Comments (15)
I looked into this a little bit deeper recently: openzfs/zfs#9376 In theory, with LUKS there is a tamper-proof solution, and it looks like I don't fully understand the boot process of encrypted systems. I'll read more on the topic. I decided to finish it off after many months of procrastination.
from how-to-secure-a-linux-server.
Unfortunately, Secure Boot doesn't go far enough on its own, since it 1. can be disabled and 2. doesn't verify enough. I'd recommend taking a look at mortar for both more information and a solution. Good luck out there!~
from how-to-secure-a-linux-server.
@hellresistor while that is absolutely more effective than not encrypting, it does have two major caveats.
One, the administrator will need to be physically present at the server in the event of a power reset, meaning a server could be down for a potentially extended period of time.
Two, there is no mechanism to verify the integrity of the unencrypted boot data on the disk. You could more easily get around this by having the entire boot/ESP partition on your thumb drive, but I'd still raise point 1 as a concern. There is also the very unlikely risk of duplication of the pen drive. It might seem paranoid, but if you had multiple admins, there's no real way to know it hasn't been copied.
Not trying to shamelessly advertise, but mortar does fix both of these issues. :P
from how-to-secure-a-linux-server.
Yes, I would add it to the document if you can tell me the steps?
from how-to-secure-a-linux-server.
Okay. I'll try to research it in the following days, maybe weeks, and try it out on my microserver. I have found this so far: https://unix.stackexchange.com/questions/423666/secureboot-with-uefi-bootloader-and-grub2-only
from how-to-secure-a-linux-server.
I too will look into this.
from how-to-secure-a-linux-server.
@imthenachoman Thanks!
from how-to-secure-a-linux-server.
@noahbliss Thanks! I'll check it. I have read a lot more on the topic since October. Secure Boot just verifies the boot loader, but if you want to verify the kernel, initrd, etc., then you have to have a boot loader that is capable of that. The rest of the system can be encrypted. I think this protects from an "evil maid", so she cannot add a keylogger, for example, when you are not home, and she cannot copy and sell your data either. But she can still replace your keyboard or add a camera somewhere to get your password, so it is not 100% protection. If you add an SSH server to the boot loader, then you open up the system to MITM attacks on the local network, e.g. ARP poisoning, because the maid can access the private key of that SSH server. I guess there are a lot more MITM scenarios, so giving the key remotely is not the best option. Maybe adding some sort of hardware to store the key and ask for a passphrase after a power shortage is a good solution. I need to think about it.
from how-to-secure-a-linux-server.
I wrote a lot about what I found here: https://forums.freebsd.org/threads/what-kind-of-encryption-do-you-recommend.74474/#post-456003
But that is BSD. From a Linux perspective I would recommend ZFS with native encryption, because it increases performance a lot compared to LUKS (or GELI in the case of BSD). Unlike LUKS or GELI, it does not need to decrypt the blocks to verify the checksum and fix data corruption.
from how-to-secure-a-linux-server.
@Inf3rno you're absolutely right. The way I got around those issues was:
Bootloader support solved by: No bootloader except the EFI-bootable linux kernel directly.
Secureboot 1-file limit solved by: combining the cmdline, kernel, and initramfs into a single file then signing it.
Secure key storage solved by: binding the LUKS key in the TPM module to PCRs 1 and 7, ensuring that Secure Boot is functioning, using our CA, and booting a file with a valid signature.
Happy to elaborate if you'd like. I actually use this model as a root-of-trust with extended filesystems from there. E.g. right now I have gocryptfs on btrfs with its key inside of /etc, but /etc itself is in LUKS with its key in the TPM. So it all unrolls correctly. ^_^
All of this automated through upgrade hooks. Pretty convenient.
from how-to-secure-a-linux-server.
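The boot chain discussed above (Secure Boot verifying the loader, a single signed UKI, and a LUKS key released by the TPM only when PCRs 1 and 7 match) is easiest to reason about with a small simulation. The block below is an added example and not code from the page, from mortar, or from any real TPM library: `SimTpm`, `boot()`, the certificate strings and the UKI byte strings are all constructed stand-ins. It models the two TPM operations that matter, `TPM2_PCR_Extend` (PCR = H(old || H(event))) and `TPM2_PolicyPCR`, and replays the PCR 7 measurements UEFI firmware actually records (the SecureBoot variable, PK/KEK/db/dbx contents, and the db authority that verified each loaded image), so you can see which evil-maid changes break the unseal and which do not.

```python
"""Toy model of sealing a LUKS key to TPM PCRs 1 and 7 (added example; not from the page or mortar)."""
import hashlib
import hmac

TPM_CC_POLICY_PCR = (0x0000017F).to_bytes(4, "big")  # real TPM2 command code for TPM2_PolicyPCR

OWNER_CA = b"cert:our-own-secure-boot-ca"               # constructed sample db entry
ATTACKER_CA = b"cert:evil-maid-ca"                      # constructed sample db entry
SIGNED_UKI_V1 = b"uki-v1:cmdline+kernel+initramfs"      # stand-in for the current signed UKI
SIGNED_UKI_V0 = b"uki-v0:older-kernel"                  # stand-in for an older UKI, same signer


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


class SimTpm:
    """24 SHA-256 PCRs plus a chip-unique seed that never leaves the device."""

    def __init__(self, seed: bytes) -> None:
        self.pcrs = {i: bytes(32) for i in range(24)}  # PCRs are all-zero at power-on
        self._seed = seed

    def extend(self, index: int, event: bytes) -> None:
        # TPM2_PCR_Extend: one-way and order-dependent, so a PCR can't be set, only extended
        self.pcrs[index] = sha256(self.pcrs[index], sha256(event))

    def policy_pcr(self, selection: tuple) -> bytes:
        # TPM2_PolicyPCR: H(0^32 || CC_PolicyPCR || pcrSelect || H(selected PCR values))
        pcr_digest = sha256(*(self.pcrs[i] for i in selection))
        return sha256(bytes(32), TPM_CC_POLICY_PCR, bytes(selection), pcr_digest)

    def _keystream(self, policy: bytes, length: int) -> bytes:
        # Key-encryption key bound to both this chip's seed and the policy digest
        kek = hmac.new(self._seed, policy, "sha256").digest()
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(kek, counter.to_bytes(4, "big"), "sha256").digest()
            counter += 1
        return out[:length]

    def seal(self, secret: bytes, selection: tuple) -> dict:
        """Seal so the secret only unseals while the selected PCRs hold today's values."""
        policy = self.policy_pcr(selection)
        ks = self._keystream(policy, len(secret))
        return {"selection": selection, "policy": policy,
                "ciphertext": bytes(a ^ b for a, b in zip(secret, ks))}

    def unseal(self, blob: dict):
        """Return the secret, or None when the live PCR policy differs (TPM_RC_POLICY_FAIL)."""
        policy = self.policy_pcr(blob["selection"])
        if not hmac.compare_digest(policy, blob["policy"]):
            return None
        ks = self._keystream(policy, len(blob["ciphertext"]))
        return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))


def boot(tpm: SimTpm, *, secure_boot: bool, db_cert: bytes, image: bytes,
         image_signer: bytes, boot_order: bytes = b"0001") -> None:
    """Replay (simplified) the firmware measurements of one UEFI boot into PCRs 1, 4 and 7."""
    tpm.extend(1, b"BootOrder=" + boot_order)              # PCR 1: firmware configuration
    tpm.extend(7, b"SecureBoot=" + bytes([secure_boot]))   # PCR 7: Secure Boot policy variables
    tpm.extend(7, b"PK=" + OWNER_CA)
    tpm.extend(7, b"KEK=" + OWNER_CA)
    tpm.extend(7, b"db=" + db_cert)
    tpm.extend(7, b"dbx=")
    if secure_boot:
        if image_signer != db_cert:
            raise RuntimeError("firmware rejects image: signer not in db")
        # EV_EFI_VARIABLE_AUTHORITY: the db entry that authorised the image is measured into PCR 7
        tpm.extend(7, b"authority:db:" + image_signer)
    tpm.extend(4, sha256(image))                           # PCR 4: hash of the loaded EFI binary


def provision(seed: bytes, luks_key: bytes) -> dict:
    """Enrol once on the trusted configuration, sealing the key to PCRs 1 and 7."""
    tpm = SimTpm(seed)
    boot(tpm, secure_boot=True, db_cert=OWNER_CA, image=SIGNED_UKI_V1, image_signer=OWNER_CA)
    return tpm.seal(luks_key, (1, 7))


def try_unlock(seed: bytes, blob: dict, **boot_kwargs):
    """Power-cycle (fresh PCRs), boot with the given configuration, then attempt the unseal."""
    tpm = SimTpm(seed)
    try:
        boot(tpm, **boot_kwargs)
    except RuntimeError:
        return None
    return tpm.unseal(blob)


if __name__ == "__main__":
    blob = provision(b"chip-seed", bytes(range(32)))
    print("normal boot unlocks:", try_unlock(b"chip-seed", blob, secure_boot=True, db_cert=OWNER_CA,
                                             image=SIGNED_UKI_V1, image_signer=OWNER_CA) is not None)
    print("secure boot off unlocks:", try_unlock(b"chip-seed", blob, secure_boot=False, db_cert=OWNER_CA,
                                                 image=b"tampered", image_signer=ATTACKER_CA) is not None)
```

Two things the simulation makes visible. Disabling Secure Boot or enrolling a different CA in db changes PCR 7, so the key never leaves the TPM and the disk stays locked; that is the property the comment relies on. But PCR 7 records the signer, not the image: any UKI ever signed by your CA, including an old kernel with a known bug, reproduces the same PCRs 1 and 7 and unseals the key. If rollback is in your threat model, also bind PCR 4 (or, with the systemd stub, PCR 11) and re-enrol on each kernel update, or revoke old images via dbx. On a real system the enrolment step is `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=1+7 /dev/<luks-device>` or the equivalent clevis `tpm2` pin.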
@noahbliss I think we should continue this in your repo. Maybe I can contribute somewhat. I am relatively good at organizing code.
from how-to-secure-a-linux-server.
Search for the Devora project on GitLab; it may be a starting point.
from how-to-secure-a-linux-server.
As far as I understand, Secure Boot should help to prevent a breach from a VM hosting provider (hypervisor). But it may not be possible for some types of VM virtualization (KVM?).
from how-to-secure-a-linux-server.
For physical server control I suggest creating a USB pen drive that contains a bootloader with an encrypted, password-protected keyfile to boot into the HDD OS ;)
Every time you need to reboot the server, you need to put in the USB pen ;) otherwise it is "impossible" to access the encrypted partitions.
from how-to-secure-a-linux-server.
> Not trying to shamelessly advertise, but mortar does fix both of these issues. :P

We are both talking about different levels of server control/access/paranoia, obviously ;) "shamelessly advertise" seems a bit rude ;) (I have faith it was a language misunderstanding ^^)
Also, nice work! ;) I will check that.
from how-to-secure-a-linux-server.