it.

    • @MigratingtoLemmy
      link
      English
      211 months ago

      I’m curious; how would you do it for VMs with an encrypted virtual disk?

    • JustEnoughDucks
      link
      fedilink
      English
      111 months ago

      For my thief threat model, I just have the computer in an unassuming black Node304 in a utility room on a shelf lol. Security through obscurity is often as good for a smash and grab threat. They go for visually high value items.

      Entire boot partition with main drive keys on a removable hard drive with security keys for the data drives in an encrypted password manager. No way a theif is getting that data, even if I accidentally leave the boot drive in there out of laziness. That means that I am comfortable storing personal documents there also.

      It is indeed more of a hassle to reboot. USB plugged in -> decrypt and setup zpools script -> docker service restart. Specifically upgrading the kernel also because with the boot partition removed, all of the hooks don’t get processed. However, this also protests against the copyright gangster smash and grabs as a bonus. Probably an extreme edge case as that doesn’t happen anymore here in Belgium, but it was interesting to set up.