LUKS practice and a ?

    From paulie420@700:100/71 to All on Sun Sep 11 13:06:23 2022
    So I have my main data partition LUKS encrypted; I don't encrypt the boot partition because I've read some of the pros/cons and don't think I NEED to - thoughts?

    I created a script that uses the 'poweroff' command and linked it to an alias that I can quickly run from the CLI... it's also keybound so I can press quickly to do the same from the desktop.

    I haven't done this yet, but I'm thinking about adding some sort of encrypted sub-folder within that open LUKS partition for when I'm logged in and using the device - this dir could be locked down with highly sensitive data, so that IT'S locked even when the machine is on.

    And my questions...
    Do you think I should have the ENTIRE drive LUKS encrypted, including the boot partition? Why?
    Do you do anything different, or does anyone have any tips on my setup? I knew I wanted a quick shutdown method and chose that 'poweroff' command b/c it literally shuts power immediately; if I'm ever pulled away from the machine with some ruse I can always choose to execute that command...

    I'd love to hear what methods you incorporate to secure yer data. Cheers, guys and gals.



    pAULIE42o

    --- Mystic BBS v1.12 A48 2022/07/15 (Linux/64)
    * Origin: 2o fOr beeRS bbS >> 20ForBeers.com:1337 (700:100/71)
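    The "encrypted sub-folder inside the open LUKS partition" idea from the post above, written out as an added example (not code from the thread): a file-backed LUKS2 container that lives on the already-unlocked data partition and is only opened while the sensitive files are needed. The container path /srv/vault.img, the mount point under /mnt and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a file-backed LUKS2 "vault" kept inside
# an already-unlocked data partition. Paths and names are assumptions.
#
# Usage (as root):
#   sh vault.sh create /srv/vault.img 2G   # one-time: format + filesystem
#   sh vault.sh open   /srv/vault.img      # passphrase prompt, then mounted
#   sh vault.sh close  /srv/vault.img      # unmount and drop the key from RAM
set -eu

MOUNT_BASE=/mnt          # assumption: vaults are mounted under /mnt/<name>

# Derive the dm-crypt mapper name from the container path: /srv/vault.img -> vault
vault_name() {
    base=$(basename "$1")
    printf '%s\n' "${base%.*}"
}

need_root() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
}

vault_create() {
    need_root
    img=$1; size=$2; name=$(vault_name "$img")
    [ -e "$img" ] && { echo "$img already exists" >&2; exit 1; }
    # Allocate the backing file up front (not sparse) and keep it owner-only.
    fallocate -l "$size" "$img"
    chmod 600 "$img"
    # LUKS2 header protected by a passphrase (interactive prompt + confirmation).
    cryptsetup luksFormat --type luks2 "$img"
    cryptsetup open "$img" "$name"     # loop device is set up automatically
    mkfs.ext4 -q "/dev/mapper/$name"
    cryptsetup close "$name"
}

vault_open() {
    need_root
    img=$1; name=$(vault_name "$img")
    cryptsetup open "$img" "$name"     # passphrase prompt
    mkdir -p "$MOUNT_BASE/$name"
    mount -o nodev,nosuid "/dev/mapper/$name" "$MOUNT_BASE/$name"
}

vault_close() {
    need_root
    name=$(vault_name "$1")
    umount "$MOUNT_BASE/$name"
    cryptsetup close "$name"           # removes the volume key from the kernel
}

case "${1:-}" in
    create) vault_create "${2:?IMG}" "${3:?SIZE}" ;;
    open)   vault_open "${2:?IMG}" ;;
    close)  vault_close "${2:?IMG}" ;;
    "")     ;;   # run or sourced without arguments: define functions only
    *)      echo "usage: $0 {create IMG SIZE|open IMG|close IMG}" >&2; exit 2 ;;
esac
```

    The thing to keep in mind with this layout: while the vault is open, its files are as exposed as anything else on the unlocked partition, and a screen lock does nothing about the volume key sitting in kernel memory. `cryptsetup close` (or a power-off, which is what the shutdown shortcut in the post buys you) is the step that actually removes the key.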
    From Greenlfc@700:100/71 to paulie420 on Wed Sep 14 09:31:29 2022
    As always, it depends on your threat model and paranoia level, but most Linux flavors do just fine with full disk encryption using LUKS. I'm *not* an expert; I usually just use the guided setup unless something goes horribly awry.

    Check out the BusKill; I've been wanting to make my own knockoff for a while and just haven't gotten around to it. It'll work with any *nix, but the Qubes guide is here: https://www.buskill.in/qubes-os

    GreenLFC º e> greenleaderfanclub@protonmail.com
    Infosec / Ham / Retro º masto> GLFC@mstdn.starnix.network
    Avoids Politics on BBS º gem> gemini.greenleader.xyz

    From paulie420@700:100/71 to Greenlfc on Wed Sep 14 16:43:09 2022
    As always, it depends on your threat model and paranoia level, but most Linux flavors do just fine with full disk encryption using LUKS. I'm *not* an expert; I usually just use the guided setup unless something goes horribly awry.

    Same here; except I've had systems with the /boot part encrypted too. However I'm a primadonna and I like using Plymouth to make the encryption unlock l00k all pretty - when /boot is encrypted, you have to unlock before GRUB so no pretty sauce. I feel like having the main / and /home partitions LUKS'd is protection enough...

    Check out the BusKill; I've been wanting to make my own knockoff for a while and just haven't gotten around to it. It'll work with any *nix, but the Qubes guide is here: https://www.buskill.in/qubes-os

    Oh neat, thanks for sharing that. As stated I was just using a script w/ poweroff - but will l00k into this option. I don't need INSANE protection, but I would like to know I have SOME security so I don't pull a Dread Pirate mistake.



    From Greenlfc@700:100/71 to paulie420 on Thu Sep 15 13:22:29 2022
    On 14 Sep 2022, paulie420 said the following...

    Check out the BusKill; I've been wanting to make my own knockoff for while and just haven't gotten around to it. It'll work with any *nix but the Qubes guide is here: https://www.buskill.in/qubes-os

    Oh neat, thanks for sharing that. As stated I was just using a script w/ poweroff - but will l00k into this option. I don't need INSANE protection, but I would like to know I have SOME security so I don't pull a Dread Pirate mistake.

    The great thing is using it with a breakaway magnetic cable. Your laptop is snatched (or you struggle) and it's locked or shut down (I would do both - lock it and run the poweroff script immediately after), depending on your script. You could do it with a regular USB stick, you just have to be more mindful when you get jumped, whether it's normal thugs or thugs with badges.

    From paulie420@700:100/71 to Greenlfc on Thu Sep 15 16:44:30 2022
    but the Qubes guide is here: https://www.buskill.in/qubes-os

    The great thing is using it with a breakaway magnetic cable. Your laptop is snatched (or you struggle) and it's locked or shut down (I would do both - lock it and run the poweroff script immediately after), depending on your script. You could do it with a regular USB stick, you just have to be more mindful when you get jumped, whether it's normal thugs or thugs with badges.

    Yea, I got some of the same ideas after l00king at the buskill project. I didn't see where I could use it w/ my own USB drive, but I'll p0ke around again.

    For me, a keymap is 'good enough', but it might be neat to have both that and an option to trigger by removing a USB device.

    Pretty neat. Also, you just gave me the idea that instead of me ONLY running 'poweroff', to lock the system first. Lock, then poweroff - I think for my needs those will work well together.



    From Greenlfc@700:100/71 to paulie420 on Fri Sep 16 10:41:59 2022
    On 15 Sep 2022, paulie420 said the following...

    Yea, I got some of the same ideas after l00king at the buskill project. I didn't see where I could use it w/ my own USB drive, but I'll p0ke around again.

    Basically you need to configure Linux to run your shutdown script when a USB event (unplugging your device) takes place.

    From paulie420@700:100/71 to Greenlfc on Fri Sep 16 17:35:37 2022
    Basically you need to configure Linux to run your shutdown script when a USB event (unplugging your device) takes place.

    Yes, I've been digging into just that since yer p0st. :P I'm seeing how I can test for a certain USB key, too.

    In fact, I think I'm long overdue for a YubiKey - and maybe I could tie that into the LUKS for both unlocking and shutdown. I'm going down a rabbit hole, and am pretty happy with the level of security I'm w0rking at.

    Thx.



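    The USB-removal trigger the last few posts converge on (run a script on the unplug event, make sure it is one particular key and not any USB device, lock first and then poweroff), as an added example. This is not code from the thread or from the BusKill project. The rule file path, the script path and the serial number DEADMAN0001 are made-up placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from BusKill. Assumed install path:
# /usr/local/bin/usb-deadman.sh, called by a udev rule on the remove event.
#
# udev rule (assumed file /etc/udev/rules.d/99-usb-deadman.rules), one line:
#   ACTION=="remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_SERIAL_SHORT}=="DEADMAN0001", RUN+="/usr/local/bin/usb-deadman.sh run"
#
# Read the serial of the key you carry with:
#   udevadm info /dev/disk/by-id/<your-key> | grep ID_SERIAL_SHORT
# then reload the rules:  udevadm control --reload
set -eu

EXPECTED_SERIAL="${USB_DEADMAN_SERIAL:-DEADMAN0001}"   # constructed placeholder serial
LOGTAG=usb-deadman

# Decide purely from the udev environment whether this event is *our* key leaving.
# udev exports the matched device's properties (ACTION, ID_SERIAL_SHORT, ...) as
# environment variables to RUN programs. Returns 0 to trigger, 1 otherwise.
# Kept separate from the side effects so the decision can be tested without udev.
should_trigger() {
    action=$1; serial=$2; expected=$3
    [ "$action" = remove ] || return 1      # plug-in events are not a trigger
    [ -n "$serial" ] || return 1            # device with no serial: never match
    [ "$serial" = "$expected" ]
}

# Lock every login session first, then an orderly power-off.
# The power-off (not the lock) is what removes the LUKS volume key from RAM.
respond() {
    logger -t "$LOGTAG" "trigger: serial=$1, locking sessions and powering off"
    loginctl lock-sessions || true          # best effort; poweroff is the real control
    systemctl --no-block poweroff           # --no-block: udev kills RUN programs that linger
}

main() {
    if should_trigger "${ACTION:-}" "${ID_SERIAL_SHORT:-}" "$EXPECTED_SERIAL"; then
        respond "$ID_SERIAL_SHORT"
    else
        logger -t "$LOGTAG" "ignored: action=${ACTION:-?} serial=${ID_SERIAL_SHORT:-?}"
    fi
}

# Only act when invoked with "run", as the udev rule does. Sourcing the file or
# running it without arguments just defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```

    Two things worth checking before trusting it: run `udevadm monitor --property` while unplugging the key and confirm that the remove event carries ID_SERIAL_SHORT for your device (match on ID_VENDOR_ID/ID_MODEL_ID instead if it does not), and remember that udev runs RUN+= programs in a restricted environment with a short timeout, which is why the script does nothing more than lock and hand off to systemd. Matching on the serial rather than on "any USB device" is what keeps a colleague unplugging a mouse from powering off your laptop.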