
Use the hardware-based full disk encryption of your TCG Opal SSD with msed

My blog post on usable hardware-based SSD encryption has seen a great deal of activity. Although that post dealt primarily with drives whose hardware encryption is controlled through the ATA Security feature set, readers from all over joined the discussion in the comments to talk about the growing number of new self-encrypting drives (SEDs) that support the TCG Opal standard instead.

Until recently, configuring these TCG Opal drives was only possible under Windows, or under Linux with a commercial solution that was not available to mere end users. Fortunately, a programmer named r0m30 stepped up to the challenge and developed an open-source utility called msed, together with an accompanying pre-boot authorization (PBA) image. With these two pieces, the drive's own encryption engine can be fully configured and used on pure Linux systems as well: msed talks to the drive's Opal interface to set the password and enable locking, and the PBA, a small Linux image that the drive presents in place of its normal contents while locked, asks for the password at power-on, unlocks the drive and then boots the real operating system. The encryption itself costs nothing in throughput, because an Opal drive's controller encrypts all data at line rate whether or not locking is enabled; what msed adds is the locking, without which the encryption key is handed out to anyone who powers the drive on.

This post summarises how I built, configured and installed msed and its PBA on my Ubuntu 14.04.1 machine with its Samsung 850 PRO 512 GB TCG Opal-compliant SSD.


(FDE) Full disk encryption — Howto / tutorial out there?

Post by Allamur » Wed Nov 22, 2017 5:00 pm

I’m very interested in having my NAS (currently running an ODroid XU4) encrypted.
There’s a rather old ticket open mentioning this feature, but nobody seems to care anymore.
-> https://github.com/Fourdee/DietPi/issues/245

Is there a tutorial, howto or something like that to have a fully encrypted RootFS?
(I’m more than willing to learn and invest time to achieve that)

The ideal solution for me would be having a PIN-encrypted USB stick (there are several on the market) with a keyfile on it; I plug that in at boot time and the NAS boots after reading the keyfile from it.

There’s already a tutorial for the Raspberry Pi, but it has to be adapted for boards other than the Raspberry Pi, I think:
https://github.com/NicoHood/NicoHood.gi . n-Tutorial

I’ve found a tutorial for having a keyfile on a thumb drive for booting up — but again, I cannot use that alone for this:
https://gist.github.com/martijnvermaat/2726386
or
http://willhaley.com/blog/unlock-luks-v . h-usb-key/

And cryptsetup seems to have the ability to re-encrypt unencrypted directories:
https://www.systutorials.com/docs/linux . reencrypt/

Disclaimer:
I won’t explain WHY I want to do that. I just want to know HOW — hopefully this’ll prevent off-topic discussions.
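The keyfile-on-a-stick boot asked for above, as an added example that is not part of the thread or of any of the linked tutorials. It assumes a Debian-family system (DietPi is Debian-based) with Debian's passdev keyscript at /lib/cryptsetup/scripts/passdev, and every device path, UUID and file name in it is a placeholder. The board-specific part, getting an initramfs that contains cryptsetup to load under the XU4's U-Boot, is exactly what the Raspberry Pi tutorial would need adapting for and is not covered here.

```shell
#!/bin/sh
# Added example, not from the thread: a LUKS root volume that is unlocked at
# boot by a keyfile stored on a USB stick. Assumes a Debian-family system whose
# cryptsetup package ships the passdev keyscript at the path below, and an
# unencrypted /boot, since the bootloader and initramfs must load before
# anything can be unlocked.
set -eu

KEYFILE_BYTES=4096                        # 4 KiB of random key material
PASSDEV=/lib/cryptsetup/scripts/passdev   # Debian keyscript: read key from a device

# Create a random keyfile readable only by root. The umask is set before the
# file is created, so it is never group/world-readable, not even briefly.
make_keyfile() {                          # make_keyfile <path>
    ( umask 077; head -c "$KEYFILE_BYTES" /dev/urandom > "$1" )
    chmod 0400 "$1"
}

# Refuse a keyfile that is missing, shorter than 32 bytes, or readable by
# group/others. Returns 0 when acceptable, 1 otherwise.
check_keyfile() {                         # check_keyfile <path>
    [ -f "$1" ] || return 1
    size=$(stat -c %s "$1")
    mode=$(stat -c %a "$1")
    [ "$size" -ge 32 ] || return 1
    [ "${mode#${mode%??}}" = "00" ] || return 1   # last two octal digits: group, other
}

# Build the /etc/crypttab line. passdev's key field is <device>:<path>:<timeout>,
# where <path> is the keyfile's location inside the stick's filesystem.
crypttab_line() {                         # crypttab_line <name> <luks-uuid> <stick-uuid> <path> <timeout>
    printf '%s UUID=%s /dev/disk/by-uuid/%s:%s:%s luks,keyscript=%s\n' \
        "$1" "$2" "$3" "$4" "$5" "$PASSDEV"
}

# One-time setup: destructive, run as root against an *unmounted* target.
# The passphrase luksFormat asks for goes into key slot 0 and is the recovery
# key for when the stick is lost; the keyfile goes into the next free slot.
setup_luks_with_keyfile() {               # setup_luks_with_keyfile <device> <keyfile>
    check_keyfile "$2" || { echo "refusing weak or exposed keyfile: $2" >&2; return 1; }
    cryptsetup luksFormat "$1"
    cryptsetup luksAddKey "$1" "$2"
    cryptsetup open --key-file "$2" "$1" cryptroot
    echo "LUKS UUID: $(cryptsetup luksUUID "$1")"
}

# Usage sketch (root, real devices; deliberately not executed here):
#   make_keyfile /mnt/stick/root.key
#   setup_luks_with_keyfile /dev/sda2 /mnt/stick/root.key
#   crypttab_line cryptroot "$(cryptsetup luksUUID /dev/sda2)" \
#       "$(blkid -s UUID -o value /dev/sdb1)" /root.key 10 >> /etc/crypttab
#   update-initramfs -u     # then copy the root filesystem onto /dev/mapper/cryptroot
```

Two checks worth doing once it is set up: `cryptsetup luksDump /dev/sda2` should list two enabled key slots (the passphrase and the keyfile), and the passphrase should be tried once by hand from a rescue shell, because it is the only way back in if the stick is lost or the PIN-protected stick dies.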

Re: (FDE) Full disk encryption — Howto / tutorial out there?

Post by johnvick » Wed Nov 22, 2017 6:54 pm

I looked at doing something similar, but the XU4 kernel does not contain the eCryptfs module, so my research came to a dead end.

However, the Banana Pi kernel does have this module. I used the following tutorial to set up an encrypted folder or virtual drive (not the whole drive); decryption/mounting is triggered by the insertion of a USB drive, using a udev rule and a custom script.

Re: (FDE) Full disk encryption — Howto / tutorial out there?

Post by Allamur » Wed Nov 22, 2017 8:37 pm


Re: (FDE) Full disk encryption — Howto / tutorial out there?

Post by johnvick » Wed Nov 22, 2017 8:52 pm

I believe eCryptfs is in the Armbian-based DietPi distros’ kernels for some devices (Banana and Orange devices), but not in the kernels used for the XU4. But I’m not an authority on the subject, just a user.

You could maybe ask Meveric in the Odroid forums to include this module in the next XU4 kernel update.

Re: (FDE) Full disk encryption — Howto / tutorial out there?

Post by Allamur » Thu Nov 23, 2017 4:17 pm

I think we mixed something up.
eCryptfs is not necessary for the goal of FDE.
cryptsetup/LUKS is the way to go:
http://thesimplecomputer.info/encrypt-y . d-10-steps

And cryptsetup is working fine on an XU4 — I’ve tested that already.

Re: (FDE) Full disk encryption — Howto / tutorial out there?

Post by johnvick » Thu Nov 23, 2017 6:22 pm

Re: (FDE) Full disk encryption — Howto / tutorial out there?

Post by Allamur » Sat Nov 25, 2017 7:49 am

I daisy-chain this with my RAID and put the rootfs onto my RAID. I really have to test this.

EDIT: This won’t work with my CloudShell 2 — you cannot plug a USB 3.0 drive into the eSATA port of the CipherChain. Just a USB device on the "host port" to the XU4 — but that’s not enough.

The CipherUSB offered on the same page doesn’t fulfil my requirement to have some kind of second-factor auth (hardware key or PIN input).

Re: (FDE) Full disk encryption — Howto / tutorial out there?

Post by Allamur » Sat Dec 09, 2017 9:11 pm

Found this tutorial, which could be used. It’s way too much work for me to adapt it to my actual needs.
https://blog.getreu.net/_downloads/encr . d1-nas.pdf
But I’m doing something else. I just want to protect my Nextcloud data — so I’m trying a different approach. But I need a backup first, which could take a few days, as I have to get another hard drive and rsync the data to it.


I want to encrypt the MariaDB database with this:
https://www.percona.com/blog/2016/04/08 . ncryption/
Ideally the encryption key is on a hardware-encrypted pen drive at boot time — otherwise the database can’t be started properly.

In terms of the Nextcloud data, eCryptfs may be of use. I’ve tested that and it runs pretty smoothly.
I can put the encryption key on a PIN-encrypted thumb drive and run the decryption/mounting without user interaction; here’s a pretty good description of how to do that:
https://www.maketecheasier.com/create-a . -ecryptfs/

But there has to be a udev rule to automatically mount the encrypted pen drive to a specific directory before MariaDB starts and the data directory of Nextcloud is mounted by eCryptfs, and then run an eCryptfs mount script — here’s a good hint:
https://unix.stackexchange.com/question . i-mount-it

I need to test whether udev detects the pen drive at boot and runs the script automatically, and whether all of that happens before the database is fully loaded.

EDIT: Another — probably working — hardware solution:
http://hiddn.no/cocrypt-b/

But it just has a USB 2.0 passthrough hub, which will definitely decrease the speed of the hard drives. I don’t know by how much — I’m trying to get that device via my workplace, but this will take a little while.

Re: (FDE) Full disk encryption — Howto / tutorial out there?

Post by johnvick » Sat Dec 09, 2017 11:35 pm

This is exactly what I do: an eCryptfs folder on a Banana Pi, mounted by a udev rule that is activated when a USB drive containing the password is inserted.
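The udev-triggered unlock sketched in Allamur's Dec 09 post (mount the key stick, mount the Nextcloud data directory with eCryptfs, and only then let MariaDB start) and the udev-plus-script setup johnvick describes, as one added example that is not part of the thread or of the linked tutorials. Every name in it is an assumption to replace with your own values: the stick's filesystem UUID, the mount points, the passphrase file name and the two eCryptfs signatures, which you read off your own first interactive mount. The stick is assumed to be FAT-formatted (`umask=077` is a vfat mount option; drop it for ext4). Instead of udev's `RUN=`, the rule hands the work to a systemd unit: udev kills long-running `RUN=` programs and runs them in their own mount namespace, so a mount made there is not visible to the rest of the system.

```shell
#!/bin/sh
# Added example, not from the thread: unlock an eCryptfs data directory from a
# passphrase file on a removable key stick, and make mariadb.service wait for
# that unlock. All names below are assumptions; install the script as
# /usr/local/sbin/unlock-nextcloud.sh and run it as root.
set -eu

STICK_UUID=${STICK_UUID:-0000-0000}       # assumption: your stick's UUID (blkid)
STICK_MNT=/mnt/keystick
PASSFILE=$STICK_MNT/nextcloud.pw          # file content: passphrase_passwd=<secret>
LOWER=/srv/nextcloud/.data-enc            # ciphertext lives here
UPPER=/srv/nextcloud/data                 # cleartext view Nextcloud works on
UNIT=unlock-nextcloud.service

# Wait up to <seconds> for a path (e.g. /dev/disk/by-uuid/<uuid>) to appear.
wait_for_path() {                         # wait_for_path <path> <seconds>
    n=$2
    while [ "$n" -gt 0 ]; do
        [ -e "$1" ] && return 0
        sleep 1
        n=$((n - 1))
    done
    return 1
}

# Accept only a file that is not group/world-readable and holds a
# passphrase_passwd= line with at least 16 characters of secret.
check_passfile() {                        # check_passfile <path>
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1")
    [ "${mode#${mode%??}}" = "00" ] || return 1
    secret=$(sed -n 's/^passphrase_passwd=//p' "$1")
    [ "${#secret}" -ge 16 ] || return 1
}

# eCryptfs mount options for a fully non-interactive mount: both signatures are
# given explicitly and no_sig_cache suppresses the "unknown signature" prompt.
ecryptfs_opts() {                         # ecryptfs_opts <passfile> <sig> <fnek-sig>
    printf 'key=passphrase:passphrase_passwd_file=%s,ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_enable_filename_crypto=y,ecryptfs_passthrough=n,no_sig_cache' \
        "$1" "$2" "$3"
}

# The unlock itself: mount the stick read-only with nodev/nosuid/noexec, validate
# the passphrase file, mount the eCryptfs view. The stick stays mounted so a
# MariaDB key-management plugin can read its own key file from it as well.
unlock() {
    : "${ECRYPTFS_SIG:?set to the ecryptfs_sig of your data directory}"
    : "${ECRYPTFS_FNEK_SIG:?set to the ecryptfs_fnek_sig of your data directory}"
    dev=/dev/disk/by-uuid/$STICK_UUID
    wait_for_path "$dev" 60 || { echo "key stick $STICK_UUID not present" >&2; return 1; }
    mkdir -p "$STICK_MNT" "$LOWER" "$UPPER"
    mountpoint -q "$STICK_MNT" || mount -o ro,nodev,nosuid,noexec,umask=077 "$dev" "$STICK_MNT"
    check_passfile "$PASSFILE" || { echo "bad or exposed passphrase file" >&2; umount "$STICK_MNT"; return 1; }
    mountpoint -q "$UPPER" || mount -t ecryptfs "$LOWER" "$UPPER" \
        -o "$(ecryptfs_opts "$PASSFILE" "$ECRYPTFS_SIG" "$ECRYPTFS_FNEK_SIG")"
}

# Wiring: the udev rule makes systemd start the unlock unit when the stick is
# plugged in; the drop-in makes MariaDB require and wait for that unit, so the
# database refuses to start without the stick instead of starting blind.
install_units() {
    : "${ECRYPTFS_SIG:?}" "${ECRYPTFS_FNEK_SIG:?}"
    cat > /etc/udev/rules.d/99-keystick.rules <<EOF
ACTION=="add", SUBSYSTEM=="block", ENV{ID_FS_UUID}=="$STICK_UUID", TAG+="systemd", ENV{SYSTEMD_WANTS}+="$UNIT"
EOF
    cat > "/etc/systemd/system/$UNIT" <<EOF
[Unit]
Description=Unlock Nextcloud data directory from key stick
Before=mariadb.service

[Service]
Type=oneshot
RemainAfterExit=yes
Environment=ECRYPTFS_SIG=$ECRYPTFS_SIG ECRYPTFS_FNEK_SIG=$ECRYPTFS_FNEK_SIG
ExecStart=/usr/local/sbin/unlock-nextcloud.sh unlock
EOF
    mkdir -p /etc/systemd/system/mariadb.service.d
    printf '[Unit]\nRequires=%s\nAfter=%s\n' "$UNIT" "$UNIT" \
        > /etc/systemd/system/mariadb.service.d/keystick.conf
    udevadm control --reload
    systemctl daemon-reload
}

case "${1:-}" in
    unlock)  unlock ;;
    install) install_units ;;
esac
```

Run `unlock-nextcloud.sh install` once with `ECRYPTFS_SIG` and `ECRYPTFS_FNEK_SIG` exported, then test with the stick inserted via `systemctl start unlock-nextcloud.service` and `mount | grep ecryptfs` before rebooting. With the drop-in in place, `systemctl start mariadb` without the stick fails after the 60-second wait rather than starting, which is the behaviour the post asks for; the two signatures are not secrets, only identifiers of the key, so keeping them in the unit file is fine.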
