From the Canyon Edge: Ubuntu Encrypted Home with 2-Factor Authentication

Wednesday, March 4, 2009

Ubuntu Encrypted Home with 2-Factor Authentication

I've posted recently about

I suspect that last post has some people scratching their heads...

If my encrypted data is accessible from a LiveCD, what protection do I have?

The answer is "two things":

your login passphrase
your mount passphrase (which is encrypted in your ~/.ecryptfs/wrapped-passphrase file)

For obvious reasons, it's important that your login passphrase is strong. This is the passphrase that "guards" your wrapped-passphrase file, if your attacker has access to that too.

Inevitably, however, your login passphrase will be weaker than your mount passphrase, which is a randomly generated 128-bit string.

What can I do about this?

Two-factor authentication!

Something you have (the wrapped-passphrase file)
Something you know (your system login passphrase)

Quite simply, you apply physical access control on the wrapped-passphrase file itself. You can do this quite easily by moving your ~/.ecryptfs/wrapped-passphrase to some form of removable media, like a USB key. This device is then required for you to login to your system and access your encrypted data. Separate the two, and the theif is stuck guessing your 128-bit random mount passphrase. That should take a good eon.

I was able to do this in a couple of simple steps.

I added a line to my /etc/fstab to ensure that my PCMCIA CompactFlash card reader gets mounted on system boot to the same mountpoint everytime. Very important! Something like:
/dev/sdb1 /media/pcmcia ext3 defaults 0 0
I moved my ~/.ecryptfs/wrapped-passphrase file to /media/pcmcia. For fun, you might consider changing the name of the file to something more obfuscating, like ".trash" or something random like ".ee47d044~".
Create a symlink to that file, into its proper location:
ln -s /media/pcmcia/.ee47d044~ $HOME/.ecryptfs/wrapped-passphrase

Now, you just need to ensure that you protect that device! Pop it out, if you're leaving your system alone. Keep that device on your person ;-)

Big thanks to Matt Trudel who first suggested this idea to me!

Isn't there another authentication type?

Okay, so there's another form of authentication that's potentially even stronger than the first two I mentioned... Something you are.

We're talking about biometrics here.

Now unfortunately, strong biometric input devices are not currently available for the masses on most portable computers. At this point, eCryptfs does not yet support biometric tokens. However, the design of eCryptfs supports arbitrary PKCS-11 tokens, so it would not take too much effort at all to extend the encrypted-home and encrypted-private conveniences to use biometric calculators as well.

What about fingerprint readers?

I'm sorry, but fingerprint readers are security theatre. The prevailing opinion from security professionals is that fingerprints are perhaps a good replacement for usernames. However, they're really not a good replacement for passwords.

Consider your laptop... How many fingerprints of yours are there on your laptop right now? As such, it's about as secret as your username. You don't leave your password on your spacebar, or on your beer bottle :-)

See the Criticisms section of this wikipedia entry (although it's about Microsoft Fingerprint Readers), it still applies:

http://en.wikipedia.org/wiki/Microsoft_Fingerprint_Reader

:-Dustin

6 comments:

UnknownMarch 5, 2009 at 10:30 PM
Thanks again, Dustin. Do USB sticks/compact flash have UUIDs as disks as well? Maybe using a UUID for the disk instead of /dev/sdb1 (or what have you) might be better, in case I have multiple storage devices connected to the machine on boot.
ReplyDelete
Replies
Roshan GeorgeMarch 6, 2009 at 5:28 AM
Hi Dustin,

Would it be safe to mount like this:

UUID=2cc62c00-bc34-467b-ab6a-7d2e6801be85 /home/username/.ecryptfs ext2 defaults 0 0

This allows you to use other USB sticks also, without them getting mounted there.

This is how I keep my GPG keys (in .gnupg, of course, instead of .ecryptfs)
ReplyDelete
Replies
LeonardMarch 9, 2009 at 5:55 AM
I like the idea and details.
Now your thumb drive becomes critical.

When you upgrade it or lose it...
you did back it up on another thumb
drive right?

What are the steps, and pitfalls,
to keeping access to your encrypted
home?

Or is it better to keep a backup of
home and recreate a new encrypted home?
ReplyDelete
Replies
LeonardMarch 9, 2009 at 5:56 AM
I like the idea and details.
Now your thumb drive becomes critical.

When you upgrade it or lose it...
you did back it up on another thumb
drive right?

What are the steps, and pitfalls,
to keeping access to your encrypted
home?

Or is it better to keep a backup of
home and recreate a new encrypted home?
ReplyDelete
Replies
KevinMarch 30, 2009 at 7:13 AM
I moved my wrapper file to a thumb drive and sym-linked to it form .ecryptfs dir. If I login to my session without my thumb drive but later insert it and manually mount my Private dir it works but complains. Here is what it says.

Enter your login passphrase:

Unable to read salt value from user's .ecryptfsrc file; using default

Inserted auth tok with sig [xxxxxxxxxxxxx] into the user session keyring

Any insite into this would be great! (This is on 8.10)

I have also noticed that I can remove my thumb drive and unmout and mount my private dir without any issue. I assume that key is cached somewhere. This is concerning because I don't feel I should have to logout in order to protect my private dir again.
ReplyDelete
Replies
Dustin KirklandMarch 30, 2009 at 9:05 AM
Kevin-

Thanks for the comments.

I'm sorry, but blog comments are not the best way for me to provide support for these types of questions. Please use Launchpad bugs:

* https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils

:-Dustin
ReplyDelete
Replies

Add comment

Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

Instead, please use Launchpad for Bugs and StackExchange for Questions.
* bugs.launchpad.net
* stackexchange.com

Thanks,
:-Dustin

About the Author

Dustin Kirkland (Twitter, LinkedIn) is an engineer at heart, with a penchant for reducing complexity and solving problems at the cross-sections of technology, business, and people.

With a degree in computer engineering from Texas A&M University (2001), his full-time career began as a software engineer at IBM in the Linux Technology Center working on the Linux kernel and security certifications, including a one-year stint as an dedicated engineer-in-residence at Red Hat in Boston (2005). Dustin was awarded the title Master Inventor at IBM, in recognition of his prolific patent work as an inventor and reviewer with IBM's intellectual property attorneys.

Dustin then first joined Canonical (2008) as an engineer (eventually, engineering manager), helping create the Ubuntu Server distribution and establishing Ubuntu as the overwhelming favorite Linux distribution in Amazon, Google, and Microsoft's cloud platforms, as well as authoring and maintaining dozens of new open source packages.

Dustin joined Gazzang (2011), a venture-backed start-up built around an open source project that he co-authored (eCryptFS), as Chief Technology Officer, and helped dozens of enterprise customers encrypt their data at rest and securely manage their keys. Gazzang was acquired by Cloudera (2014).

Having effectively monetized eCryptFS as an open source project at Gazzang, Dustin returned to Canonical (2013) as the VP of Product for Ubuntu and spent the next several years launching a portfolio of products and services (Ubuntu Advantage, Extended Security Maintenance, Canonical Livepatch, MAAS, OpenStack, Kubernetes) that continues to deliver considerable annual recurring revenue. With Canonical based in London, an 800+ work-from-home employee roster and customers spread across 40+ countries, Dustin traveled the world over, connecting with clients and colleagues steeped in rich cultural experiences.

Google Cloud (2018) recruited Dustin from Canonical to product manage Google's entrance into on-premises data centers with its GKE On-Prem (now, Anthos) offering, with a specific focus on the underlying operating system, hypervisor, and container security. This work afforded Dustin a view deep into the back end data center of many financial services companies, where he still sees tremendous opportunities for improvements in security, efficiencies, cost-reduction, and disruptive new technology adoption.

Seeking a growth-mode opportunity in the fintech sector, Dustin joined Apex Clearing (now, Apex Fintech Solutions) as the Chief Product Officer (2019), where he led several organizations including product management, field engineering, data science, and business partnerships. He drastically revamped Apex's product portfolio and product management processes, retooling away from a legacy "clearing house and custodian", and into a "software-as-a-service fintech" offering instant brokerage account opening, real-time fractional stock trading, a secure closed-network crypto solution, and led the acquisition and integration of Silver's tax and cost basis solution.

Drawn back into a large cap, Dustin joined Goldman Sachs (2021) as a Managing Director and Head of Platform Product Management, within the Consumer banking division, which included Marcus, and the Apple and GM credit cards. He built a cross-functional product management community and established numerous documented product management best practices, processes, and anti-patterns.

Dustin lives in Austin, Texas, with his wife Kim and their wonderful two daughters.

Wednesday, March 4, 2009

Ubuntu Encrypted Home with 2-Factor Authentication

6 comments:

Printfriendly

About the Author

Blog Archive

Github Activity

Google Plus

Twitter

StackExchange

Solar Output

Labels