Announcement

**Britoid** · 28 January 2020, 05:37 AM

Silverblue has been using prebuilt initramfs images for a while, I guess it makes a lot of sense.

**rene** · 28 January 2020, 05:39 AM

Pre-built, yet minimal initrd like major distributions such as #t2sde are using? ;-) https://t2sde.org

**oleid** · 28 January 2020, 07:24 AM

Pre-built is fine, as long as you can add additional files, like a local key to decrypt a hard drive (without typing a password).

**lowlands** · 28 January 2020, 08:02 AM

Originally posted by oleid View Post

Pre-built is fine, as long as you can add additional files, like a local key to decrypt a hard drive (without typing a password).

What is the use case for such a setup? Probably stating the obvious but wouldn't "auto-decrypt" defeat the purpose of an encrypted hard drive? I use dracut-sshd to remotely ssh into a booting server to enter the key.

**starshipeleven** · 28 January 2020, 08:12 AM

Originally posted by lowlands View Post

What is the use case for such a setup? Probably stating the obvious but wouldn't "auto-decrypt" defeat the purpose of an encrypted hard drive? I use dracut-sshd to remotely ssh into a booting server to enter the key.

I've heard the same but with TPM, which at least makes it half-way useful (as anyone stealing the drive won't have the device with the key in the TPM to decrypt it).

Congrats on dracut-sshd, btw.

**Britoid** · 28 January 2020, 08:19 AM

Originally posted by lowlands View Post

What is the use case for such a setup? Probably stating the obvious but wouldn't "auto-decrypt" defeat the purpose of an encrypted hard drive? I use dracut-sshd to remotely ssh into a booting server to enter the key.

You would be reliant on the userspace to protect unauthorized access to files, so gdm, etc. You have a chain of trust, so you can verify software hasn't been tampered with, but it would fall apart if there's a bug.

**brent** · 28 January 2020, 08:59 AM

Even if there is a bug with user authorization, auto-decrypt still protects against someone stealing your disk and the likes, with no impact on user experience. And that is arguably an important attack scenario with mobile devices.

You can also use the TPM to strengthen a weak FDE password, which is very useful. This is what iOS and Android do: you typically have a quite short PIN, but it's strengthened with an embedded secure processor, for instance by hashing with a secret key that can not be read at all. So brute-forcing is not feasible in practice.

The downside of this is, of course, that data recovery is impossible if the device breaks. With LUKS, you can have multiple key slots, so you can register an additional (long) passphrase for decryption and store it somewhere safe, but that requries additional setup and additional user actions.

**lowlands** · 28 January 2020, 09:06 AM

Originally posted by starshipeleven View Post

I've heard the same but with TPM, which at least makes it half-way useful (as anyone stealing the drive won't have the device with the key in the TPM to decrypt it).

Thanks, using TPM for storing the key makes sense. Red Hat has an interesting approach where it gets the key from a remote server:

Chapter 12. Configuring automated unlocking of encrypted volumes using policy-based decryption Red Hat Enterprise Linux 8 | Red Hat Customer Portal

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening

Access Red Hat’s knowledge, guidance, and support through your subscription.

**Britoid** · 28 January 2020, 09:07 AM

Originally posted by brent View Post

Even if there is a bug with user authorization, auto-decrypt still protects against someone stealing your disk and the likes, with no impact on user experience. And that is arguably an important attack scenario with mobile devices.

You can also use the TPM to strengthen a weak FDE password, which is very useful. This is what iOS and Android do: you typically have a quite short PIN, but it's strengthened with an embedded secure processor, for instance by hashing with a secret key that can not be read at all. So brute-forcing is not feasible in practice.

The downside of this is, of course, that data recovery is impossible if the device breaks. With LUKS, you can have multiple key slots, so you can register an additional (long) passphrase for decryption and store it somewhere safe, but that requries additional setup and additional user actions.

Windows gets around this by letting you store a recovery key, either on Microsofts servers or as a file. This would probably be the best solution.

Announcement

Fedora Stakeholders Discuss Possibility Of Using Pre-Built Initramfs Images

Fedora Stakeholders Discuss Possibility Of Using Pre-Built Initramfs Images

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment