Add chapter security
This commit is contained in:
Sandro Keil
17
README.md
17
README.md
@@ -1,7 +1,7 @@
|
||||
# YubiKey Full Disk Encryption
|
||||
|
||||
[This repository](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi "YubiKey Full Disk Encryption Repository")
|
||||
contains a step-by-step tutorial to create a full disk encryption setup with two factor authentication (2FA)
|
||||
[This repository](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi "YubiKey Full Disk Encryption Repository")
|
||||
contains a step-by-step tutorial to create a full disk encryption setup with two factor authentication (2FA)
|
||||
via [YubiKey](https://yubico.com/products/yubikey-hardware/). It contains:
|
||||
|
||||
- YubiKey encrypted `root (/)` and `home (/home)` folder on separated partitions
|
||||
@@ -11,11 +11,16 @@ via [YubiKey](https://yubico.com/products/yubikey-hardware/). It contains:
|
||||
|
||||
Currently guides for:
|
||||
|
||||
- Arch Linux
|
||||
- Arch Linux
|
||||
|
||||
Additional security chapter:
|
||||
|
||||
- Disable INTEL AMT
|
||||
- Disable AMD PSP
|
||||
|
||||
## Why
|
||||
It took me several days to figure out how to set up a fully encrypted machine with 2FA. This guide should help
|
||||
others to get it done in minutes (hopefully). There exists a plenty bunch of tutorials but no one contains a step-by-step
|
||||
others to get it done in minutes (hopefully). There exists a plenty bunch of tutorials but no one contains a step-by-step
|
||||
guide to get the above things done.
|
||||
|
||||
> I guess the entire manual will take between 1 - 3 hours.
|
||||
@@ -25,7 +30,7 @@ You should be familiar with linux and should be able to edit files with `vi` [Vi
|
||||
You need an USB stick for the Linux Live environment and a second computer would be useful for look ups and to read this guide while
|
||||
preparing your fully encrypted Linux.
|
||||
|
||||
And of course you will need at least **two** [YubiKeys](https://www.yubico.com/products/yubikey-hardware/ "Discover YubiKeys").
|
||||
And of course you will need at least **two** [YubiKeys](https://www.yubico.com/products/yubikey-hardware/ "Discover YubiKeys").
|
||||
|
||||
**WARNING:** You gonna get a bricked machine if you only have a single Yubikey and it breaks.
|
||||
|
||||
@@ -38,7 +43,7 @@ And of course you will need at least **two** [YubiKeys](https://www.yubico.com/p
|
||||
## Documentation
|
||||
|
||||
For the latest online documentation visit [http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/](http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/ "Latest yubikey-full-disk-encryption-secure-boot-uefi documentation").
|
||||
Refer the *Quick Start* section for a detailed explanation.
|
||||
Refer the *Quick Start* section for a detailed explanation.
|
||||
|
||||
Documentation is [in the book tree](book/), and can be compiled using [bookdown](http://bookdown.io) or [Docker](https://www.docker.com/)
|
||||
|
||||
|
||||
@@ -50,7 +50,7 @@ The complete file should look something like this.
|
||||
#%PAM-1.0
|
||||
|
||||
auth required pam_unix.so try_first_pass nullok
|
||||
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
|
||||
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
|
||||
auth optional pam_permit.so
|
||||
auth required pam_env.so
|
||||
|
||||
@@ -67,11 +67,11 @@ session optional pam_permit.so
|
||||
```
|
||||
|
||||
## Test it
|
||||
Arch Linux loads the [PAM](https://wiki.archlinux.org/index.php/PAM "Linux Pluggable Authentication Modules (PAM) ") config files on every login. So simply switch to
|
||||
Arch Linux loads the [PAM](https://wiki.archlinux.org/index.php/PAM "Linux Pluggable Authentication Modules (PAM) ") config files on every login. So simply switch to
|
||||
another tty and try to login. After you have entered your password, the YubiKey should flash and you have to touch the
|
||||
YubiKey button. Good luck!
|
||||
|
||||
**Congratulations**! You have hopefully successful finished the YubiKey Full Disk Encryption Guide. You have reached the
|
||||
**Congratulations**! You have hopefully successful finished the YubiKey Full Disk Encryption Guide. You have reached the
|
||||
following goals which is really awesome!
|
||||
|
||||
- YubiKey encrypted `root (/)` and `home (/home)` folder on separated partitions
|
||||
@@ -80,4 +80,6 @@ following goals which is really awesome!
|
||||
- YubiKey authentication for user login
|
||||
|
||||
If you have any suggestions don't hesitate to [create an issue](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi/issues "Create a new issue") to improve this guide.
|
||||
Also spread the word about this guide so more people can secure their system.
|
||||
Also spread the word about this guide so more people can secure their system.
|
||||
|
||||
You should now check the *security* chapter to improve security further.
|
||||
22
book/security/bookdown.json
Normal file
22
book/security/bookdown.json
Normal file
@@ -0,0 +1,22 @@
|
||||
{
|
||||
"title": "Security",
|
||||
"content": [
|
||||
{"disable-intel-amt": "disable-intel-amt.md"},
|
||||
{"disable-amd-psp": "disable-amd-psp.md"}
|
||||
],
|
||||
"theme": {
|
||||
"toc": {
|
||||
"collapsibleFromLevel": 1
|
||||
}
|
||||
},
|
||||
"template": "bookdown/themes",
|
||||
"tocDepth": 2,
|
||||
"target": "../html",
|
||||
"numbering": false,
|
||||
"extensions": {
|
||||
"commonmark": [
|
||||
"Webuni\\CommonMark\\TableExtension\\TableExtension",
|
||||
"Webuni\\CommonMark\\AttributesExtension\\AttributesExtension"
|
||||
]
|
||||
}
|
||||
}
|
||||
13
book/security/disable-amd-psp.md
Normal file
13
book/security/disable-amd-psp.md
Normal file
@@ -0,0 +1,13 @@
|
||||
# Disable AMD PSP
|
||||
This page describes how to disable AMD Secure Processor aka AMD Secure Technology.
|
||||
Please read the whole page before you begin. The AMD PSP is a
|
||||
[security risk](https://www.scmagazineuk.com/security-issue-found-amds-platform-security-processor/article/1473518 "Security issue found in AMD's Platform Security Processor").
|
||||
|
||||
> Don't forget to set a secure BIOS supervisor password!
|
||||
|
||||
## Disable AMD PSP in BIOS
|
||||
> **Attention:** If you don't see any option to disable AMD PSP, check
|
||||
if you have installed the latest BIOS version.
|
||||
|
||||
Boot into BIOS and search for an entry *BIOS PSP Support* and disable it.
|
||||
It should be in menu *Advanced*.
|
||||
35
book/security/disable-intel-amt.md
Normal file
35
book/security/disable-intel-amt.md
Normal file
@@ -0,0 +1,35 @@
|
||||
# Disable INTEL AMT
|
||||
This page describes how to disable INTEL Active Management Technology. Please read the whole page before you begin.
|
||||
The INTEL AMT is a [security risk](https://thehackernews.com/2018/01/intel-amt-vulnerability.html "INTEL AMT vulnerabilities").
|
||||
|
||||
> Don't forget to set a secure BIOS supervisor password!
|
||||
|
||||
## Open INTEL AMT
|
||||
To open INTEL AMT press *CTRL + P* on boot. The default password is *admin* and
|
||||
you should change it to a secure one. You will be ask to change the password
|
||||
on the first login.
|
||||
|
||||
## Disable Intel Management Engine State Control
|
||||
Next step is to [Disable Intel Management Engine State Control](https://www.dell.com/support/article/de/de/debsdt1/sln295179/disable-intel-amt-intel-management-engine-state-control?lang=en).
|
||||
|
||||
1. Choose *Intel ME General Settings* from menu
|
||||
1. Choose *Intel ME State Control* from menu
|
||||
1. Choose *Disable*
|
||||
1. Choose *Previous* from menu
|
||||
|
||||
The machine will reboot now. You can still access INTEL AMT but if you
|
||||
enable it again it should use your password and not the default one.
|
||||
|
||||
## Disable INTEL AMT in BIOS
|
||||
> **Attention:** Depending on the used INTEL AMT version you **can not**
|
||||
disable the Intel Management Engine State Control because then the password will be reset. If you don't
|
||||
see any entry to disable INTEL AMT, check if you have installed the latest BIOS version.
|
||||
|
||||
Boot into BIOS and search for the *Intel AMT* entry and enter it.
|
||||
For Lenovo notebooks it's under the menu *Config*. Choose *Disable* and save BIOS settings.
|
||||
|
||||
## Validate password protection
|
||||
Now it's time to check, if the password is reset if you enable it again. Go into BIOS and enable
|
||||
INTEL AMT, save changes and open INTEL AMT with *CTRL + P*. Enable it again, the machine will reboot.
|
||||
Go into INTEL AMT with *CTRL + P* and now you should not be able to login with password *admin*.
|
||||
Now start from scratch and disable it again.
|
||||
@@ -3,7 +3,8 @@
|
||||
"content": [
|
||||
{"intro": "README.md"},
|
||||
{"changelog": "CHANGELOG.md"},
|
||||
{"guides": "book/guides/bookdown.json"}
|
||||
{"guides": "book/guides/bookdown.json"},
|
||||
{"security": "book/security/bookdown.json"}
|
||||
],
|
||||
"theme": {
|
||||
"toc": {
|
||||
|
||||
@@ -7,7 +7,7 @@
|
||||
"authors": [
|
||||
{
|
||||
"name": "Sandro Keil",
|
||||
"email": "social@sandro-keil.de",
|
||||
"email": "github@sandro-keil.de",
|
||||
"homepage": "https://sandro-keil.de"
|
||||
}
|
||||
],
|
||||
@@ -19,7 +19,10 @@
|
||||
"uefi",
|
||||
"arch-linux",
|
||||
"luks",
|
||||
"lvm2"
|
||||
"lvm2",
|
||||
"security",
|
||||
"intel amt",
|
||||
"amd psp"
|
||||
],
|
||||
"require": {
|
||||
"bookdown/bookdown": "^1.1.0",
|
||||
|
||||
Reference in New Issue
Block a user