Is there any point in encrypting HDD?

Hi.

Right now I am using ParrotOS 4.5, and I was wondering about encrypting my linux partitions.
As I already have data there, I’ve read that you have to use LUKS, which encrypts files in place.

But then I found this page: https://dx.eng.uiowa.edu/dave/luks.php, and he says that any encrypted partition loads its private key in RAM, where it can be found. So if it is easily found with these: https://citp.princeton.edu/research/memory/code/, is it worth it?

If you use btrfs it’s not really applicable here (@palinuro confirmation please) because it doesn’t use random memory, otherwise it would corrupt the disk.

I am using ext4 with swap.

If you have 4 GB of RAM or more you should have no reason to pick ext4 over btrfs.

So you mean ext4 is already encrypted with LUKS by default?

TL;DR:
you have no way to protect yourself from unencrypted headers leaking from memory dumps, but do you really believe you are subject to such a complex and expensive threat model? wouldn’t it be way easier to kidnap your wife or son and force you to give up the password? wouldn’t it be way cheaper to put you in prison until you decrypt the disk for them?

NON TL;DR:

who are you?

who is your enemy?

who do you need to be defended from?

how much money can your opponents invest in cracking your data?

how valuable is your data to justify complex attack operations against you?

these are the questions you have to find an answer to if you have to protect yourself properly.

OPSEC (operational security) is quite a complex art designed to protect yourself from the ground up, and you have to find the best practices for your particular case.

personally speaking i believe that full disk encryption is a must and anyone should have it on their computer as a good starting point for system security, as it makes it impossible to boot the computer in live mode and bypass the authentication systems.

yes, memory forensics can give an attacker access to the unencrypted key, and then read the whole disk in clear, but it is a very complex operation that can only be performed by having your computer in their hands while it is turned on and being able to extract the memory units and read them without destroying their content, which is a very hard thing to do.

cryptsetup, veracrypt and other cryptographic systems should have various countermeasures in place to mitigate such attacks, like trying to load the unencrypted headers in as low a memory region as possible to keep them in the processor cache instead of ram. i am not sure of this statement, as i remember someone mentioning it at some conference some years ago.
p.s.
what about laptops with soldered and undetachable memory units?

btrfs does not protect you from memory leaks. it is just an awesome CoW filesystem with very advanced features, but everything in linux (and in the IT world) is organized in stacks, and filesystems exist on a higher layer, while cryptsetup cryptography happens on a lower level: a “virtual” unencrypted disk is shown to the system and a filesystem is created in it, with cryptsetup translating data from the virtual unencrypted device to the real encrypted one.

if you use a swap partition, make sure to encrypt it, or stop using it, otherwise a lot of useful information from memory pages would be exposed unencrypted on swap, including very sensitive information meant to be stored in volatile memory, but storage partitions are not volatile at all.

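As an added example that is not part of the thread, here is a small Python audit of the layering described above: it reads the text of `/proc/swaps` and the JSON from `lsblk -J -o KNAME,TYPE` and reports whether each active swap device has a dm-crypt mapping anywhere below it in the block stack (LVM-on-LUKS counts as encrypted, a plain partition does not, a swap file is reported as "not a block device"). The sample inputs are constructed; the JSON key names assume the lowercase column names that `lsblk -J` emits.

```python
import os


def parse_proc_swaps(text):
    """Return the Filename column of /proc/swaps, header line skipped."""
    return [line.split()[0] for line in text.splitlines()[1:] if line.strip()]


def parent_map(lsblk_json):
    """Map kernel device name -> (lsblk TYPE, parent kernel name) from lsblk -J output."""
    info = {}

    def walk(node, parent):
        info[node["kname"]] = (node["type"], parent)
        for child in node.get("children", []):
            walk(child, node["kname"])

    for dev in lsblk_json["blockdevices"]:
        walk(dev, None)
    return info


def is_encrypted(kname, info):
    """True if the device or any ancestor in the block stack is a dm-crypt mapping."""
    while kname is not None:
        dev_type, parent = info.get(kname, (None, None))
        if dev_type == "crypt":
            return True
        kname = parent
    return False


def audit_swap(proc_swaps_text, lsblk_json):
    """Return {swap path: True (encrypted) / False (plain) / None (not a block device)}."""
    info = parent_map(lsblk_json)
    result = {}
    for path in parse_proc_swaps(proc_swaps_text):
        # /proc/swaps reports the resolved path (e.g. /dev/dm-2); realpath handles symlinks
        kname = os.path.basename(os.path.realpath(path))
        result[path] = is_encrypted(kname, info) if kname in info else None
    return result


# Constructed sample: LVM swap on top of a LUKS container, a plain swap partition, a swap file.
SAMPLE_PROC_SWAPS = """Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/dm-2                               partition\t2097148\t0\t-2
/dev/sda3                               partition\t1048572\t0\t-3
/swapfile                               file\t\t524284\t0\t-4
"""
SAMPLE_LSBLK = {"blockdevices": [{"kname": "sda", "type": "disk", "children": [
    {"kname": "sda1", "type": "part"},
    {"kname": "sda2", "type": "part", "children": [
        {"kname": "dm-0", "type": "crypt", "children": [
            {"kname": "dm-1", "type": "lvm"}, {"kname": "dm-2", "type": "lvm"}]}]},
    {"kname": "sda3", "type": "part"}]}]}
```

On a live Linux system, feed `audit_swap` the contents of `/proc/swaps` and `json.loads(subprocess.check_output(["lsblk", "-J", "-o", "KNAME,TYPE"]))`; any `False` entry is a swap device that will hold memory pages in clear on disk.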


For anyone looking for more reading material.

A paper on ‘cold boot’ attacks for extracting encryption keys: https://citp.princeton.edu/research/memory/

A more recent paper specifically targeting VeraCrypt/TrueCrypt (with a memory scrambler): https://www.eecs.umich.edu/eecs/about/articles/2017/HPCA17-coldboot.pdf

A paper on storing encryption keys in CPU registers: https://www.ideals.illinois.edu/bitstream/handle/2142/18862/amnesia.pdf

A Black Hat talk for those who don’t like reading: https://www.youtube.com/watch?v=hp4DEmLbuLc


Wow. That’s very interesting, thanks!

So is there a way to install ParrotOS with an encrypted partition from a fresh install? Or do you have to encrypt your partitions later? What do I have to do next?

Right now I have Parrot 4.5 with ext4 and swap partitions. Do I have to reinstall Parrot and reformat it to btrfs?

Encrypting during install is better, so you don’t get breakage issues.

I guess I will try in the next days. Thank you guys!

you can’t encrypt a partition “later”, you have to do full disk encryption at install time


i use encrypted lvm every time i install a linux on any of my devices.

If you choose to encrypt the disk during the Parrot OS installation in Calamares, why does it show two identical disk drives in the Dolphin file manager?

:sweat_smile:

My approach to that issue is to tell people upfront not to say anything to me they don’t want getting out.

This way if I’m captured, I can throw my hands up & say “I’ll tell you everything I know!”