Teres Full Disk Encryption

Started by teres_user12, April 26, 2018, 07:55:25 PM

teres_user12

I enjoy teres a lot but how can I increase physical security with full disk encryption? Thank you so much

khumarahn

I am also interested. Of course, encryption will slow down the already slow Teres, but it may be important.

I have set up a luks container for the root filesystem and built the initrd with cryptsetup support... The only missing thing is I don't know how to ask for the passphrase on boot, while still in the initramfs. I need to access the keyboard and the console somehow. Does anyone know?

lambda

Maybe the following page is interesting:

http://sunxi.montjoie.ovh/

As for getting keyboard input in initramfs - I suppose it is only necessary to add all the necessary modules for USB input devices (and probably screen output too) to the initrd.

HTH,
Harald

alexi

Raspbian has VeraCrypt, which is a continuation of TrueCrypt. Does VeraCrypt make sense for Teres?

How does boot decryption work on ARM, which doesn't have something like grub? Thank you

JohnS

grub is available for and commonly used on ARM.

John

khumarahn

I had a free evening and looked at this again.

I built a proof of concept image with root filesystem in a luks container:
https://github.com/khumarahn/teres1-gentoo/blob/master/teres-gentoo-encrypted-20180516.img.torrent?raw=true
All the passwords are "olimex".

Regular images I can compress to less than 1GB, but this one is hard to compress because it is encrypted. So it is an 8GB download.

After I made myself a debugging cable, things went quickly. It was very straightforward to move the root filesystem to a luks encrypted container. To figure out how to unlock the container at boot, I had to read and experiment.

Briefly, this is what worked:
* compile a static version of cryptsetup with kernel as a crypto backend; add it to initramfs
* add the display module to initramfs, also modprobe disp in init
* change init to ask for password on tty1 and unlock the container: https://pastebin.com/EDFwxN1T

It works!!! I am not sure if the encryption is done in the best (safest, fastest) way. Any advice?

My image is as always with gentoo :-) If you want debian or ubuntu, just replace the encrypted partition with a luks container containing the rootfs of your choice. It should work the same.
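
A minimal sketch of the third step in the post above (prompt on tty1, then unlock the container), added here as an example; it is not khumarahn's pastebin script. The `cryptdevice=` kernel parameter, `/dev/mmcblk0p2`, the `cryptroot` mapping name and `/newroot` are assumed names.

```shell
#!/bin/sh
# Constructed initramfs /init sketch (not the pastebin script from the post).
# Assumed names: cryptdevice= parameter, /dev/mmcblk0p2, cryptroot, /newroot.
CONSOLE=${CONSOLE:-/dev/tty1}
CRYPTSETUP=${CRYPTSETUP:-/sbin/cryptsetup}
MAX_TRIES=${MAX_TRIES:-3}

# Print the value of KEY from a kernel command line ($1=KEY, $2=cmdline).
cmdline_arg() {
    for word in $2; do
        case $word in
            "$1"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Read a passphrase from stdin (echo off) and open the LUKS container.
# The passphrase reaches cryptsetup over a pipe, never via argv or a file.
unlock_root() {
    luks_dev=$1 map_name=$2 try=0
    while [ "$try" -lt "$MAX_TRIES" ]; do
        try=$((try + 1))
        printf 'Passphrase for %s (%s/%s): ' "$luks_dev" "$try" "$MAX_TRIES" >&2
        stty -echo 2>/dev/null || true   # no-op when stdin is not a tty
        IFS= read -r pass || { stty echo 2>/dev/null; return 1; }
        stty echo 2>/dev/null || true; printf '\n' >&2
        if printf '%s' "$pass" | "$CRYPTSETUP" open --type luks --key-file - \
               "$luks_dev" "$map_name"; then pass=; return 0; fi
        pass=
    done
    return 1
}

main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev
    modprobe disp                        # display module, as in the post
    root_dev=$(cmdline_arg cryptdevice "$(cat /proc/cmdline)") || root_dev=/dev/mmcblk0p2
    unlock_root "$root_dev" cryptroot <"$CONSOLE" 2>"$CONSOLE" || poweroff -f
    mount -o ro /dev/mapper/cryptroot /newroot
    umount /proc /sys
    exec switch_root /newroot /sbin/init
}

# Run the boot sequence only as PID 1 and only when installed as /init.
if [ "$$" -eq 1 ] && [ "${0##*/}" = init ]; then main; fi
```

After the allowed number of wrong passphrases the sketch powers the machine off instead of dropping to a rescue shell.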

JC

That's awesome. Thanks for all of your hard work khumarahn!