Wednesday, March 4, 2009

Ubuntu Encrypted Home with 2-Factor Authentication

I've posted recently about
I suspect that last post has some people scratching their heads...

If my encrypted data is accessible from a LiveCD, what protection do I have?


The answer is "two things":
  1. your login passphrase
  2. your mount passphrase (which is encrypted in your ~/.ecryptfs/wrapped-passphrase file)
For obvious reasons, it's important that your login passphrase is strong. This is the passphrase that "guards" your wrapped-passphrase file, which matters if your attacker has access to that file too.

Inevitably, however, your login passphrase will be weaker than your mount passphrase, which is a randomly generated 128-bit string.

What can I do about this?

Two-factor authentication!
  1. Something you have (the wrapped-passphrase file)
  2. Something you know (your system login passphrase)
Quite simply, you apply physical access control to the wrapped-passphrase file itself. You can do this quite easily by moving your ~/.ecryptfs/wrapped-passphrase to some form of removable media, like a USB key. This device is then required for you to log in to your system and access your encrypted data. Separate the two, and the thief is stuck guessing your 128-bit random mount passphrase. That should take a good eon.

I was able to do this in a couple of simple steps.

  1. I added a line to my /etc/fstab to ensure that my PCMCIA CompactFlash card reader gets mounted on system boot to the same mountpoint every time. Very important! Something like:
    /dev/sdb1 /media/pcmcia ext3 defaults 0 0
  2. I moved my ~/.ecryptfs/wrapped-passphrase file to /media/pcmcia. For fun, you might consider renaming the file to something less conspicuous, like ".trash" or something random like ".ee47d044~".
  3. Create a symlink to that file, into its proper location:
    ln -s /media/pcmcia/.ee47d044~ $HOME/.ecryptfs/wrapped-passphrase
Now, you just need to ensure that you protect that device! Pop it out, if you're leaving your system alone. Keep that device on your person ;-)
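The three steps above as a small script, added here as an example and not part of the original post or of ecryptfs-utils. It emits the fstab entry by UUID (so it does not depend on which /dev/sdX the reader gets at boot), performs the move-and-symlink, and adds a check that the wrapped-passphrase really only exists on the removable media; the home and media directories are passed in explicitly (an assumption) so it can be exercised against a scratch tree, and the UUID is the one quoted in the comments below as a sample.

```shell
#!/bin/sh
# Added example (not from the original post): relocate the eCryptfs
# wrapped-passphrase onto removable media and verify the two-factor setup.

# Step 1 equivalent: emit an fstab line keyed on the filesystem UUID rather
# than a device node. The line is returned, not written to /etc/fstab.
fstab_line() {
  uuid="$1"; mountpoint="$2"; fstype="${3:-ext3}"
  printf 'UUID=%s %s %s defaults 0 0\n' "$uuid" "$mountpoint" "$fstype"
}

# Steps 2 and 3: move $home/.ecryptfs/wrapped-passphrase to $media/$name and
# leave a symlink behind so ecryptfs-utils still finds it at the usual path.
# Refuses to run if the media is not mounted or the file is already a link,
# so a plain copy is never silently left on the internal disk.
relocate_wrapped_passphrase() {
  home="$1"; media="$2"; name="$3"
  src="$home/.ecryptfs/wrapped-passphrase"
  [ -f "$src" ] && [ ! -L "$src" ] || return 1   # nothing to move, or already a link
  [ -d "$media" ] || return 1                    # media must be mounted first
  mv "$src" "$media/$name" || return 1
  chmod 600 "$media/$name"                       # no-op on vfat, harmless
  ln -s "$media/$name" "$src"
}

# Defender's check: 0 only when the usual path is a symlink (no plain copy on
# the internal disk) and its target is readable, i.e. the media is inserted.
# 1 = a regular file still lives in ~/.ecryptfs; 2 = dangling link (media out).
check_wrapped_passphrase() {
  wp="$1/.ecryptfs/wrapped-passphrase"
  [ -L "$wp" ] || return 1
  [ -r "$wp" ] || return 2
  return 0
}
```

Run check_wrapped_passphrase "$HOME" from a login script to confirm the key file is not lingering on the laptop's own disk.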

Big thanks to Matt Trudel who first suggested this idea to me!

Isn't there another authentication type?

Okay, so there's another form of authentication that's potentially even stronger than the first two I mentioned... Something you are.

We're talking about biometrics here.

Now unfortunately, strong biometric input devices are not currently available for the masses on most portable computers. At this point, eCryptfs does not yet support biometric tokens. However, the design of eCryptfs supports arbitrary PKCS-11 tokens, so it would not take too much effort at all to extend the encrypted-home and encrypted-private conveniences to use biometric calculators as well.

What about fingerprint readers?

I'm sorry, but fingerprint readers are security theatre. The prevailing opinion from security professionals is that fingerprints are perhaps a good replacement for usernames. However, they're really not a good replacement for passwords.

Consider your laptop... How many fingerprints of yours are there on your laptop right now? As such, it's about as secret as your username. You don't leave your password on your spacebar, or on your beer bottle :-)

See the Criticisms section of this Wikipedia entry; although it's about Microsoft Fingerprint Readers, it still applies:

:-Dustin

6 comments:

  1. Thanks again, Dustin. Do USB sticks/compact flash have UUIDs as disks as well? Maybe using a UUID for the disk instead of /dev/sdb1 (or what have you) might be better, in case I have multiple storage devices connected to the machine on boot.

  2. Hi Dustin,

    Would it be safe to mount like this:

    UUID=2cc62c00-bc34-467b-ab6a-7d2e6801be85 /home/username/.ecryptfs ext2 defaults 0 0

    This allows you to use other USB sticks also, without them getting mounted there.

    This is how I keep my GPG keys (in .gnupg, of course, instead of .ecryptfs)

  3. I like the idea and details.
    Now your thumb drive becomes critical.

    When you upgrade it or lose it...
    you did back it up on another thumb
    drive right?

    What are the steps, and pitfalls,
    to keeping access to your encrypted
    home?

    Or is it better to keep a backup of
    home and recreate a new encrypted home?

  5. I moved my wrapper file to a thumb drive and sym-linked to it from the .ecryptfs dir. If I log in to my session without my thumb drive but later insert it and manually mount my Private dir, it works but complains. Here is what it says.

    Enter your login passphrase:

    Unable to read salt value from user's .ecryptfsrc file; using default

    Inserted auth tok with sig [xxxxxxxxxxxxx] into the user session keyring

    Any insight into this would be great! (This is on 8.10)


    I have also noticed that I can remove my thumb drive and unmount and mount my private dir without any issue. I assume that key is cached somewhere. This is concerning because I don't feel I should have to log out in order to protect my private dir again.

  6. Kevin-

    Thanks for the comments.

    I'm sorry, but blog comments are not the best way for me to provide support for these types of questions. Please use Launchpad bugs:

    * https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils

    :-Dustin

