froscon2009 - 1.0

Free and Open Source Software Conference

Jürgen Pabel
Day Day 2 (2009-08-23)
Room HS1/2
Start time 14:00
Duration 01:00
ID 341
Event type Lecture
Track Security
Language used for presentation English

From PBA To Login

Improving The Full-Disk-Encryption User-Experience For Linux

LUKS/dm-crypt has become the Full-Disk-Encryption solution of choice for Linux distributions. Yet this established solution lacks a critical feature: integration with Linux's authentication system (PAM) that would allow users to unlock the disk with their login credentials. Different concepts for integrating these components are presented and their respective implications are discussed. A new software component that implements one of the presented concepts will be released at the presentation.

Full-Disk-Encryption ("FDE") is a vital security safeguard, especially for mobile computer systems. Many open-source implementations exist for Linux that are capable of protecting persisted information ("data-at-rest"); LUKS/dm-crypt is currently the implementation of choice for most Linux distributions. One drawback of the self-contained key management concept of LUKS/dm-crypt is that it burdens the user with having to manage the system's encryption password in addition to their own login password. Integrating the key management of LUKS/dm-crypt with Linux's authentication subsystem (PAM) will improve the user experience, since separate encryption passwords will no longer be necessary.

Presentation outline:

Part 1: Introduction & Overview

  • Overview of LUKS & dm-crypt
  • LUKS/dm-crypt in action: booting the system

Part 2: Integrating Pre-Boot-Authentication with PAM

  • Implications of the LUKS design with respect to password management
  • Concepts for integrating LUKS/dm-crypt with Linux's authentication subsystem (PAM)
  • Fresh bits for everyone: initial public release of an implementation