
I plan to provide a Linux appliance to several users. These users are tech savvy and can easily reset the root password on a standard linux system.

How can I create a running Linux system that keeps even the root user out of the filesystem once protected? (I looked at disk encryption like LUKS but in all cases the root user can gain access to an automounted partition).

How do I solve this problem? Stack Exchange questions like this assume the attacker does NOT have root access, but it seems simple to reset the root password by booting into single-user/recovery mode.

I've read about LUKS, but FDE requires rolling the keyfile into the initramfs (as shown here), and I think you can easily unroll the initramfs and extract the key, so I don't think this solves the problem.

  • This appliance would boot and run without user intervention, so I assume keys are stored somewhere on the disk (I have not used LUKS before). Can they not interrupt bootup at some point if keys are on the fully encrypted disk? Commented Jun 17, 2020 at 13:40

2 Answers


No, it is not possible to reset the root password on a PC with full disk encryption (FDE).

The tutorial linked in that answer you added talks about automounting some non-system drive. With FDE everything below / is encrypted including /root/keyfile.

If you put the keyfile for your system partition on an unencrypted partition (e.g. /boot) for convenience, your friends will be able to read the file, so don't do this.

Read:


Regarding the addition from your comment:

"This appliance would boot and run without user intervention":

Do not allow untrusted users to boot your computer. If users can boot from your encrypted hard drive they either know the password or have an unencrypted keyfile for the encryption and then they can do whatever they want with the computer.

Keep the computer booted, or have some trusted users that are allowed to boot.

  • The second part of the comments would defeat what I am trying to achieve. I need to ship an appliance to a customer, so they will boot/reboot the device as needed. Clicking through several links I found reference to rolling the keyfile into the boot image - but I thought that can be unrolled too? Commented Jun 17, 2020 at 15:27
  • I'm not sure this answer really addresses how to prevent access to the file system from even the root user. (Or could you clarify?) Commented Jun 17, 2020 at 17:24
  • It is not possible to prevent access if you don't use FDE. Using FDE with an unencrypted keyfile is like not using FDE. That is what I meant when I said "they can do whatever they want with the computer." Commented Jun 17, 2020 at 20:44

I found the answer: encrypt the full disk with LUKS, then store the keys in the system TPM. That way the entire disk is encrypted and an end user can't extract the keys from the TPM...very secure:

LUKS with TPM
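An added illustration, not part of either answer and not the code of LUKS, systemd-cryptenroll, tpm2-tools or any real TPM, of what "store the keys in the TPM" buys over the keyfile-in-initramfs approach the question worried about. A keyfile in the initramfs is just bytes in a cpio archive and is recovered by unpacking it. A key sealed to TPM PCRs is only released when the current PCR values equal the ones recorded at provisioning, and every measured component (firmware, bootloader, kernel, kernel command line) is extended into those PCRs in order. The model below uses a toy HMAC-based seal and constructed component strings; the class and function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Toy model of TPM PCR measurement and sealing. It is an added example, not
# the code of LUKS, systemd-cryptenroll, tpm2-tools or any real TPM; the
# component strings below are constructed sample data.

PCR_INIT = b"\x00" * 32  # a fresh PCR is all zeros at power-on


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(measurement)).
    Extend is one-way and order-sensitive, so the final PCR value
    commits to every component that was measured, in sequence."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components):
    """Replay the measured-boot sequence and return the final PCR value."""
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class ToyTPM:
    """Seals a secret to an expected PCR value. The seed never leaves the
    object, which stands in for a key that never leaves the TPM chip."""

    def __init__(self):
        self._seed = secrets.token_bytes(32)

    def _keys(self, pcr_value: bytes):
        # Two per-policy keys: one keystream, one MAC key. Both depend on the
        # PCR value, so a different boot chain yields different keys.
        base = hmac.new(self._seed, b"policy|" + pcr_value, hashlib.sha256).digest()
        pad = hmac.new(base, b"pad", hashlib.sha256).digest()
        mac = hmac.new(base, b"mac", hashlib.sha256).digest()
        return pad, mac

    def seal(self, secret: bytes, expected_pcr: bytes) -> bytes:
        if len(secret) != 32:
            raise ValueError("toy TPM seals exactly 32-byte secrets")
        pad, mac = self._keys(expected_pcr)
        ct = bytes(s ^ p for s, p in zip(secret, pad))
        tag = hmac.new(mac, ct, hashlib.sha256).digest()
        return ct + tag  # this blob can live on unencrypted /boot

    def unseal(self, blob: bytes, current_pcr: bytes):
        ct, tag = blob[:32], blob[32:]
        pad, mac = self._keys(current_pcr)
        if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
            return None  # policy mismatch: the TPM refuses to release the key
        return bytes(c ^ p for c, p in zip(ct, pad))


# Constructed sample boot chain for the appliance, as measured at provisioning.
TRUSTED_CHAIN = [
    b"firmware:vendor-uefi",
    b"bootloader:shim+grub (signed)",
    b"kernel:vmlinuz (signed)",
    b"cmdline:root=/dev/mapper/root ro quiet",
]


def provision(tpm: ToyTPM, luks_key: bytes) -> bytes:
    """Seal the LUKS key to the PCR value the trusted chain produces."""
    return tpm.seal(luks_key, measure_boot_chain(TRUSTED_CHAIN))


def boot_and_unlock(tpm: ToyTPM, blob: bytes, chain):
    """What the initramfs does at boot: ask the TPM for the key under the
    PCR value the actual boot produced. Returns None if the chain changed."""
    return tpm.unseal(blob, measure_boot_chain(chain))


def demo():
    tpm = ToyTPM()
    luks_key = secrets.token_bytes(32)
    blob = provision(tpm, luks_key)

    # Normal boot: measurements match, the key is released, root unlocks.
    normal = boot_and_unlock(tpm, blob, TRUSTED_CHAIN)

    # A user edits the kernel command line to get a root shell (the
    # recovery-mode trick from the question). The cmdline measurement
    # changes, so the PCR value changes and the TPM withholds the key.
    recovery_chain = TRUSTED_CHAIN[:-1] + [b"cmdline:root=/dev/mapper/root ro init=/bin/bash"]
    tampered = boot_and_unlock(tpm, blob, recovery_chain)

    return normal == luks_key, tampered is None


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Two practical points follow from the model. First, the protection is only as good as the PCR selection: a key sealed with no PCR policy, or only to PCRs that do not cover the bootloader, kernel and command line, is released to any boot, including the single-user boot the question describes. With systemd this is the `--tpm2-pcrs=` choice on `systemd-cryptenroll --tpm2-device=auto` and the `tpm2-device=auto` option in /etc/crypttab; the default of PCR 7 alone covers the Secure Boot policy, not the command line. Second, sealing protects the disk against offline reads and boot-chain tampering; once the appliance has booted and unlocked normally, whoever is root on the running system reads the filesystem as usual, so the appliance's own hardening still has to keep users from becoming root.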
