User talk:Aruslantsev/Laptop secure setup
Some questions
If somebody gets your laptop and wants to install new system, he can’t change the boot device and disable Secureboot because of UEFI password
I always thought Secure boot only protects against malware (and malicious flash drives), not physical interaction. If someone has physical access, they can just re-flash the BIOS chip and do whatever they want to the system without the owner knowing.
- You are right. Now only Apple provides the option that the device can't be easily re-flashed. Secureboot + UEFI password will make the life of a thief a bit harder.
The size of UEFI boot partition is 1GiB
Is 1 GiB really required? My kernel is only 16 MiB and includes all modules, blobs, custom initramfs.
- Added note. 256 MiB is usually enough.
LVM on LUKS
I understand this is your personal article, but LVM is not needed in this whole scheme.
- Yes, I wrote that it is not the official guide and this scheme is convenient for me. And now I added a note that any filesystem can be used there.
Kernel does not consider swap on lvm on luks as encrypted partition, so suspend to disk without disabled lockdown is not possible
What does "disabled lockdown" mean?
- Will add some information when I recompile the kernel.
If the device that supports TRIM command (modern SSD, NVMe) is used, it may be a good idea to enable trim for your partition. But it may be a bit less safe. The partition should be opened first.
The partition does not need to be opened. Arguments can be set during the opening process:
root # cryptsetup --allow-discards --persistent open /dev/nvme0n1p2 cryptlvm
- Thank you. Did not find this in the documentation.
On modern CPUs AES is hardware accelerated, that's why AES-XTS is fastest. AES-XTS with 512b key is chosen.
aes-cbc also belongs to AES, it is slower in encryption than aes-xts but faster in decryption, so the logical connective "X belongs to AES -> X is fastest" cannot be applied as there are other factors. If Caesar's cipher was on the list and it was the fastest, would it be chosen as the best? Even with the acceleration, there are non-AES algorithms that are faster, such as ChaCha20 (yes, it is designed for authentication, but it is still faster than aes-gcm which is designed for the same purpose). There are a lot of AES modes, the benchmark shows only two.
- Ugh... I am not sure that I am able to make a good explanation in my native language... And I think that all this information should be mentioned in Dm-crypt.
AES-XTS with 512b key is chosen
I think it should be noted that the actual key length will be 256, since aes-xts requires two keys, so cryptsetup simply divides the provided key length in half.
root # cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random --type luks2 luksFormat /dev/nvme0n1p2
- That is mentioned in Dm-crypt.
--iter-time 5000 and --use-random need to be explained.
- Again, I am not sure that I can make a good explanation in my native language. I hope that I will do it later.
--Lars Hint (talk) 11:31, 26 July 2024 (UTC)
- Aruslantsev (talk) 08:05, 17 August 2024 (UTC)
- Thank you for replying. If it is easier for you to express your thoughts in Russian, I don't mind, since Russian is my mother tongue. Feel free to write in Russian. :)
- Anyway, there is another issue that needs clarification:
it may be a good idea to enable trim for your partition. But it may be a bit less safe.
- TRIM leaks information about file sizes [1], which means it can be used to prove the existence of files of known size on the disk. This is crucial in the case of piracy or other illegal content. Also, there are countries with censorship, so reading a certain book can result in imprisonment or execution. So if something can lead to the death penalty, I don't think it should be labeled "a bit less safe". --Lars Hint (talk) 17:40, 17 August 2024 (UTC)
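
Added example (not part of the discussion above and not taken from the article): a shell function that reads one `dmsetup table` line for a dm-crypt mapping and reports the two settings debated in this thread, the AES key size that results from an XTS volume key and whether discards (TRIM) are passed through. The sample table lines, the all-zero UUID and the function name `audit_crypt_table` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one line of `dmsetup table <name>` for a dm-crypt target.
# Layout: <start> <len> crypt <cipher> <key> <iv_off> <dev> <off> [<n> <opts>...]

# Constructed sample lines (all-zero UUID, made-up sizes), not real output.
SAMPLE_TRIM='0 998162432 crypt aes-xts-plain64 :64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 259:2 32768 1 allow_discards'
SAMPLE_NOTRIM='0 998162432 crypt aes-xts-plain64 :64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 259:2 32768'

audit_crypt_table() {   # hypothetical helper name
    set -- $1           # split the table line into positional fields
    if [ "$#" -lt 8 ] || [ "$3" != "crypt" ]; then
        echo "error=not-a-crypt-target"
        return 1
    fi
    cipher=$4
    key=$5
    case $key in
        :*) # keyring reference ":<bytes>:<type>:<description>"
            rest=${key#:}
            key_bytes=${rest%%:*} ;;
        *)  # hex key (shown zeroed without --showkeys): two digits per byte
            key_bytes=$(( ${#key} / 2 )) ;;
    esac
    key_bits=$(( key_bytes * 8 ))
    # XTS splits the volume key into two equal keys, so "-s 512" is AES-256.
    case $cipher in
        *-xts-*) aes_bits=$(( key_bits / 2 )) ;;
        *)       aes_bits=$key_bits ;;
    esac
    discards=off
    shift 8             # remaining fields are "<n> <opt> ..." when present
    for opt in "$@"; do
        if [ "$opt" = "allow_discards" ]; then discards=on; fi
    done
    echo "cipher=$cipher volume_key_bits=$key_bits aes_key_bits=$aes_bits discards=$discards"
}

audit_crypt_table "$SAMPLE_TRIM"
audit_crypt_table "$SAMPLE_NOTRIM"
```

On a live system the input line would come from `dmsetup table cryptlvm` run as root, using the mapping name from the commands quoted above.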