Originally Posted by BatteryKing your FIDO2 key is usually something you keep stowed somewhere; it is not continuously connected up to your computing device. If it is, then you are doing it wrong. Just complete and total nonsense. You must have a very creative imagination or have been seriously misinformed. FIDO2/Webauthn tokens are meant to remain plugged in to computers at all times, that is why Yubico makes a slim form factor. Originally Posted by BatteryKing When it comes to adding encrypting data at rest, if you are constantly rebooting the computer you are trying to protect, then you are probably doing something wrong. The normal case is you only reboot when you have to. What? I mean, just what? This is such a silly unqualified statement which honestly does not even logically follow this conversation. And it is also wrong, because a computer turned off with full volume encryption is much more secure than one powered on. Originally Posted by BatteryKing So now you get into a laptop computer getting stolen. Especially if the computer is at a lock screen or ends up at a lock screen, a would be thief might think, well just bring it up off of a boot disk and get in. This quickly fails with data at rest. Exactly. You got it. LUKS prevents adversaries from accessing data at rest. That's it - that problem is solved. Move on to other security risks. Originally Posted by BatteryKing And with the ESET example, you can remote kill the computer and then encrypted data at rest can be super handy at protecting your data No, you can't. That requires networking, which does not exist in preboot environment, nor in fadaday bags professional criminals use. Originally Posted by BatteryKing With a properly used FIDO2 key, it is not at the computer and even if it also gets stolen, 8 attempts and it is worthless to anybody. You've just created a risk of a user forgetting their PIN and their disk becoming worthless, which is tenfold greater than an attacker trying to decrypt the same. Originally Posted by BatteryKing There are also things like if you end up with the wrong significant other and it seems more often than not even getting as far as marriage ends in divorce. What on earth does this bizarre social commentary have to do with ANYTHING? Originally Posted by BatteryKing And with people like Hans Rieser, who had his own Linux file system, his ex was a real piece of work to the point where he just lost it one day and has been in jail for a long time because of that. I mean data at rest can be a very useful thing, especially if you know what is up. Seriously, stop the FUD. Sit down and make a threat model. You are allowing yourself to be carried away by silly ideas which are not based in objective reality, and actually may have negative impacts on your security and privacy in spite of your stated goals. Come back down to the earth, clearly and objectively state what data you are trying to protect, from whom, and what the adveraries capabilities are to justify particular defenses.
Just with the statement of the Yubikey is supposed to be left in at all times, have you actually used one? All of this commentary, it is a waste of my time to reply any more really. Someone is obviously out to get me and I don't want to play these games and it is not what I came here for.
Originally Posted by BatteryKing Just with the statement of the Yubikey is supposed to be left in at all times, have you actually used one? All of this commentary, it is a waste of my time to reply any more really. Someone is obviously out to get me and I don't want to play these games and it is not what I came here for. From the official Yubico website: https://www.yubico.com/product/yubikey-5-nano/ "The “nano” form-factor is designed to stay in your device" Like I said, please stop the FUD.
Originally Posted by currentshaft From the official Yubico website: https://www.yubico.com/product/yubikey-5-nano/ "The “nano” form-factor is designed to stay in your device" Like I said, please stop the FUD. Sorry -- I know this topic is pretty much done. But to add, I agree with user currentshaft that Yubikey's primary use is for MFA auth on (primarily web, like Google) applications, not necessarily LUKS. Which is why you'd likely have the device connected to your workstation at all times. So you'd need to convince those teams it's worthwhile to improve. I don't think the security forums for general use Ubuntu is a productive arena for that debate. Though it's great fun to consider... You're not the first person to think of this use case, and I think it's worthwhile. I just don't think the applications reliant on this process are mature enough to be reliable. From my perspective, I think a combination of data classification, restricting data exfiltration to workstations, and DLP are better methods of securing data than relying on workstation encryption alone. I could do research to back this one up, but who has time. I think the best solution would feature a Yubikey-like solution with LUKS. LUKS would ask for the pin from Yubikey, and they have k attempts until the key is destroyed. On top of this, the sensitive data would be secured on a centralized server that requires MFA to access. You could have the Yubikey be that MFA. And then the solution would be budget efficient and quite effective with the pin timeout for LUKS. The single point of failure of course is the Yubikey and stealing the workstation while its online. Then your DLP would need to somehow lockout access to the sensitive data.
Last edited by 0f4d0335; July 10th, 2024 at 05:49 PM.
Originally Posted by 0f4d0335 I think the best solution would feature a Yubikey-like solution with LUKS. LUKS would ask for the pin from Yubikey, and they have k attempts until the key is destroyed. How is that better or even different than LUKS encryption with the same PIN? It's the same level of security for an exponentially greater amount of effort and reliability risk. It makes no sense.
Originally Posted by currentshaft How is that better or even different than LUKS encryption with the same PIN? It's the same level of security for an exponentially greater amount of effort and reliability risk. It makes no sense. Yubikey has the feature to lockout after a number of attempts of the pin and can be managed. https://support.yubico.com/hc/en-us/...nal-Approaches Therefore, having the Yubikey can provide minimal interaction from the user (small pin) and require them to have the physical key when decrypting. Therefore, you can have a process to keep the key away from the workstation during normal operations and or even include the Yubikey as part of the employee's identity. It's better than simply remembering a password in that the Yubikey can lock itself and manage its access. You don't have those controls with just a memory pass key.
So the adversary you're worried about is going to steal a laptop AND try to brute-force LUKS (unlike 99% of criminals who will just format the PC and sell it abroad). The adversary is extremely skilled and highly motivated to go through all that trouble. But they are too inept to also steal the Yubikey and guess or phish the simple PIN needed to unlock the volume. This narrative borders on ludicrous. It is security theater. All it does is reduce the reliability of the platform. Not a single Fortune 500 company uses this method of encrypting their employees' laptops. Do you have something more important than them to protect - and think you know more than their security teams?
Last edited by currentshaft; July 11th, 2024 at 02:43 AM.
Originally Posted by currentshaft So the adversary you're worried about is going to steal a laptop AND try to brute-force LUKS (unlike 99% of criminals who will just format the PC and sell it abroad). The adversary is extremely skilled and highly motivated to go through all that trouble. But they are too inept to also steal the Yubikey and guess or phish the simple PIN needed to unlock the volume. This narrative borders on ludicrous. It is security theater. All it does is reduce the reliability of the platform. Not a single Fortune 500 company uses this method of encrypting their employees' laptops. Do you have something more important than them to protect - and think you know more than their security teams? Please see my previous posts [6, 9, and 14] on better mitigation controls. I'm explaining what Yubikey provides that is different from USB with key file (same method just less management, less cost). Standard full disk encryption is either required or recommended in GPDR, PCI - DSS, NIST, and CIS. All these frameworks are due process for corporations, and their security teams will deploy workstations with some version of encryption. But the stronger controllers were mentioned in my earlier posts. Edit. I really dislike the idea of security theater in terms of vendor options. I think it's fine that security is done however, but it has its use cases. When people say "security theater," I think of writers sensationalizing the mundane and frustrating airport security, not Yubikeys. Yubikeys are well-used. I don't need to speak about personal experiences to know this. But if I were running a small dev team on Ubuntu workstations, I don't think my go-to would be to install Yubikeys just because I don't think the support for the device is mature enough. Concerning threat modeling, Yubikey is fine to use as MFA and disk encryption. In a production environment, I would be sure to have a SME configure it. Justifying the cost should be done in the BIA and ALE.
Last edited by 0f4d0335; July 11th, 2024 at 01:59 PM.
Originally Posted by 0f4d0335 Yubikeys are well-used. Not for full volume encryption, it's not. Perhaps this is a "fun" research project, but as I'd already stated, no security professional is doing this because it's unreliable and adds nothing to security.
I doubt 0f4d0335 is interested in breaking out flame throwers. Given that their previous posts discussed other methods, I think we can safely assume that they are not making a personal recommendation here. Let's not turn this into a flame war.
Please read The Forum Rules and The Forum Posting Guidelines A thing discovered and kept to oneself must be discovered time and again by others. A thing discovered and shared with others need be discovered only the once. This universe is crazy. I'm going back to my own.
View Tag Cloud
Ubuntu Forums Code of Conduct