From the Canyon Edge -- :-Dustin

Wednesday, March 4, 2009

Ubuntu Encrypted Home with 2-Factor Authentication

I've posted recently about
I suspect that last post has some people scratching their heads...

If my encrypted data is accessible from a LiveCD, what protection do I have?

The answer is "two things":
  1. your login passphrase
  2. your mount passphrase (which is encrypted in your ~/.ecryptfs/wrapped-passphrase file)
For obvious reasons, it's important that your login passphrase is strong. This is the passphrase that "guards" your wrapped-passphrase file, if your attacker has access to that too.

Inevitably, however, your login passphrase will be weaker than your mount passphrase, which is a randomly generated 128-bit string.

What can I do about this?

Two-factor authentication!
  1. Something you have (the wrapped-passphrase file)
  2. Something you know (your system login passphrase)
Quite simply, you apply physical access control on the wrapped-passphrase file itself. You can do this quite easily by moving your ~/.ecryptfs/wrapped-passphrase to some form of removable media, like a USB key. This device is then required for you to log in to your system and access your encrypted data. Separate the two, and the thief is stuck guessing your 128-bit random mount passphrase. That should take a good eon.

I was able to do this in a couple of simple steps.

  1. I added a line to my /etc/fstab to ensure that my PCMCIA CompactFlash card reader gets mounted on system boot to the same mountpoint every time. Very important! Something like:
    /dev/sdb1 /media/pcmcia ext3 defaults 0 0
  2. I moved my ~/.ecryptfs/wrapped-passphrase file to /media/pcmcia. For fun, you might consider changing the name of the file to something less conspicuous, like ".trash" or something random like ".ee47d044~".
  3. I created a symlink to that file at its proper location:
    ln -s /media/pcmcia/.ee47d044~ $HOME/.ecryptfs/wrapped-passphrase
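The three steps above as one script, added here as an example rather than taken from the original post. It reuses the post's mount point (/media/pcmcia) and file name (.ee47d044~); the function names are my own, and the relocation only touches the real home directory when invoked with --run, so that the checks (file present, not already a symlink, media mounted and writable, nothing overwritten) can be exercised against scratch directories first.

```shell
#!/bin/sh
# Added example: relocate ~/.ecryptfs/wrapped-passphrase to removable media
# and leave a symlink behind. Function names are assumptions for this example.

# relocate_wrapped_passphrase HOME MEDIA NAME
# Moves HOME/.ecryptfs/wrapped-passphrase to MEDIA/NAME and symlinks it back.
relocate_wrapped_passphrase() {
    home=$1; media=$2; name=$3
    src="$home/.ecryptfs/wrapped-passphrase"
    dst="$media/$name"
    # Refuse to run twice, or where there is nothing to move.
    if [ -L "$src" ]; then echo "already a symlink: $src" >&2; return 1; fi
    if [ ! -f "$src" ]; then echo "no wrapped-passphrase at $src" >&2; return 1; fi
    # The media must be mounted and writable; an empty /media/pcmcia is not enough.
    if [ ! -d "$media" ] || [ ! -w "$media" ]; then
        echo "media not mounted or not writable: $media" >&2; return 1
    fi
    if [ -e "$dst" ]; then echo "refusing to overwrite $dst" >&2; return 1; fi
    mv "$src" "$dst" || return 1
    chmod 600 "$dst"            # keep the 0600 mode; needs a POSIX fs such as ext3
    ln -s "$dst" "$src" || return 1
    return 0
}

# verify_relocation HOME MEDIA NAME
# Succeeds only when the symlink is in place and resolves to a readable file,
# i.e. when the media is plugged in. Run it after inserting the card, or to
# confirm that pulling the card really makes the passphrase unreachable.
verify_relocation() {
    src="$1/.ecryptfs/wrapped-passphrase"
    dst="$2/$3"
    [ -L "$src" ] || return 1
    [ "$(readlink "$src")" = "$dst" ] || return 1
    [ -r "$src" ] || return 1   # -r follows the link, so it fails once the media is gone
    return 0
}

# Only act on the real home directory when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    relocate_wrapped_passphrase "$HOME" /media/pcmcia .ee47d044~ && echo "done"
fi
```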
Now, you just need to ensure that you protect that device! Pop it out, if you're leaving your system alone. Keep that device on your person ;-)

Big thanks to Matt Trudel who first suggested this idea to me!

Isn't there another authentication type?

Okay, so there's another form of authentication that's potentially even stronger than the first two I mentioned... Something you are.

We're talking about biometrics here.

Now unfortunately, strong biometric input devices are not currently available for the masses on most portable computers. At this point, eCryptfs does not yet support biometric tokens. However, the design of eCryptfs supports arbitrary PKCS#11 tokens, so it would not take too much effort at all to extend the encrypted-home and encrypted-private conveniences to use biometric tokens as well.

What about fingerprint readers?

I'm sorry, but fingerprint readers are security theatre. The prevailing opinion from security professionals is that fingerprints are perhaps a good replacement for usernames. However, they're really not a good replacement for passwords.

Consider your laptop... How many fingerprints of yours are there on your laptop right now? As such, it's about as secret as your username. You don't leave your password on your spacebar, or on your beer bottle :-)

See the Criticisms section of this Wikipedia entry (although it's about Microsoft Fingerprint Readers, it still applies):