From 41f92b50dcd38aedafe64c4f6aae5fe8c2caaa5a Mon Sep 17 00:00:00 2001 From: samsepi0l <74207682+d4rklynk@users.noreply.github.com> Date: Mon, 26 Dec 2022 14:47:49 +0100 Subject: [PATCH 1/3] Add TPM Signed-off-by: samsepi0l <74207682+d4rklynk@users.noreply.github.com> --- .../posts/linux/Desktop-Linux-Hardening.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/content/posts/linux/Desktop-Linux-Hardening.md b/content/posts/linux/Desktop-Linux-Hardening.md index 7befecf..258eacd 100644 --- a/content/posts/linux/Desktop-Linux-Hardening.md +++ b/content/posts/linux/Desktop-Linux-Hardening.md 
@@ -21,6 +21,59 @@ Some of the sections will include mentions of unofficial builds of packages like Most Linux distributions have an option within its installer for enabling LUKS full disk encryption. If this option isn’t set at installation time, you will have to backup your data and re-install, as encryption is applied after [disk partitioning](https://en.wikipedia.org/wiki/Disk_partitioning) but before [filesystem](https://en.wikipedia.org/wiki/File_system) creation. +### TPM enrollment + +If you have a [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) chip in your computer, you can use it in addition with LUKS. + +A full guide how to install is available in this [gist](https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95) or in [Arch's documentation](https://wiki.archlinux.org/title/Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS). + +Check if you have TPM available : +``` +# systemd-cryptenroll --tpm2-device=list +``` + +You must have Secure Boot enabled, to check so : +``` +# mokutil --sb-state +``` +If it's set to "Disabled", you need to enable it in the UEFI firmware. + +Check your encrypted volumes : +``` +# blkid -t TYPE=crypto_LUKS +``` + +Then, you can finally enroll your encrypted volumes : +``` +# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 /dev/sdX +``` + +Replace sdX with the right volume. + +If you have several volumes, you can redo the command with the right volume, etc. 
+ +Finally, edit `/etc/crypttab` and add at the end of each line `tpm2-device=auto,discard`, like so : + +`luks-014aa5a6-a007-11ec-a054-7c10c93c41b1 UUID=0818cd36-a007-11ec-aaab-7c10c93c41b1 - tpm2-device=auto,discard` + +Then, edit `/etc/default/grub` and add `rd.luks.options=tpm2-device=auto` in `GRUB_CMDLINE_LINUX` + +You can optionally generate a recovery key : +``` +# systemd-cryptenroll --recovery-key /dev/sdX +``` + +Check and reboot : +``` +# systemd-cryptenroll /dev/sdX +SLOT TYPE + 0 password + 1 tpm2 + 2 recovery +``` + +Note that with secure boot enabled, you should manually sign your NVidia drivers with [akmod](https://github.com/larsks/akmod-sign-modules). + ### Encrypted Swap Consider using [encrypted swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption) or [ZRAM](https://wiki.archlinux.org/title/Swap#zram-generator) instead of unencrypted swap to avoid potential security issues with sensitive data being pushed to [swap space](https://en.wikipedia.org/wiki/Memory_paging). While ZRAM can be set up post-installation, if you want to use encrypted swap, you should set it up while partitioning your drive. From 352c360b689e72ae3dc27cf830cd1c29b6f6cb56 Mon Sep 17 00:00:00 2001 From: samsepi0l <74207682+d4rklynk@users.noreply.github.com> Date: Thu, 29 Dec 2022 16:27:13 +0100 Subject: [PATCH 2/3] Add TPM PIN Signed-off-by: samsepi0l <74207682+d4rklynk@users.noreply.github.com> --- content/posts/linux/Desktop-Linux-Hardening.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/posts/linux/Desktop-Linux-Hardening.md b/content/posts/linux/Desktop-Linux-Hardening.md index 258eacd..900d722 100644 --- a/content/posts/linux/Desktop-Linux-Hardening.md +++ b/content/posts/linux/Desktop-Linux-Hardening.md 
@@ -45,7 +45,7 @@ Check your encrypted volumes : Then, you can finally enroll your encrypted volumes : ``` -# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 /dev/sdX +# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 /dev/sdX --tpm2-with-pin=yes ``` Replace sdX with the right volume. @@ -72,6 +72,8 @@ SLOT TYPE 2 recovery ``` +When booting, it will ask you the password for LUKS, then the TPM2 PIN. + Note that with secure boot enabled, you should manually sign your NVidia drivers with [akmod](https://github.com/larsks/akmod-sign-modules). ### Encrypted Swap From 5f28aa6b767c500c87d42d01acddd0a26b30159e Mon Sep 17 00:00:00 2001 From: samsepi0l <74207682+d4rklynk@users.noreply.github.com> Date: Thu, 29 Dec 2022 16:32:04 +0100 Subject: [PATCH 3/3] Update Desktop-Linux-Hardening.md Signed-off-by: samsepi0l <74207682+d4rklynk@users.noreply.github.com> --- content/posts/linux/Desktop-Linux-Hardening.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/posts/linux/Desktop-Linux-Hardening.md b/content/posts/linux/Desktop-Linux-Hardening.md index 900d722..ca5f516 100644 --- a/content/posts/linux/Desktop-Linux-Hardening.md +++ b/content/posts/linux/Desktop-Linux-Hardening.md @@ -50,6 +50,9 @@ Then, you can finally enroll your encrypted volumes : Replace sdX with the right volume. +It will ask you the passphrase (you have previously chosen with LUKS) then it will prompt you a PIN for TPM. +The PIN should be **different** from the LUKS passphrase. + If you have several volumes, you can redo the command with the right volume, etc. Finally, edit `/etc/crypttab` and add at the end of each line `tpm2-device=auto,discard`, like so :
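Review bot: in the first patch's hunk (`@@ -21,6 +21,59 @@`), after the `/etc/crypttab` and `/etc/default/grub` edits the text never tells the reader to regenerate the GRUB configuration and the initramfs, so `rd.luks.options=tpm2-device=auto` will not take effect on the next boot; add the regeneration step for the distribution the guide targets. Two caveats belong in the same text: binding to PCRs 0, 2, 4 and 7 means a firmware, option ROM or bootloader update changes those measurements and the TPM2 slot stops unlocking until it is re-enrolled, which is why the recovery key step should not be labelled optional; and putting `discard` in every crypttab line enables TRIM pass-through, which reveals which blocks of the encrypted volume are unused, a trade-off worth naming rather than applying silently.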
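Review bot: in the second patch's first hunk (`@@ -45,7 +45,7 @@`), adding `--tpm2-with-pin=yes` to the enrollment command is the right change, but a reader who already followed the earlier version of this section has a PIN-less TPM2 slot enrolled, and that slot remains valid unless it is wiped; tell them to pass `--wipe-slot=tpm2` alongside the new enrollment (or run `systemd-cryptenroll --wipe-slot=tpm2 /dev/sdX` first), otherwise the volume still unlocks without a PIN.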
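Review bot: in the second patch's second hunk (`@@ -72,6 +72,8 @@`), the added sentence says boot prompts for the LUKS password and then the TPM2 PIN, which reads as if both must be typed on every boot and, taken literally, removes the convenience the enrollment was meant to provide; state which prompt the reader normally answers and that the LUKS passphrase remains the fallback when the TPM2 unlock fails (changed PCR values, wrong PIN, TPM lockout). Also "ask you the password" should read "ask you for the password".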
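Review bot: in the third patch's hunk (`@@ -50,6 +50,9 @@`), the recommendation that the PIN differ from the LUKS passphrase is correct but gives no reason, and the reason determines how the PIN should be chosen: the passphrase must survive an offline brute-force attack on a copied LUKS header, whereas the TPM2 PIN is only usable through the chip and is covered by its dictionary-attack lockout, so it can be short but must never equal the passphrase (reusing it would make a short PIN the offline passphrase). Also "you have previously chosen with LUKS" should read "the one you previously chose for LUKS", and "prompt you a PIN" should read "prompt you for a PIN".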