The Sanctuary

Technology => Network (in)Security => Topic started by: aldra on September 19, 2014, 04:37:07 am

Title: Novel Encrypted OS Ideas
Post by: aldra on September 19, 2014, 04:37:07 am

I haven't bothered encrypting my OS lately since the only important stuff is stored in encrypted password containers anyway, but I was thinking of setting it up again just because.

Anyway, I started by reading this article: http://madduck.net/docs/cryptdisk/ - a basic tutorial on setting up dm-crypt/LUKS to boot Debian and preload multiple encrypted volumes by way of a stored keychain. All well and good, but something I found interesting was near the bottom, it indicated you could save the bootloader to a USB device and boot from there, so there'd be no clear /boot partition on the drive. I'd find it rather useful to have the bootloader on a mini USB stick so the system simply would not boot (even to ask for a key) if it was removed - but taking it a step further, we could potentially load the bootstrap via PXE, meaning that the bootloader could be housed on a networked device so it'd only boot if it was connected.

the actual interesting part - Coreboot (http://www.coreboot.org) writes open source BIOS, and includes a module (with very limited support) that allows you to boot PXE over a WLAN connection. Ideally what I'd want to do is create an encrypted DM/LUKS system and save the bootloader as a PXE image - move the PXE image to your phone handset, set it up as a PXE host (ie. https://play.google.com/store/apps/details?id=com.bukerservebeer.bukerpxelite&hl=en), set a boot script on Coreboot to boot from your set APN and path... if all goe to plan, your computer will only ever boot when your phone is nearby with wireless switched on. Because it's the bootloader, you can turn wireless off once the system has started and will only need to turn it back on again if you reboot.

Title: Re: Novel Encrypted OS Ideas
Post by: Rizzo in a box on September 19, 2014, 05:04:23 am

That's a pretty interesting idea. What happens when your phone craps out though?

Title: Re: Novel Encrypted OS Ideas
Post by: aldra on September 19, 2014, 05:18:38 am

you've only got the bootloader there, not necessarily the key to be able to decrypt, so I'd ideallyy have it backed up. If the phone dies, you can set up another PXE source on the network or boot from USB

Title: Re: Novel Encrypted OS Ideas
Post by: silentchemist on September 19, 2014, 04:59:58 pm

I've been reading into similar things myself but due to my lack of knowledge I struggle somewhat