search

linuxboot / heads-wiki

Documentation for the Heads firmware project
84 stars 44 forks source link

Confusion about using USB Security Dongles to decrypt hard drive #86

Open copyvar opened 2 years ago

copyvar commented 2 years ago

As far as I understand, you can use your - for example Nitrokey Pro - to "avoid" typing in the Disk Recovery Key. The Disk Recovery Key is the key used at OS installation for the encrypted root partition (passphrase placed in LUKS keyslot 0). So I can use this key whenever I connect my harddrive to another computer.

For me, it would be logical, if I use my GPG key on my Nitrokey to do some magic to decrypt my harddrive (or decrypt some parts on the TPM which then decrypts my harddrive). It would make sense, if I would need to type in my Nitrokey User PIN to decrypt my harddrive.

Instead I am asked for another password in Heads when I try to set up this. This confuses me.

I read https://osresearch.net/Keys/

(Added for newcomers: The Nitrokey User PIN is - obviously - relatively easy to guess, if brute force methods are available. But the USB Security dongles are actually locking the user out of their User role if 3 bad attempts were made, so it is safe, to use the PIN to unlock/decrypt my harddrive.)

tlaurion commented 2 years ago

@copyvar A lot of back and forth have happened in the goal of improving the wiki in the past on that subject, where your question seems answered in that part (should be merged but was closed by author) https://github.com/osresearch/heads-wiki/pull/76/files#diff-29017719792bd9c9938af6836790ea250cbe08877b37721fb0b2ddd7e7216f56R63-R121

LUKS Disk Recovery Key passphrase is the the one chosen at install: correct. Can be used to decrypt disk on another computer: correct.

The Disk Unlock Key, aka TPM disk encryption passphrase, is local and stored in the TPM, which releases the Key when system is in the right state and was documented under https://github.com/osresearch/heads-wiki/pull/76/files#diff-29017719792bd9c9938af6836790ea250cbe08877b37721fb0b2ddd7e7216f56R63-R121

Unlocking the Disk encrypted container with GPG PINs is possible and was documented there, and requires the booted OS to be modified accordingly. Purism is doing so with their OS and documentation is given on their website, pointed from the section in wiki PR above.

Not sure why that PR was closed. Maybe the discussion should continue there so that that PR is modified and merged.