Comment by wildbus8979@sh.itjust.works on Question: is systemd-homed ready for everyday use yet?

Hi! I want to try out fedora workstation in the near future (once 39 is out) and was wondering if systemd-homed is ready for everyday use yet.

I’m a bit paranoid and really need my private data encrypted. However, I don’t think that full disk encryption is practical for my daily use. Therefore I was really looking forward to the encryption possibilities of systemd-homed.

However, after reading up on it, I was a bit discouraged. AFAIK, there’s no option to setup systemd-homed at installation (of fedora). I was an Arch then Manjaro, then Endeavour user for years but don’t have the time/patience anymore to configure major parrts of my system anymore. Also, the documentation doesn’t seem too noob-friendly to me, which also plays into the time/patience argument.

Is it ready? Can anyone seriously recommend it for a lazy ex-Arch user who doesn’t want to break another linux installation?

Thank you in advance. :)

To go back to basics, why is FDE not suitable for your needs?

Simple convenience. I usually don’t have the time to wait one or two minutes until my full disk is decrypted (I am often late and the only person in a group meeting who brought a laptop for taking minutes).

I also use a weird keyboard layout (Neo 2) and I never got grub to load with that layout. Typing a 40+ passphrase in QWRETZ is just cumbersome to me.

Also: I hate to admit it, but I am a bit vain and simply would like a nice gui for entering my password.

Edit: I forgot to add that I’m playing with the idea of getting a surface tablet and installing linux on it. Then I couldn’t count on awlays having a usb keyboard with me.

Would a FDE with FIDO2 hardware key meet your needs?

I don’t think so. There’s a high likelihood of both laptop and key ending in the same hands if the laptop is stolen.

The concept of hardware key is precisely to be removed as soon as you are not in front of the device.

In my case, I’m using one this way. It is tethered to myself with a metal chain, so as soon as I’m not in front of my computer, they are separated and my sensitive data protected. Of course it won’t prevent someone from threatening to harm me in order to get access to said key, but he might as well do the same to get access to any kind of password.

Keys can be confiscated. But in most juristicions you can’t legally be forced to give up a password.

Please take the threat modelling of other people seriously without second guessing it. If people explain openly why they have a certain threat model, I might already give them away to potential attackers.

Unfortunately I’m in one of those jurisdiction where you have to give password if asked by a competent authority (France). If confiscation during transit is a threat in any place I go, my FIDO2 key take another route than I do.

You can setup FDE that utilizes TPM like Windows does with bitlocker, in such a way that your backup phrase is only necessary if something about your hardware changes.

Last I set it up however, there wasn’t any easy/automatic way. Searching “luks TPM” should get you started.

I need more than data security at rest. Reading out the keys from ram is well within my threat model.

Haha are you serious? In that case nothing short of full disk encryption and secure boot with your own keys is remotely adequate. Do you realize, that just encrypting your /home is at most a mild obscurity measure? If an attacker has potentially access to your computer and parts of it are unencrypted or unsigned, they could easily install a keylogger that sends out your data and/or password the next time you use your computer?!

If your situation is not just a psychological case of paranoia, but a real threat, then you absolutely need to work on your security knowledge a good amount!

I don’t really hppreciate your tone. Could you be a little less of a dick, please?

Keyloggers aren’t in my threat model (i.e.: they aren’t in the MO of my potential attackers).

In that case systemd won’t help you either.

Care to elaborate why? I thought that systemd can encrypt your home partition when locking your device.

I have a LUKS-encrypted laptop (1GB SSD), it takes about 10 seconds between typing in the password and the start of the boot process.

Good for you. I have the same setup and it feels too slow to me.

I second this.

Full disk encryption is entirely practical for everyday use. If you don’t already have a dedicated TPM, your motherboard/CPU may provide a software TPM (fTPM?). If so, you don’t even have to interact with the machine during boot. It’s just a bit slower to start up (by a few seconds), which really isn’t a big issue for your average user.

Pardon my ignorance here, but I don’t get it how is the whole thing still safe with unlocking from TPM instead of me providing the password at boot time?

Considering now anyone can just boot the machine into the installed system then bruteforce/exploit something to get login/get read permissions and make a plain copy of the data?
Where, without tpm, as long as I do not type in the encryption password myself I have a pretty high guarantee that the data is safe, especially when I am not at the (powered down) computer.

The idea behind it is that the files are stored encrypted at rest, which is really what you want, because once a system is booted, you have to play by the computer’s rules (respect file permissions, policies, etc.).

The TPM provides a secure mechanism to provide a decryption key to the computer during boot, eliminating the need for direct interaction.

Could it be compromised? Probably, but it would take considerably more effort than a man-in-the-middle on your keyboard via a logic analyzer.

This is a common misunderstanding insofar as how encryption works. You can’t flick a bit and TURN your storage unencrypted nor can you plausibly make your computer obey restrictions.

If your storage is encrypted it remains encrypted always including the file you have open right now. Your takes a plausibly length usable string and uses it to compute or retrieve the long binary number actually needed to decrypt your files. This number is stored in memory such that encrypted files can be decrypted when read into memory.

Once that key is loaded in memory anyone with 10 minutes and access to google could trivially unlock your computer in several different ways. It is virtually exactly like having no security whatsoever.

If you don’t actually enter a passphrase to unlock you have no meaningful security against anything but the most casual unmotivated snooping.

Your little sister might not be motivated enough to read your diary but the dipstick that stole your laptop will definitely be spending your money.

Once that key is loaded in memory anyone with 10 minutes and access to google could trivially unlock your computer in several different ways. It is virtually exactly like having no security whatsoever.

I highly doubt it.

If you have any tips for how I can personally bypass my computer’s encryption in 10 minutes without being able to login, I’d love to try my hand at it.

You aren’t actually asking to how to bypass encryption because the key is already in memory. You are asking about the much simpler task of compromising a computer with physical access to same. Depending on configuration this can be as ridiculous as killing the lockscreen process or as hard as physically opening the case chilling the contents of ram enough that data survives transfer to different physical hardware. See also the massive attack surface of the USB stack.

As others explained: If the FDE key is in RAM, I’m vulnerable. My thread model includes a stolen Laptop with the attackers able to freeze my RAM and reading out the keys.

Thank you for mentioning TPM though. Didn’t know of that before. :)

That’s not answering his question.

I’d like to tell you why you get downvoted:

https://en.wikipedia.org/wiki/XY_problem

X Y problems exist. And are fairly common in IT. That’s why it’s a good idea to ask questions like this.

He doesn’t need to explain why he doesn’t like FDE, there are plenty of reasons. Shared device, or maybe 2nd level of encryption, whatever. He already said it wasn’t what he wanted, the why is none of your business. If you can answer his question, do. If you can’t, just say you can’t. His preference is his preference. Now, you going to help the guy or not?

Also, I honestly don’t give a flying f if I get downvoted for telling you what you did wrong. Being in the right is all I need, thanks. Won’t be seeing your reply, blocking you before you try to be more of a smug ass.

Short interception here: I actually appreciate the question. I think I didn’t thoroughly explain what bugged me with FDE. And the X Y problem is something I’d like to be aware of.

The implied problems with FDE might actually not fit my situation or threat model, why I think it was important to elaborate.

Edit: Just thought of it in this way: In this context, I’d rather be asked than have things inferred about me.

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

Question: is systemd-homed ready for everyday use yet?

Linux

!linux@lemmy.ml

Rules

Related Communities

Community stats

Community moderators