{{Header}} {{title|title= Full Disk Encryption (FDE) }} {{#seo: |description=Full Disk Encryption, Additional Security Measures |image=Fulldeskencryption423423.jpg }} {{fde-mininav}} {{physical-mininav}} {{intro| Full disk encryption (FDE) is a way to protect the contents of an entire hard drive from unauthorized access. It works by encrypting all the data stored on the disk, including the operating system and applications. This means that if someone gains physical access to the computer or removes the hard drive, they won't be able to read the data without the correct password or encryption key. FDE can help protect sensitive information such as financial data, personal information, and trade secrets. }} {{Contributor| |status=stable |about=About this {{Code2|{{PAGENAME}}}} Page |difficulty=easy |contributor=[https://forums.whonix.org/users/HulaHoop HulaHoop] |support=[[Support]] }} [[File:Fulldeskencryption423423.jpg|thumb]] = Introduction = == Essentials == {{fde}} can protect data at rest from physical access such as a stolen hard drive in case a computer or notebook gets stolen. Data at rest means, that a full disk encrypted computer is powered off. To provide sufficient security from password cracking brute force attempts, it is required to use strong passwords. See [[Passwords]]. In an advanced [[Threat_Modeling|threat model]] it is also required that the FDE key has also been already decayed from the computer's volatile memory (RAM) so it cannot be extracted from there either. See also [[Cold Boot Attack Defense]]. == Full Disk Encryption versus Malware == Full disk encryption is generally not designed to defeat [[Malware and Firmware Trojans|malware]]. == Encrypting {{project_name_long}} VMs == This is currently [[unsupported]] and does not provide any additional protection. The [[Encrypted Images]] wiki page provides a detailed explanation, with the conclusion noting:
The host of security considerations suggest that an unrealistic set of operational rules are required to defend the integrity of a purely encrypted guest image. Use of Full Disk Encryption (FDE) is recommended instead.== Plausible Deniability - Deniable Encryption == {{fde}} software plausible deniability is only effective in jurisdictions that have human rights and follow the rule of law. In scenarios where one might face indefinite detention or worse, it is actually better to avoid using plausibly deniable encryption feature. According to game theory, the adversary incurs a negligible cost by prolonging torture or incarceration for the captive while the ''reward'' of finally breaking the victim is much greater, in case there was actually anything to be found. https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm In group scenarios, using deniable encryption is a strong disincentive against the captured member "defecting" to save themselves since they cannot prove to the captor their loyalty. https://embeddedsw.net/doc/physical_coercion.txt At time of writing (October 2024), there are no known ways to accomplish FDE with plausible deniability on any Linux distribution. This is because cryptsetup which is used for FDE on Linux doesn't support plausible deniability. Cryptsetup is an independent software project. Such a feature would need to be implemented in cryptsetup, which would be an extremely complicated development task. Cryptsetup, upstream feature request: [https://gitlab.com/cryptsetup/cryptsetup/-/issues/7 Plausible deniability support for LUKS] was rejected. For reasons, see [https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/FAQ.md?ref_type=heads#5-security-aspects cryptsetup FAQ] and search for {{CodeSelect|inline=true|code=Plausible Deniability}}. == Measures Against Non-violent Coercion == Even in relatively civilized states, the laws have been misconstrued to make civil liberties protections at the border weaker. In the case of the US, the Fourth Amendment can be violated at will by customs officers. This section assumes a scenario where one is compelled to divulge passwords without measures involving physical harm or indefinite imprisonment. In such situations it is always recommended to exercise your right to remain silent and to request a lawyer. Your devices will most likely be impounded and therefore backups of important data should be made beforehand. * This [https://www.eff.org/press/releases/digital-privacy-us-border-new-how-guide-eff EFF Guide] provides advice and outlines your rights at the border. Tips like storing key material in the cloud should be ignored. * A [https://www.cypherpunks.ca/~iang/pubs/shattersecrets-spw18.pdf clever technique] (page 3) proposed by OTR's designer, Ian Goldberg, uses Shamir's Secret Splitting Scheme to split a key-file and distribute it among trusted friends to make producing the key a physical impossibility. * Cryptographer Bruce Schneier outlines a simpler variant of the above technique. A new random string is added as a password and then passed along to a trusted person, with the usual password being removed before crossing the border. After arriving, the key to access the drive can be retrieved and the original one re-added. https://www.schneier.com/blog/archives/2009/07/laptop_security.html == Physical Access == {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = It is safest to assume that a machine has been compromised after any unauthorized physical access. }} If unauthorized access is strongly suspected or confirmed, the hardware should not be trusted or used after it is back in your possession. This scenario is only relevant to a small minority who are already targeted for physical surveillance. A sufficiently skilled adversary can infect it with spyware or sabotage it in a number of ways that are virtually undetectable. For example, malicious firmware could be installed to record all activities, or the machine rendered inoperable by bricking the hardware. In that eventuality, none of the measures outlined in this chapter will help. == Protection Against Powerful Adversaries == As noted above, advanced attackers have virtually limitless possibilities to infect a computer under their physical control, such as flashing low-level firmware or adding physical implants. [[Full_Disk_Encryption#Plausible_Deniability_-_Deniable_Encryption|Plausible deniability]] and Full Disk Encryption (FDE) are also useless if subjected to physical abuse by a captor. A safer option is to have not left any discoverable data traces on a personal machine in the first place. See [[Live Mode]] and [[Anti-Forensics_Precautions|Anti-Forensics Precautions]]. To protect against theft of personal information or data, FDE should be applied on the host, and the computer turned off when exposed to higher-risk situations like traveling. In the case of laptops, the battery should be temporarily removed after powering off. This ensures that the RAM chips are completely powered down and that any encryption key(s) in memory are erased. * https://security.stackexchange.com/questions/99906/can-ram-retain-data-after-removal * https://security.stackexchange.com/questions/99906/can-ram-retain-data-after-removal/100391#100391 See also [[Cold Boot Attack Defense]]. Sleep mode: * Hibernation is also a safe alternative because the swap partition is encrypted in the default FDE configuration for various platforms (like Debian), so long as no changes were made. * Suspend to RAM is insecure. Be sure to follow the standard advice for picking [[Passwords#Generating_Unbreakable_Passwords|strong and unique passphrases]], so they cannot be feasibly brute-forced. Also, computers should never be left unattended in untrusted venues. = Debian Hosts = Configuring FDE during system install is straightforward. The default cipher is AES-256 in XTS mode. Debian's installer supports setting up FDE. = Kicksecure Hosts = The {{project_name_short}} [[ISO]] installer also supports setting up FDE. = Removable Media = == New Removable Media == Gnome Disks Utility creates LUKS partitions with AES-128 by default which is insufficient in event of quantum computers materializing. This has been successfully reported and fixed upstream as of February 2019, https://github.com/storaged-project/libblockdev/issues/416 https://github.com/vpodzime/libblockdev/commit/9dc4e2463860810cac5a1dbfb7064c47200260f6 but until it lands in Debian, an appropriately secure container must be manually created. Afterwards, unlock the device and format the internal filesystem as EXT4 in Gnome Disks. First enumerate the device. They will usually be called 'sdb1', as sdaX is reserved for the system on default installs. To avoid confusion, only connect one removable device at a time. {{CodeSelect|code= sudo ls /dev/ }} Create a LUKS container and change the device name as needed, then follow the prompts. {{CodeSelect|code= sudo cryptsetup --verbose --use-random --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-random luksFormat
Ctrl+C
) and it will automatically restart from where it left off if temporary header files are present in the home directory. https://asalor.blogspot.com/2012/08/re-encryption-of-luks-device-cryptsetup.html
}}
= Encrypted Containers =
Encrypted containers have the twin advantages of flexibility and mobility of folders, allowing more files to be added on the fly without needing re-compression and re-encryption (as in the case of using GPG).
== Zulucrypt ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = As of the next point release in {{project_name_short}} 15, Zulucrypt is included by default. In the {{project_name_short}} command line version, containers can be managed from the terminal with zulucrypt-cli
.
}}
Zulucrypt is the Linux answer to encrypted containers, making use of the reliable LUKS disk encryption specification. It is compatible with encrypted [https://www.dyne.org/software/tomb/ tomb files] and also capable of reading and creating Truecrypt / [https://www.veracrypt.fr/en/Home.html VeraCrypt] containers. Note that Veracrypt containers only support a maximum password length of 64 characters, but LUKS has a maximum value of 32,767 (although a recently fixed bug had limited it to only 100 characters). https://github.com/mhogomchungu/zuluCrypt/issues/113 Until it is possible to use 20-word diceware passphrases to lock LUKS containers, it is recommended to use [[Passwords#Guidelines|makepasswd]] to generate 43 character strings. These can then be pasted into a text file that is encrypted with GPG -- which does not have low character limits -- essentially creating a makeshift key file.
Containers grow dynamically as more data is added. Opened containers are mounted under /run/media/private/user
. More than one password may be added for access, making use of LUKS' key slots feature behind the scenes. https://crypto.stackexchange.com/questions/24022/luks-multiple-key-slots-whats-the-intuition
For further usage instructions please consult the official [https://github.com/mhogomchungu/zuluCrypt/blob/master/docs/zuluCrypt.pdf manual].
=== Recommended Security Settings ===
Important Note: In order to have post-quantum resistance, the aes.xts-plain64.512.sha512
option is recommended for 256-bit encryption (the encryption key-size is split in two with XTS mode).
To view the container header, run.
{{CodeSelect|code=
sudo cryptsetup luksDump --debug /home/user/.xts-plain64.512.sha512
variants in all cases. Each inner layer should be 1 MB less than the outer layer to allow space for each container's respective encryption header.
The [[Full_Disk_Encryption#Plausible_Deniability_-_Deniable_Encryption|Plausible deniability]] feature is available with volume types Normal+Hidden Truecrypt/Veracrypt
. Veracrypt volumes support crypto-cascades as a feature, so manual nesting is unnecessary. However, be warned that Truecrypt/Veracrypt volume types only support AES-128. Plain dm-crypt containers with a non-zero offset can be used to provide hidden volumes according to Zulucrypt's manual. This is yet to be tested by {{project_name_short}} developers.
= Additional Measures =
'''Table:''' ''Additional Protective Measures''
{| class="wikitable"
|-
! scope="col"| '''Measure'''
! scope="col"| '''Description'''
|-
! scope="row"| Anti Evil Maid
| [[AEM|Evil Maid Attack]]
|-
! scope="row"| Erase LUKS Header
|
This is a much quicker alternative to zeroing data on a HDD with [https://dban.org/ Darik's Boot and Nuke (DBAN)]. https://en.wikipedia.org/wiki/Darik's_Boot_and_Nuke DBAN also warns: While DBAN is free to use, there’s no guarantee your data is completely sanitized across the entire drive. It cannot detect or erase SSDs and does not provide a certificate of data removal for auditing purposes or regulatory compliance. Hardware support (e.g. no RAID dismantling), customer support and software updates are not available using DBAN.This is an effective measure on spinning HDDs where wiped data is confirmed to be destroyed. The OS only needs to read the LUKS header off disk once – not every single second. Wiping the header makes the disk impossible to unlock in the future. https://superuser.com/questions/1168928/wipe-luks-partition-in-pre-boot/1177362 Replace
/dev/sdXY
with the encrypted partition. Reply YES
to the prompt.
{{CodeSelect|code=
sudo cryptsetup luksErase /dev/sdXY
}}
Alternatively, to accomplish the same goal without being prompted, run.
{{CodeSelect|code=
sudo dd if=/dev/zero of=/dev/sdXY bs=1M count=2
}}
This will overwrite the first two megabytes of the partition /dev/sdXY
, which should cover the entire LUKS encryption header for version 1. If you are using LUKS2 with cryptsetup version 2.1.0 (Debian Buster default) the default header size is now 16MiB. Previous cryptsetup versions used a 4MiB LUKS2 header. In that case, simply adjust the dd command: dd if=/dev/zero of=/dev/sdXY bs=1M count=16 (or count=4). Determine your header size with the cryptsetup luksDump --debug Killer
https://github.com/Lvl4Sword/Killer
is a newer project that supports a range of trigger actions to shutdown a system in the case of tampering (disallowed changes) with USB, Bluetooth, AC, Battery, Disk Tray, and Ethernet. In the future, custom commands will be supported besides shutdown.
https://github.com/Lvl4Sword/Killer/issues/48
Once the program is packaged, it is intended to provide this software in the {{project_name_short}} repositories for Debian hosts.
|-
! scope="row"| LUKS Suspend Scripts
| On Linux hosts, there is one interesting solution for the risks posed by a computer in a suspended state; luks-suspend scripts. https://github.com/vianney/arch-luks-suspend/issues/7 This approach has some limitations because it is not yet packaged for Debian, and it has only been tested in the Ubuntu and Arch distributions. As of 2018, luks-suspend and keyslot nuking (mentioned below) is being merged upstream. https://blog.freesources.org/posts/2018/06/debian_cryptsetup_sprint_report/ As of 2020 cryptsetup-suspend
is now available in Debian Bullseye and Buster Backports, requiring Linux 5.6+. Keep in mind that while it protects LUKS keys by removing them from memory, other sensitive keys (GPG and SSH) and documents opened since last boot will still be present and extractable from RAM. Other daemons need to independently support key sanitization on suspend for enhanced protection. https://blog.freesources.org//posts/2020/08/cryptsetup-suspend/
|-
! scope="row"| Magic Key Feature
| In an emergency, [[{{non_q_project_name_short}}|{{non_q_project_name_short}}]] is capable of powering-off the computer immediately via the Magic SysRq key feature. This is invoked by pressing the key combination: Alt
+ PrintScreen
+ o
(lower-case letter). On bare-metal linux systems, the FDE passphrase is prompted after rebooting. https://en.wikipedia.org/wiki/Magic_SysRq_key https://www.thegeekstuff.com/2008/12/safe-reboot-of-linux-using-magic-sysrq-key/ https://phabricator.whonix.org/T553 /boot
Partition
| {{anchor|encrypted_boot}}
An encrypted /boot
partition has some advantages but it's imperfect because the bootloader is still necessarily unencrypted. To read more on this subject, see [https://twopointfouristan.wordpress.com/2011/04/17/pwning-past-whole-disk-encryption/ Pwning Past Whole Disk Encryption]. Article [https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html Full disk encryption, including /boot: Unlocking LUKS devices from GRUB] might be helpful.
* https://stackoverflow.com/questions/3655516/does-encryption-guarantee-integrity
* https://github.com/QubesOS/qubes-issues/issues/2442
* https://github.com/QubesOS/qubes-issues/issues/6151
A signed /boot
partition (next point) however is more important than a encrypted boot partition.
Considered not useful and [https://forums.whonix.org/t/fs-verity-in-linux-5-4/8911/30 measured boot] considered superior:
* https://bugs.launchpad.net/ubuntu/+source/calamares/+bug/2016912
Only GRUB supports encrypted /boot
.
Using GRUB to unlock /boot
comes with several disadvantages.
* No keyboard layout support: Only US keyboard layout is supported. Other local keyboard layouts are unsupported. If the user has chosen a full disk encryption password in calamares in their local keyword, chances are that this password will not work.
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686817
* https://github.com/calamares/calamares/issues/1203
* https://savannah.gnu.org/bugs/index.php?65113
* No password feedback: No asterisk sign ("*
") is shown during password entry. There is also no option to enable such a feature. The user must type the password "blind" without knowing how many characters have been typed already.
* Slow decryption: Takes much longer to decrypt.
* No retry: If the password has been entered wrong, GRUB drops to a recovery shell. The user might type (the first few) characters of its password again making it visible to anyone shoulder surfing.
* Slow development: LUKS2 and Argon2 was unavailable in GRUB for a long time.
* No dracut support: At time of writing (Debian 12), entering the password twice was required. Once for GRUB and once during initrd.
|-
! scope="row"| Signed /boot
Partition and Bootloader (Verified Boot)
| [[Verified Boot]] in theory but not yet available for (security-focused) Linux distributions such as Debian, {{Kicksecure}} and Qubes OS.
|-
! scope="row"| Separate /boot
Partition
| When FDE is used on the host, it is inadvisable to keep any (unencrypted) partitions such as the /boot
partition and bootloader on that same physical media which resides in a notebook which is sometimes left unattended. High risk users should move the /boot
partition to a separate USB (or other external) media and the bootloader (Grub) should also be installed on the separate USB.
|-
! scope="row"| TRESOR Kernel Patch
| Another useful protection is the [https://en.wikipedia.org/wiki/TRESOR TRESOR] [https://www.cs1.tf.fau.de/research/system-security-group/tresor-trevisor-armored/ kernel patch], which keeps the disk encryption key outside of RAM by storing it inside the CPU. TRESOR does have several limitations. It is only available for the x86 architecture, and it complicates software debugging by disabling DR registers for security reasons. https://security.stackexchange.com/questions/89301/was-tresor-integrated-in-the-linux-kernel/119835#119835 Moreover, a specialized attacker who can reverse engineer hardware designs is also capable of extracting secrets held in processor caches or specialized chips like TPMs.
|-
! scope="row"| USBKill
|
* [https://en.wikipedia.org/wiki/USBKill USBKill] is an anti-forensics script written in the aftermath of the SilkRoad trial. Its purpose is to trigger protection events that prevent adversaries from siphoning files, installing malware, or running a mouse jiggler. The script creates a white-list of allowable USB devices. If anything else is plugged into the machine, the RAM is erased and the computer is immediately shutdown.