
posted by Fnord666 on Tuesday September 25 2018, @09:15PM   Printer-friendly
from the another-thing-for-your-key-ring dept.

The Librem Key is an OpenPGP smart card supporting up to 4096-bit RSA keys and 512-bit ECC keys. These keys are intended to be used as basic security token functions -- they will work with any laptop/PC but reportedly offer extra features when paired with Librem laptops or devices supporting the Heads security firmware.

https://www.phoronix.com/scan.php?page=news_item&px=Purism-Librem-Key

In addition to the standard features of a security token (GPG key storage and multi-factor authentication) that the Librem Key can perform on any computer, here are some of the interesting integration options with our Librem laptops we are already looking into with the Librem Key that will make security much more convenient for users who are facing average threats:

  • Insert the Librem Key at boot and automatically decrypt your hard drive
  • Automatically lock your laptop whenever you remove the Librem Key
  • Use your Librem Key to log in

https://puri.sm/posts/introducing-the-librem-key/

  • (Score: 4, Interesting) by pvanhoof on Tuesday September 25 2018, @09:48PM (3 children)

    by pvanhoof (4638) on Tuesday September 25 2018, @09:48PM (#739883) Homepage

    So they basically do ~ this [howtoforge.com]?
    CRYPTROOT=target=sda2_crypt,source=/dev/disk/by-label/Librem_Key in /etc/initramfs-tools/conf.d/cryptroot
    sda2_crypt /dev/disk/by-label/Librem_Key none luks,keyscript=/usr/local/sbin/unlocklukskey.sh in /etc/crypttab

    Locking my laptop when I take out the USB stick is quite a good idea against Evil Maid attacks. However, it should also unmount my encrypted /home after somehow freezing all my user's processes and their file descriptor usage for files within /home, and then somehow dehibernate them after remount once I plug in the USB stick.

    Anything that keeps the luks encryption key in memory (which is precisely what keeping the encrypted volumes mounted will do, no matter if you take out the USB stick or not) is going to let even recently hired youngsters with basic infosec training from my country's secret services (Belgium) Evil Maid me completely. Almost certain that they'll just copy all the RAM somehow and fish the keys out of it in the blink of an eye.

    Also important is that this setup will survive an apt-get dist-upgrade with kernel upgrades and constant initrd regenerating. Would be nice to have all this well supported by the people who maintain the distribution. Some amount of security is nice. But for the real serious stuff it will (or would) be TAILS anyway. In which case I might as well store all important data (encrypted) on the same USB stick that, with this Librem Key, contains the keys anyway (and then boot Tails from RO media like a cdrom).

    • (Score: 2) by DannyB on Wednesday September 26 2018, @01:37PM (2 children)

      by DannyB (5839) Subscriber Badge on Wednesday September 26 2018, @01:37PM (#740158) Journal

      But wait . . . all the computers seem to have their USB ports filled with hot glue.

      So on one hand, computers should not have any available USB ports, for security.
      On the other hand, computers should use security tokens that plug into USB.
      This doesn't leave any hands free for, oh, nevermind.

      (well, I hope that hot white sticky stuff in the USB ports is glue. But what would that say about the size of, oh, nevermind.)

      --
      When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
      • (Score: 2) by pvanhoof on Wednesday September 26 2018, @05:32PM (1 child)

        by pvanhoof (4638) on Wednesday September 26 2018, @05:32PM (#740332) Homepage

        Well I actually use a MicroSD card for my disk encryption luks keys. I figured that a USB device has an active component that has DMA access. So if my USB stick would get infected by malicious code (a so called BadUSB thingy) then I don't need to use it to get my LVM disk volumes mounted. I don't think MicroSD has its own CPU (like USB sticks do). Similarly I could have used a good old 3'14 diskette, but the laptop no longer comes with such hardware (and it's too much of a hassle to get it installed). Same for CDROM (although that's easier).

        As for xkcd.com/538, I have simply removed the passphrase luks key (you can indeed do this with luks, and be left only with the key on external media). So even if they torture me with a $5 wrench, without the MicroSD card there is no possibility of mounting my encrypted LVM volumes (I of course have backups of my data at home and/or at some safe place).

        But of course, I fully realize that taking out the MicroSD card and leaving my laptop unattended will not help me against an Evil Maid attack where they basically make a HW copy of the RAM modules.

        • (Score: 2) by DannyB on Wednesday September 26 2018, @06:21PM

          by DannyB (5839) Subscriber Badge on Wednesday September 26 2018, @06:21PM (#740356) Journal

          I keep my passphrase secret by wearing the t-shirt inside out.

          --
          When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
  • (Score: 3, Interesting) by MostCynical on Tuesday September 25 2018, @09:50PM (3 children)

    by MostCynical (2589) on Tuesday September 25 2018, @09:50PM (#739885) Journal

    Librem key $59 (USD)
    Nitro Key Pro 2 [nitrokey.com] €49
    So almost the same price.

    Can't immediately tell how they are different (apart from the branding)

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 0) by Anonymous Coward on Tuesday September 25 2018, @09:58PM

      by Anonymous Coward on Tuesday September 25 2018, @09:58PM (#739887)

      Couldn't we cobble together an open source version of this with a cheap commodity sd card/usb stick?

    • (Score: 3, Interesting) by stormwyrm on Tuesday September 25 2018, @10:49PM (1 child)

      by stormwyrm (717) on Tuesday September 25 2018, @10:49PM (#739913) Journal

      From the Purism link [puri.sm]:

      A few months ago we announced that we were partnering with Nitrokey to produce a new security token: the Librem Key and I’m pleased to announce that today the Librem Key is available for purchase on our site for $59.

      So I suppose it is a Nitrokey. It's said to be fully open hardware, with all design documents available, and all of the firmware is Free, with no binary blobs or anything like that. If you had the time and the resources you could make your own. Dunno if that's also true of Nitrokeys in general.

      --
      Numquam ponenda est pluralitas sine necessitate.
      • (Score: 2) by jmorris on Wednesday September 26 2018, @02:28AM

        by jmorris (4844) on Wednesday September 26 2018, @02:28AM (#740009)

        Yup. Look at the Nitrokey link, it IS the same thing, Nitro's product even says it also unlocks a Purism laptop. Looks like they worked on it together and will both be selling it with different logos silk screened onto the case.

        And for all the Open Source happy talk, neither says what sort of hardware is in the device, nor do they link to a repo with the firmware source. If you keep digging you can find the info on the original Nitrokey but nothing on the Nitrokey2 being discussed here. Assume they will eventually correct the oversight?

  • (Score: 3, Funny) by Anonymous Coward on Tuesday September 25 2018, @10:17PM (1 child)

    by Anonymous Coward on Tuesday September 25 2018, @10:17PM (#739900)

    When it comes to security, I only trust Microsoft.

    • (Score: 2) by DannyB on Wednesday September 26 2018, @01:52PM

      by DannyB (5839) Subscriber Badge on Wednesday September 26 2018, @01:52PM (#740174) Journal

      I only trust Microsoft when running on a secure processor with the Intel Management Engine and speculative execution vulnerabilities.

      --
      When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
  • (Score: 2) by c0lo on Tuesday September 25 2018, @10:27PM (6 children)

    by c0lo (156) Subscriber Badge on Tuesday September 25 2018, @10:27PM (#739904) Journal

    Great news for US border officers and justice: with a physical key, fuck that pesky 5th

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 3, Informative) by stormwyrm on Tuesday September 25 2018, @10:53PM (5 children)

      by stormwyrm (717) on Tuesday September 25 2018, @10:53PM (#739914) Journal

      FTA:

      In addition to multi-factor authentication, security tokens can also often store your private GPG keys in a tamper-proof way so you can protect them from attackers who may compromise your laptop. With your private keys on the security token, you can just insert the key when you need to encrypt, decrypt, sign, or authenticate and then type in your PIN to unlock the key. Since your private keys stay on the security token, even if an attacker compromises your computer, they can’t copy your keys (and even if you leave the key plugged in, they need to know your PIN to use it).

      There is still some kind of PIN, so you can still plead the Fifth even with something like this.

      --
      Numquam ponenda est pluralitas sine necessitate.
      • (Score: 2) by c0lo on Tuesday September 25 2018, @11:41PM (3 children)

        by c0lo (156) Subscriber Badge on Tuesday September 25 2018, @11:41PM (#739939) Journal

        Thanks for the info - obviously, I didn't RTFA
        How much entropy in that PIN? Any brute-force countermeasures?
        (Obviously, I don't intend to RTFA :) )

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 1, Interesting) by Anonymous Coward on Tuesday September 25 2018, @11:50PM

          by Anonymous Coward on Tuesday September 25 2018, @11:50PM (#739943)

          Typically, the idea of these devices is that the secrets are known only to the device, they include some modicum of physical tamper protection, and self-destruct on any failure. Usually that includes failing to correctly enter the PIN more than a certain number of times consecutively.

          This is essentially the same idea as chip & pin credit cards.

        • (Score: 1, Interesting) by Anonymous Coward on Wednesday September 26 2018, @12:35AM (1 child)

          by Anonymous Coward on Wednesday September 26 2018, @12:35AM (#739960)

          It could just be a simple four-digit PIN. But if you enter the wrong PIN more than a few times, the Librem Key self-destructs all the secrets it holds. So who cares if it's only 13.3 or so bits of entropy, you still can't brute force the PIN unless there's a critical security flaw in the Key itself.
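A worked model of the PIN-entropy and retry-counter argument made in the two replies above. This is an added example and not code from the original thread, from Purism or from Nitrokey; the 4-digit PIN, the three-failure wipe limit and the RetryLimitedToken class are assumptions constructed for illustration, modelled on how OpenPGP cards generally behave (a retry counter that is reset by a successful PIN verification and locks or wipes the card when it reaches zero).

```python
import math
import secrets


def pin_entropy_bits(digits: int, alphabet_size: int = 10) -> float:
    """Entropy of a uniformly random PIN: log2(alphabet_size ** digits).

    Four decimal digits give 4 * log2(10) ~= 13.29 bits, the figure quoted
    in the reply above.
    """
    return digits * math.log2(alphabet_size)


def guess_success_probability(digits: int, allowed_tries: int,
                              alphabet_size: int = 10) -> float:
    """Chance that an attacker with a fixed retry budget guesses a uniform PIN.

    With the retry counter as the only limit, the attacker gets exactly
    allowed_tries distinct guesses out of alphabet_size ** digits PINs.
    """
    space = alphabet_size ** digits
    return min(allowed_tries, space) / space


class RetryLimitedToken:
    """Constructed model of a token that wipes its secret after too many wrong PINs.

    The 'secret' stands in for the private key that never leaves the device;
    unlock() returns it only on a correct PIN, and returns None forever after
    the retry counter hits zero.
    """

    def __init__(self, pin: str, max_failures: int = 3):
        self._pin = pin
        self._secret = secrets.token_bytes(32)  # constructed stand-in key
        self._max_failures = max_failures
        self.remaining = max_failures
        self.wiped = False

    def unlock(self, pin: str):
        if self.wiped:
            return None
        # Constant-time comparison, as a real token would do in firmware.
        if secrets.compare_digest(pin, self._pin):
            self.remaining = self._max_failures  # success resets the counter
            return self._secret
        self.remaining -= 1
        if self.remaining <= 0:
            self._secret = None  # self-destruct: the key is gone for good
            self.wiped = True
        return None


def simulate_guessing(token: RetryLimitedToken, digits: int):
    """Try PINs in numeric order against the model and report what happens.

    Returns (recovered_pin_or_None, number_of_attempts_made). Against a token
    with a retry counter the loop stops as soon as the token has wiped itself,
    which is why the 13.3 bits of a 4-digit PIN are not the limiting factor.
    """
    attempts = 0
    for candidate in range(10 ** digits):
        attempts += 1
        pin = f"{candidate:0{digits}d}"
        if token.unlock(pin) is not None:
            return pin, attempts
        if token.wiped:
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    print(f"4-digit PIN entropy: {pin_entropy_bits(4):.2f} bits")
    print(f"P(guess within 3 tries): {guess_success_probability(4, 3):.4%}")
    token = RetryLimitedToken("7391", max_failures=3)
    print("guessing result:", simulate_guessing(token, 4), "wiped:", token.wiped)
```

The point the model makes is that the retry counter, not the PIN length, bounds the attacker: three guesses out of ten thousand is a 0.03% chance, and after the third failure even the correct PIN no longer unlocks anything. A real card's firmware may lock rather than erase, and some expose an admin PIN that can reset the user PIN counter, so the figure to check on an actual token is its retry counter and what happens when it reaches zero.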
      • (Score: 2) by DannyB on Wednesday September 26 2018, @01:56PM

        by DannyB (5839) Subscriber Badge on Wednesday September 26 2018, @01:56PM (#740176) Journal

        If I'm going to use two of the three factors, my preference would be:
        1. something I have (the USB key)
        2. something I am (my retina scan)

        That is much more convenient.

        . . . both for me and for border security / TSA. All they need is my USB key and my eyeball.

        --
        When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.