Olimex Support Forum

Others => TERES DIY Laptop => Topic started by: teres_user12 on April 26, 2018, 07:55:25 PM

Title: Teres Full Disk Encryption
Post by: teres_user12 on April 26, 2018, 07:55:25 PM
I enjoy Teres a lot, but how can I increase physical security with full disk encryption? Thank you so much
Title: Re: Teres Full Disk Encryption
Post by: khumarahn on April 29, 2018, 11:01:27 PM
I am also interested. Of course, encryption will slow down the already slow Teres, but it may be important.

I have set up a luks container for the root filesystem and built the initrd with cryptsetup support... The only missing thing is I don't know how to ask for the passphrase on boot, while still in the initramfs. I need to access the keyboard and the console somehow. Does anyone know?
Title: Re: Teres Full Disk Encryption
Post by: lambda on May 02, 2018, 01:09:11 AM
Maybe the following page is interesting:

http://sunxi.montjoie.ovh/

As for getting keyboard input in initramfs - I suppose it is only necessary to add all the necessary modules for usb input devices (and probably screen output too) to the initrd.

HTH,
Harald
Title: Re: Teres Full Disk Encryption
Post by: alexi on May 14, 2018, 01:04:11 AM
Raspbian has VeraCrypt, which is a continuation of TrueCrypt. Does VeraCrypt make sense for Teres?

How does boot decryption work on ARM, which doesn't have something like grub? Thank you
Title: Re: Teres Full Disk Encryption
Post by: JohnS on May 14, 2018, 10:04:08 AM
grub is available for and commonly used on ARM.

John
Title: Re: Teres Full Disk Encryption
Post by: khumarahn on May 16, 2018, 06:10:26 PM
I had a free evening and looked at this again.

I built a proof of concept image with root filesystem in a luks container:
https://github.com/khumarahn/teres1-gentoo/blob/master/teres-gentoo-encrypted-20180516.img.torrent?raw=true
All the passwords are "olimex".

Regular images I can compress to less than 1GB, but this one is hard to compress because it is encrypted. So it is an 8GB download.

After I made myself a debugging cable, things went quickly. It was very straightforward to move the root filesystem to a luks encrypted container. To figure out how to unlock the container at boot, I had to read and experiment.

Briefly, this is what worked:
* compile a static version of cryptsetup with kernel as a crypto backend; add it to initramfs
* add the display module to initramfs, also modprobe disp in init
* change init to ask for password on tty1 and unlock the container: https://pastebin.com/EDFwxN1T

It works!!! I am not sure if the encryption is done in the best (safest, fastest) way. Any advice?

My image is as always with gentoo :-) If you want debian or ubuntu, just replace the encrypted partition with a luks container containing the rootfs of your choice. It should work the same.
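
The three steps listed in the post above, as an added example of an initramfs `/init` (not khumarahn's pastebin script and not part of the original thread). It assumes a busybox shell and applets in the initramfs; `ROOT_DEV`, `MAPPER_NAME`, `/mnt/root` and the retry settings are assumed values, and only the `disp` module and tty1 come from the post.

```shell
#!/bin/sh
# Added example: initramfs /init that unlocks a LUKS root before switch_root.
# Assumed values (not from the thread): ROOT_DEV, MAPPER_NAME, /mnt/root.
ROOT_DEV="${ROOT_DEV:-/dev/mmcblk0p2}"        # assumed LUKS partition
MAPPER_NAME="${MAPPER_NAME:-cryptroot}"       # assumed mapping name
CONSOLE="${CONSOLE:-/dev/tty1}"               # tty1, as in the post
CRYPTSETUP="${CRYPTSETUP:-/sbin/cryptsetup}"  # static binary in the initramfs
MAX_TRIES="${MAX_TRIES:-3}"
RETRY_DELAY="${RETRY_DELAY:-2}"               # seconds between attempts

# Open the container, letting cryptsetup prompt on the console.
# PID 1 has no controlling terminal, so stdin, stdout and stderr are
# pointed at the console explicitly. --tries 1 leaves counting to this loop.
unlock_root() {
    attempt=0
    while [ "$attempt" -lt "$MAX_TRIES" ]; do
        attempt=$((attempt + 1))
        if "$CRYPTSETUP" --tries 1 luksOpen "$ROOT_DEV" "$MAPPER_NAME" \
                <"$CONSOLE" >"$CONSOLE" 2>&1; then
            return 0
        fi
        printf 'Unlock failed (%s/%s)\n' "$attempt" "$MAX_TRIES" >"$CONSOLE"
        sleep "$RETRY_DELAY"
    done
    return 1
}

main() {
    mount -t proc none /proc
    mount -t sysfs none /sys
    mount -t devtmpfs none /dev
    modprobe disp                        # display module named in the post
    if unlock_root; then
        mount -o ro "/dev/mapper/$MAPPER_NAME" /mnt/root
        umount /proc /sys /dev
        exec switch_root /mnt/root /sbin/init
    fi
    # Too many failed attempts: power off instead of dropping to a shell.
    exec poweroff -f
}

# Run the boot sequence only when the kernel started this file as /init.
case "$0" in /init) main ;; esac
```

The boot partition and this initramfs stay unencrypted, so the passphrase prompt protects the data on the root filesystem, not the integrity of the boot chain.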
Title: Re: Teres Full Disk Encryption
Post by: JC on June 01, 2018, 03:20:27 AM
That's awesome. Thanks for all of your hard work, khumarahn!