Re: [liberationtech] Linux distribution on encrypted USB?

[Moon Jones]

On 12.09.2013 18:12, The Doctor wrote:

For folks that have not yet gone poking around inside a copy of TAILS
installed on a USB key, Moon refers to the contents of the file
filesystem.squashfs


Thank for for the detalied description. Very useful. Myself I did not 
know all that you have written.



like tripwire data, or at least some fingerprints and a file list
to confirm the libs haven't turn against you overnight.


AIDE would be ideal for this, one would think.  It is much more
lightweight than Tripwire, and could be set to run at boot or login time.


I have chosen tripwire because of its «quite obvious» name. But AIDE 
looks like a better solution.



TAILS does seem to be somewhat problematic in this respect.  For
example, I tried to install a couple of Firefox plugins that I find
very useful (Scrapbook and Calomel-SSL, if anyone is interested) and
they didn't persist across reboots.  A little irritating, but perhaps
it's for the best.


That's pretty much the answer Tails should not be used as a regular 
distro. That and Intrigieri's point: before modifying Tails one should 
know more both about Tails and Debian.



I was thinking for my everyday system portable from one computer
to another without touching the installed hard drive. The config
is different. And I'm afraid to break stuff.


This makes me wonder just how much abuse TAILS can really take before
it breaks down...


Tails is good at what it does. But it's not an universal solution. 
Poking around distrowatch again I find it discouraging how much junk 
there is. Maybe hundreds of repacks of nvidia and ati/amd proprietary 
drivers labeled as «ease of use» and almost nothing on privacy. Than, if 
people would be interested in privacy there won't be a Snowden talk.

--
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change 
to digest, or change password by emailing moderator at compa...@stanford.edu.

Re: [liberationtech] Linux distribution on encrypted USB?

[Moon Jones]

On 12.09.2013 08:54, Brad Beckett wrote:

Use a Live USB distro with LOK-IT encrypted flash drives. All crypto and
authentication is handed on the drive itself...therefor bootable and
works on any OS:


I could not find any refference. Only a lot of marketing talk.

1. Which software is used? Is it public reviewable?
2. Which chips are used? Are they reviewed?

It's looks like a rather closed solution.

--
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change 
to digest, or change password by emailing moderator at compa...@stanford.edu.

Re: [liberationtech] Linux distribution on encrypted USB?

[Maxim Kammerer]

On Thu, Sep 12, 2013 at 7:12 PM, The Doctor  wrote:
> It is worth noting that, if an unprivileged user can list the contents
> of the file, an unprivileged user (an attacker) can potentially unpack
> the contents of the file, tamper with them, and then repack them.  I
> do not know if there are any measures to detect alteration of this
> file when TAILS boots, I haven't taken the time to go poking around
> inside the initrd.img or initrd2.img files (used by the kernel when
> TAILS boots) to see if there is anything of that sort.  A cursory
> examination of the contents of the syslinux/ directory does not show
> anything of that sort.

Use Liberté if you want the real thing — a trusted boot chain.
http://dee.su/liberte-security

Current version verifies the SquashFS image in initramfs, but the next
version will use dm-verity to remove that small delay.
https://code.google.com/p/cryptsetup/wiki/DMVerity

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Linux distribution on encrypted USB?

[The Doctor]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/11/2013 03:20 PM, Moon Jones wrote:

> one large encrypted space. So the packs added are put inside the 
> encrypted drive. I'd say the libs and executables are fine out in
> clear,

For folks that have not yet gone poking around inside a copy of TAILS
installed on a USB key, Moon refers to the contents of the file
filesystem.squashfs, which contains the guts of TAILS (the Debian
install and basic configuration files).  You can list the contents of
it with the following command:

[drwho@windbringer live]$ unsquashfs -ls filesystem.squashfs | less

It is worth noting that, if an unprivileged user can list the contents
of the file, an unprivileged user (an attacker) can potentially unpack
the contents of the file, tamper with them, and then repack them.  I
do not know if there are any measures to detect alteration of this
file when TAILS boots, I haven't taken the time to go poking around
inside the initrd.img or initrd2.img files (used by the kernel when
TAILS boots) to see if there is anything of that sort.  A cursory
examination of the contents of the syslinux/ directory does not show
anything of that sort.

> but the configs should be on the encrypted drive. Along with
> something

Some of the system's configuration are.  If the user runs `apt-get
update` on a running copy of TAILS, the data will be stored in the
encrypted partition in the apt/ directory.  CLAWS configs are stored
in claws-mail/.  The live-persistence.conf file has me somewhat
curious; it is a text file which maps directories in the running
system to subdirectories of the encrypted partition.  For example:

/home/amnesia/Persistentsource=Persistent

Where "source=Persistent" seems to reference a directory called
Persistent/ in the root of the encrypted partition.  It seems possible
that one could edit this file to add additional lines to this file
which would cause some number of files in other directories to be kept
here instead (/etc, perhaps).  I haven't tried this, but it seems like
a useful experiment to carry out.  A little poking around on the TAILS
website did not reveal anything specific to that file, but I didn't
look terribly hard.

> like tripwire data, or at least some fingerprints and a file list
> to confirm the libs haven't turn against you overnight.

AIDE would be ideal for this, one would think.  It is much more
lightweight than Tripwire, and could be set to run at boot or login time.

> Yes. I did the same upgrade and it worked in an instant. I was so
> happy everything was ok. If I recall well, only three upgrades can
> be done, than I'll have to migrate the data by hand. Anyway, going
> from 0.19 to

Was this experience, or is it documented anywhere?

> Only that on an older than Tails 0.17 I fired up Synaptic and did
> some «cleanup», removing everything I did not want. Than I put some
> software I needed. And in the end I have broken the whole distro. I
> did nothing exotic. I have not add foreign repositories. And it did
> not work. So I'm trying to avoid customising Tails for every day
> use.

TAILS does seem to be somewhat problematic in this respect.  For
example, I tried to install a couple of Firefox plugins that I find
very useful (Scrapbook and Calomel-SSL, if anyone is interested) and
they didn't persist across reboots.  A little irritating, but perhaps
it's for the best.

> I was thinking for my everyday system portable from one computer
> to another without touching the installed hard drive. The config
> is different. And I'm afraid to break stuff.

This makes me wonder just how much abuse TAILS can really take before
it breaks down...

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"No other race in the universe goes camping.  Celebrate your
uniqueness." --Jack Harkness

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlIx5+sACgkQO9j/K4B7F8FfGgCdENnIdiRkXuDLFHvjP/kDLdRs
bp4An3A+keDdMDUyiK6VALoG8EYomJtM
=byVf
-END PGP SIGNATURE-
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Linux distribution on encrypted USB?

[Brad Beckett]

Use a Live USB distro with LOK-IT encrypted flash drives. All crypto and
authentication is handed on the drive itself...therefor bootable and works
on any OS: http://www.lok-it.net


On Tue, Sep 10, 2013 at 5:41 AM, Moon Jones wrote:

> A portable distribution on an encrypted stick.
>
> In the end, I think only an USB hard drive can offer that, because of the
> way memory locations are handled by flash media.
>
> But is it feasable to have a two device solution? Media1 has the /boot but
> Media2 has the strong key. Media1 boots, prompts, than mounts Media2, takes
> the key, unmounts Media2 prompting and goes ahead with the boot without
> touching the other drives.
>
> Are these doable? Are they already made?
> --
> Liberationtech is a public list whose archives are searchable on Google.
> Violations of list guidelines will get you moderated:
> https://mailman.stanford.edu/**mailman/listinfo/**liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> compa...@stanford.edu.
>
-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Linux distribution on encrypted USB?

[intrigeri]

Hi,

Moon Jones wrote (11 Sep 2013 19:20:30 GMT) :
> Yes. I did the same upgrade and it worked in an instant. I was so happy 
> everything
> was ok. If I recall well, only three upgrades can be done, than I'll have to 
> migrate
> the data by hand.

This (or something similar) will be correct once we deploy incremental
upgrades in the wild (presumably by the end of the year). Until then,
Tails does full system upgrades while preserving user persistent data;
so, there is no such limit yet.

> So I'm trying to avoid customising Tails for every day use.

This would be my advice in general, unless one has good understanding
of the Tails design (and of Debian, and of [...]) and can guess what
the actual consequences of a change would be. I suspect that having
one's changes merged into mainline Tails may be the best strategy,
when it's relevant.

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Linux distribution on encrypted USB?

[Moon Jones]

On 11.09.2013 19:03, The Doctor wrote:

On 09/11/2013 02:33 AM, Moon Jones wrote:

Yes, Tails seems to be the solution here as well. It has a very
elegant way of handling this with its encrypted storage. But, in
this case, it's rather limited upgrade-wise.


In what sense?


Tails is wonderfuly maid for its purpose. On the outside all drives look 
the same. Same space for the distribution and upgrades and the rest is 
one large encrypted space. So the packs added are put inside the 
encrypted drive. I'd say the libs and executables are fine out in clear, 
but the configs should be on the encrypted drive. Along with something 
like tripwire data, or at least some fingerprints and a file list to 
confirm the libs haven't turn against you overnight.



At least insofar as being able to access the encrypted storage
partition of a USB install of TAILS is concerned, so long as you don't
repartition the device it should just work.  I've tested this a few
times (upgrading a USB key from TAILS v0.19 to TAILS v0.20) and the
data's been accessible every time.


Yes. I did the same upgrade and it worked in an instant. I was so happy 
everything was ok. If I recall well, only three upgrades can be done, 
than I'll have to migrate the data by hand. Anyway, going from 0.19 to 
0.20 cured some unexplained hangups that persist in Debian 7.0 and 7.0.1.


Only that on an older than Tails 0.17 I fired up Synaptic and did some 
«cleanup», removing everything I did not want. Than I put some software 
I needed. And in the end I have broken the whole distro. I did nothing 
exotic. I have not add foreign repositories. And it did not work. So I'm 
trying to avoid customising Tails for every day use.



Were you referring to something else (namely, potentially needing to
repartition the device if the distro grows too large to be accomodated
by previous installs)?


I was thinking for my everyday system portable from one computer to 
another without touching the installed hard drive. The config is 
different. And I'm afraid to break stuff.

--
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Linux distribution on encrypted USB?

[The Doctor]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/11/2013 02:33 AM, Moon Jones wrote:

> Yes, Tails seems to be the solution here as well. It has a very
> elegant way of handling this with its encrypted storage. But, in
> this case, it's rather limited upgrade-wise.

In what sense?

At least insofar as being able to access the encrypted storage
partition of a USB install of TAILS is concerned, so long as you don't
repartition the device it should just work.  I've tested this a few
times (upgrading a USB key from TAILS v0.19 to TAILS v0.20) and the
data's been accessible every time.

Were you referring to something else (namely, potentially needing to
repartition the device if the distro grows too large to be accomodated
by previous installs)?

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

END OF LINE

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlIwokgACgkQO9j/K4B7F8GM1wCfRd3w/Aqe0bHz8LrPZrO48vht
fRUAoLM69KhnFWBf1iQgnpv8XwILG74k
=P5Ve
-END PGP SIGNATURE-
-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Linux distribution on encrypted USB?

[carlo von lynX]

On Tue, Sep 10, 2013 at 02:41:24PM +0200, Moon Jones wrote:
> A portable distribution on an encrypted stick.

I know of two distributions that do this.. one is TAILS and
the one I prefer is liberte linux.. and the guy who does it
is even on this list.

> But is it feasable to have a two device solution? Media1 has the
> /boot but Media2 has the strong key. Media1 boots, prompts, than
> mounts Media2, takes the key, unmounts Media2 prompting and goes
> ahead with the boot without touching the other drives.

You boot from the stick, then mount the encrypted harddrive
with your pass phrase. The laptop as such is thus no longer
a source of danger without the stick. Best of all, if you
unplug the stick the system wipes its memory and shuts down.
Both systems work this way.

-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Linux distribution on encrypted USB?

[Moon Jones]

On 10.09.2013 17:58, Griffin Boyce wrote:

   I don't think it's particularly feasible without .  Something that
works currently is using a laptop without a hard drive, a USB with TAILS
or Whonix, and another (encrypted) USB with your critical files on it.


Yes, Tails seems to be the solution here as well. It has a very elegant 
way of handling this with its encrypted storage. But, in this case, it's 
rather limited upgrade-wise.

--
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Linux distribution on encrypted USB?

[Griffin Boyce]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/10/2013 08:41 AM, Moon Jones wrote:
> A portable distribution on an encrypted stick.
>
> In the end, I think only an USB hard drive can offer that, because of
the way memory locations are handled by flash media.
>
> But is it feasable to have a two device solution? Media1 has the /boot
but Media2 has the strong key. Media1 boots, prompts, than mounts
Media2, takes the key, unmounts Media2 prompting and goes ahead with the
boot without touching the other drives.
>
> Are these doable? Are they already made?

  I don't think it's particularly feasible without .  Something that
works currently is using a laptop without a hard drive, a USB with TAILS
or Whonix, and another (encrypted) USB with your critical files on it.

~Griffin

- -- 
"Cypherpunks write code not flame wars." --Jurre van Bergen
#Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de

My posts are my own, not my employer's.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJSL0G2AAoJEOMx/SmueSyX370P/2+tdqHq0daUT5J9uN4+7SaR
6K+uBEfJER9KM+kiL+lX2pRDInrIxWKDt5+JLDLrUNIv8Lj45rv6Z8bqW2llsSXf
qneISRJMA6Iphx0uzNo051l1p7ofG1tsKQLY0SloDKKHpxb461ff6lWAqq3Ta+rR
JcjnkGf9FO35Bet4jJDObRjTpqNVHZVEAcdpg3SAX00g2NA8scpWQ0NAA7jf1e90
fzgUu2jvz6VkbuuwtArBari0hgJ2YWy5PPNPkzL/53/kfG6W9iZjkC1mjnW19aMd
8cyGyoRo0SDGrtr59VQGfToIDBbb3AvlSjt/lTWPHqSD7YdDFWnz6C9FvBcDBrJ1
C+UFspWtBJzZMpMb9gpZjWdel3Vu8fRSX/kscrNkhpo+/28jt9WJ4+hfHEsUzdJf
uZCvwxiVz6iojUSBzF85qVOD8maGI/Q55/H+pMNPMuxCckSQytDIBAyoDJ0GBVll
K9/wPcmaV2gPi0TLMQm6n26ZWzYlzNuqs5cdSdrPpiIQiUAhtwpQMcQXxgWsKQA6
4m1pp488kDSbe9Fj18HwF9rDwby3wPTwYbMUNTQ1gOyM/y5+Ixzlt1g3tJk9IAaC
APh2PVeZFGiIsboM/DvUhM4SjXj5HM/NqBro4Y8MrEEJuPR4IBtiQ/lHyapEb/yt
11YmFZFBufL75y7fUrDH
=dGFW
-END PGP SIGNATURE-

-- 
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

[liberationtech] Linux distribution on encrypted USB?

[Moon Jones]

A portable distribution on an encrypted stick.

In the end, I think only an USB hard drive can offer that, because of 
the way memory locations are handled by flash media.


But is it feasable to have a two device solution? Media1 has the /boot 
but Media2 has the strong key. Media1 boots, prompts, than mounts 
Media2, takes the key, unmounts Media2 prompting and goes ahead with the 
boot without touching the other drives.


Are these doable? Are they already made?
--
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.