This is an alternative to manually typing your password to decrypt your home server disks.

The idea is that you have a Tang server somewhere on your local network. When your server boots up, it needs to communicate with the Tang server to unlock the disk. Tang doesn’t store the key and is stateless, but the client requires Tang’s cooperation to compute the key.

For me, I’m thinking about someone breaking into my house and stealing my computer. Currently, I have LUKS read a keyfile from a USB drive… but I almost always leave it plugged in… so a thief would probably accidentally steal that too.

With this setup, I’m thinking maybe I could setup a Pi on the opposite side of my house, ideally hidden. And then if my home server gets stolen, LUKS wouldn’t be able to reach my Tang server, and therefore not unlock anything.

  • Natanox@discuss.tchncs.deEnglish
    72·
    11 hours ago

    The concept sounds interesting. I do wonder how to make this “raid proof” though. Like, how do you make sure the device also becomes unbootable if I̶C̶E̶ ̶F̶a̶s̶c̶i̶s̶t̶s̶ ̶J̶e̶f̶f̶r̶e̶y̶ ̶E̶p̶s̶t̶e̶i̶n̶ ̶Y̶o̶u̶r̶ ̶M̶o̶m̶ ̶F̶r̶o̶n̶t̶e̶x̶ the police comes in and takes both? By now there are dogs able to sniff out PCBs even in walls (apparently they got a distinct smell K9’s can be trained on).

    Does this software by any chance support two servers that both have only a part of the secret? That way you (and/or someone you trust) could deposit a Pi somewhere else and have some way to remotely disable the boot process.

    • rumba@piefed.zipEnglish
      2·
      5 hours ago

      Not sure raidproof exists. If they get there and it’s running, all they need is something that is already connected and can read it, so your surface area is huge. If they know you have things they need, and are aware you are technically competent, They’re just going to disconnect network, leave it running and call in pros. Anything is probably enough to get past local LEO, but if the feds come in, they’re going to get what they want unless you’re rolling your own drivers.

    • FedX@quokk.auEnglish
      2·
      8 hours ago

      Listened to a rather interesting episode of Darknet Diaries the other day about a European cyber crime group. To this day, the FBI has been unable to decrypt the devices. The feds didn’t give too many details about the specifics, but what they did share was quite interesting:

      • Five layers of encryption, each with unique passwords.
      • LUKS root partition presumably tied to TPM2.
      • Veracrypt or truecrypt volumes in userland.
      • A custom-made encryption toolkit.

      From what I gathered, I think the optimal balance of usability and security (especially for a headless machine) would be the following:

      • LUKS root volume tied to TPM to protect against cloning of disk. Also, nothing too valuable ever lives on root.
      • More important data stored behind a FUSE encryption layer like gocryptfs, these can be easily opened remotely. You can also tie the password to data hidden inside the LUKS volume for effective two-password protection if the volume is not already behind a LUKS layer.
      • If your really concerned, add in additional layers as needed. You can tie LUKS to TPM and FIDO, not sure if you can set up a two password mode, but that would be quite nice. You can also (probably) tie FUSE based systems to biometrics like Howdey or fingerprint sensors if you have them. This could also be setup in a kind of two-password mode for a single volume. Realistically, two layers of encryption is overkill, but it’s more about ensuring multiple layers of redundancy rather than making it harder to crack.
      • I can’t recommend systemd because of its numerous security vulnerabilities, but homed does have a neat feature where it will unmount encrypted home volumes when your computer goes to sleep. Not sure how effective or useful it is, but it is a nice feature. Been wanting to see if I can setup something similar on Chimera/Artix with dinit user services.
      • Defiantly set up duress key-codes/panic buttons. Likewise, been wanting to write a clone of swaylock with duress code support, but as far as I know, nothing of the sort exists right now.

      It is also very much worth noting, even though the FBI never got into the hackers’ computers, they had more than enough evidence to convict the lot. Being the defender of a computer system is always a losing battle.