Minutes 2025-01-23

From MTU LUG Wiki

LUKS and Disk Encryption

By: Noah Holland

Brief overview of disk encryption

Symmetric vs Asymmetric

Full-Disk Encryption

  • There is BitLocker for Windows and LUKS for Linux

Filesystem-level Encryption

  • APFS
  • fscrypt (ext4 (added recently), F2FS, CephFS, etc.)
  • ZFS
    • Not recommended for personal use

Pros and cons of each approach

Issues with FDE

  • Not easy with multiple users
    • either decrypt the disk with a shared password or TPM
  • Data recovery can be a pain in the ass
  • Chicken-and-egg problem

Issues with FS-level Encryption

  • Metadata leakage
    • NSA Director: “We kill people based on metadata”
  • Evil maid attacks
  • Requires FS to support it
    • more moving parts

How To Use?

LUKS

  • cryptsetup luksFormat /dev/<device>

ext4

  • enable encrypt feature flag
  • fscrypt encrypt <directory>

ZFS

  • zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase <zpool>/<dataset>
  • zfs load-key -r <zpool>/<dataset>
  • zfs mount
  • (more info on slides)

Noah uses a key file on the root that unlocks his computer on startup.

How LUKS works

  • LUKS is composed of its header and then multiple key slots that stand between the user and the encrypted data
  • Dread Pirate Ross got caught with his drive unencrypted; to avoid this, keep a drive plugged in that, when removed, wipes access to the encrypted system altogether.
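
As an added illustration of the header-plus-key-slots layout described above (not code from the talk or its slides), this Python example reads an on-disk LUKS1 or LUKS2 header and lists the populated key slots. The sample headers are constructed in the script with zeroed cipher and digest fields, and describe_header, sample_luks1 and sample_luks2 are names chosen for this example.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_SLOT_ACTIVE = 0x00AC71F3   # LUKS1 marker for an enabled key slot
LUKS1_SLOTS_OFFSET = 208         # eight 48-byte key slot records start here
LUKS2_BIN_HDR_SIZE = 4096        # LUKS2 JSON metadata follows the binary header


def describe_header(buf: bytes):
    """Return version and populated key slots, or None if no LUKS header is found."""
    if len(buf) < 592 or buf[:6] != LUKS_MAGIC:
        return None  # too short, or no magic (e.g. the header is kept detached)
    (version,) = struct.unpack_from(">H", buf, 6)
    if version == 1:
        slots = [i for i in range(8)
                 if struct.unpack_from(">I", buf, LUKS1_SLOTS_OFFSET + 48 * i)[0] == LUKS1_SLOT_ACTIVE]
        return {"version": 1, "key_slots": slots}
    if version == 2:
        (hdr_size,) = struct.unpack_from(">Q", buf, 8)  # binary header + JSON area
        raw = buf[LUKS2_BIN_HDR_SIZE:hdr_size].split(b"\x00", 1)[0]
        meta = json.loads(raw)  # key slots live in the JSON metadata in LUKS2
        return {"version": 2, "key_slots": sorted(int(k) for k in meta.get("keyslots", {}))}
    raise ValueError(f"unsupported LUKS version {version}")


def sample_luks1(active=(0, 3)) -> bytes:
    """Constructed LUKS1 header: real field offsets, zeroed cipher/digest fields."""
    hdr = bytearray(592)
    hdr[:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    for i in range(8):
        state = LUKS1_SLOT_ACTIVE if i in active else 0x0000DEAD  # DEAD = disabled
        struct.pack_into(">I", hdr, LUKS1_SLOTS_OFFSET + 48 * i, state)
    return bytes(hdr)


def sample_luks2(slots=("0", "1")) -> bytes:
    """Constructed LUKS2 header: binary header plus a minimal JSON area."""
    body = json.dumps({"keyslots": {s: {"type": "luks2"} for s in slots}}).encode()
    hdr = bytearray(16384)
    hdr[:6] = LUKS_MAGIC
    struct.pack_into(">HQ", hdr, 6, 2, 16384)  # version 2, total header size
    hdr[4096:4096 + len(body)] = body
    return bytes(hdr)


if __name__ == "__main__":
    for name, blob in [("luks1", sample_luks1()), ("luks2", sample_luks2()), ("none", bytes(592))]:
        print(name, describe_header(blob))
```

On a real device the same function can be fed the first 16 KiB read from the block device; a volume whose header is stored elsewhere returns None.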

LUKS recovery

  • make backups
  • pain in the ass to recover

Plausible Deniability

  • done via a LUKS detached header
  • indistinguishable from random data
  • can use a special command to separate the header and use it later

VeraCrypt

  • Like LUKS detached header but all the time
  • downside - human operator needs to remember all settings
  • fork of TrueCrypt - might be made by the feds or Vera might be made by the feds
  • can set multiple decryption passwords for a dummy volume and your real volume

Russian man script update

  • recap: I bought drives, but they ended up not working, but we found a Russian guy who could make them work for us using some script.
  • got the script from him, need the firmware file.
  • could someone break into the White House and trick Trump into pardoning them for breaking into the White House?
  • The new bamboo update introduces DRM and firmware locks, don't update.