Is there any point in encrypting HDD?


(vladislav) #1

Hi.

Right now I am using ParrotOS 4.5, and I was wondering about encrypting my linux partitions.
As I already have data there, I’ve read that you have to use LUKS which encrypts file in place.

But then I found this page: https://dx.eng.uiowa.edu/dave/luks.php, and he says that any encrypted partition loads it private key in RAM which can be found there. So if it is easy lookable with these: https://citp.princeton.edu/research/memory/code/, is it worth it?


(Nico Paul) #2

If you use btrfs its not really applying here (@palinuro confirmation please) because it doesnt use random memory otherwise it would corrupt the disk.


(vladislav) #3

I am using ext4 with swap


(Nico Paul) #4

If you have 4g ram or more you should have no reason to pick ext4 over btrfs


#5

Professor Andersen is talking about dumping the phone’s RAM to file on an Android device to access your LUKS partition . . this is not the same as a LUKS partition in LVM on linux please see here for further information.

  • tl;dr if someone can dump your ram to file/ read your key in ram they can access everything already.

On the Btrfs note Parrot uses it by default (which it self is not encrypted) but the entire fs (ext4) sits as a LUKS encrypted partition with LVM.


(vladislav) #6

So you mean ext4 is already encrypted with LUKS by default?


#7

on Parrot if you encrypt with LVM at install it is an LUKS partition running the ext4 filesystem, inside that parrot runs unencrypted btrfs so you have the best of both (btrfs and LUKS full-disk encryption)


(Lorenzo "Palinuro" Faletra) #8

TL;DR:
you have no way to protect yourself from unencrypted headers leak from memory dumps, but do you really believe to be subject to such complex and expensive threat model? wouldn’t it be way easier to kidnap your wife or son and force you to give the password? wouldn’t it be way cheaper to put you in prison until you decrypt the disk for them?

NON TL;DR:

who are you?

who is your enemy?

who do you need to be defended from?

how much money can your opponents invest in cracking your data?

how valuable is your data to justify complex attack operations against you?

these are the questions you have to find an answer to if you have to protect yourself properly.

OPSEC (operational security) is quite a complex art designed to protect yourself from the ground up, and you have to find the best practices for your particular case.

personally speaking i believe that full disk encryption is a must and anyone should have it on its computer as a good starting point for the system security, as it makes impossible to boot the computer in live mode and bypass authentication systems.

yes, memory forensics can give an attacker access to the unencrypted key, and then read the whole disk in clear, but it is a very complex operation that can be performed only by having your computer turned on in the hands and being able to extract the memory units and reading them without destroying its content, which is a very hard thing to do.

cryptsetup, veracrypt and other cryptographic systems should have various countermeasures in place to mitigate such attacks, like trying to load the unencrypted headers in an as low memory region as possible to keep them in the processor cache instead of ram. i am not sure of this statement as i remembered someone mentioning it at some conference some years ago.
p.s.
what about laptops with soldered and undetachable memory units?

btrfs does not protect you from memory leaks. it is just an awesome CoW filesystem with very advanced features, but everything in linux (and in the IT world) is organized in stacks, and filesystems exist on a higher layer, while cryptsetup cryptography happens on a lower level, then a “virtual” unencrypted disk is shown to the system and a filesystem is created into it, with cryptsetup translating data from the virtual unencrypted device to the real encrypted one

if you use a swap partition, make sure to encrypt it, or stop using it, otherwise a lot of useful information from memory pages would be exposed unencrypted on swap, including very sensible information meant to be stored in a volatile memory, but storage partitions are not volatile at all.


(Lorenzo "Palinuro" Faletra) #9

security


(Matt) #10

For anyone looking for more reading material.

A paper on ‘cold boot’ attacks for extracting encryption keys: https://citp.princeton.edu/research/memory/

A more recent paper specifically targeting VeraCrypt/TrueCrypt (with a memory scrambler): https://www.eecs.umich.edu/eecs/about/articles/2017/HPCA17-coldboot.pdf

A paper on storing encryption keys in CPU registers: https://www.ideals.illinois.edu/bitstream/handle/2142/18862/amnesia.pdf

A backhat talk for those how dont like reading: https://www.youtube.com/watch?v=hp4DEmLbuLc


(vladislav) #11

Wow. That’s very interesting, thanks!:smile:

So is there a way to install parrotOS with encrypted partition from a fresh install? Or you have to encrypt your partitions later? What do I have to do next?

Right now I have Parrot 4.5 with ext4 and swap partitions. Do I have to reinstall Parrot and reformat it to btrfs?


(Amzker Pro Hacker) #12

Encrypte During install is better for
Not get issue of break


(vladislav) #13

I guess I will try in next days. Thank you guys!


#14

when you install fresh, it will ask you if you want to use LVM and encrypt or not. This is where you would start full disk encryption.


(Lorenzo "Palinuro" Faletra) #15

you can’t encrypt a partition “later”, you have to do full disk encryptiod at install time