One of the standards that has become normal in the US federal sector is the requirement that all mobile devices, such as laptops, have encrypted drives. This was a direct result of a number of laptop thefts earlier in the decade that resulted in the supposed leaking of personal information. As a former federal contractor, I watched a number of successful and not so successful methodologies implemented and deployed. Some resulted in real data protection and some resulted in wonderful bricks. In some cases on a regular (read daily) basis.
One of the more successful tools is the Trusted Platform Module (TPM) chip. When properly implemented, it allows you to improve encryption and ensure that your disk remains secure even if it is removed from your laptop, greatly enhancing security. So, imagine my surprise, upon rejoining the private sector, to find that my new company does not have a policy for encrypting laptops, even though almost every individual in the company has one.
I was issued a brand-new Dell, with a TPM chip and Windows XP on it. Of course, the first thing I did was download a copy of Fedora and set about reformatting the machine, which included setting up the TPM, installing ext4, and enabling Linux disk encryption. Then I went along my merry way, not really thinking about it. That was six months ago.
Like most laptop users, when disk space gets low, you have two options: replace the disk with a larger one and reinstall, or clone the disk to a larger one. After only six months, I was in no mood to do a reinstall, so I decided I would go the clone route. But wait, I had a TPM-protected, encrypted disk. How was I supposed to do this? Surely this was a routine sort of thing. So I set out to the Internet and did some research. And was underwhelmed with what I discovered. Essentially, while there are a number of sites that will tell you how to clone your disk (something I am very familiar with), there are almost none that talk about the issues of encryption. Which left me in a bit of a quandary.
Finally, I decided to give it a shot and hope that I could make it work. The first question was what tool to use. I decided to go with dd because it does a bit-for-bit copy, rather than needing access to the file system. This is important because the disk, for the most part, is encrypted.
The other decision I made was to remove the disk from the machine and put it in a cage and put the second disk in a cage as well. I then booted the diskless machine with a LiveCD (I used Fedora 14 desktop) and connected the disks. Sure enough, my encrypted disk popped up and I got a warning indicating that it was encrypted. I canceled the option to type in my password and connected my second disk and set to work doing the copy.
I was moving some 150 GB of disk from one machine to another, via USB. It took close to ten hours to do this successfully. So while dd worked, there are probably faster alternatives. Your mileage may vary.
After the copy was successful, I installed the new disk, pushed the power button and crossed my fingers. I am happy to report that the drive fired up, and after a successful password, decrypted itself and I was back in business.
But wait a minute... Yes, what about the TPM chip? Remember that one of the things a TPM chip is supposed to do is prevent me from reading a disk not attached to the motherboard. I should not only not have been able to read it once mounted in the cage, I should not have been able to copy it at all - at least not to any sort of usable form. And I did. Why? Well, my leading thought is I did not set up the module correctly or that Dell has not set it up correctly to add the additional level of protection to the disk. It is also possible I did not install Linux in such a way as to take advantage of the chip. In either case, while I am getting security through the Linux-based disk encryption, I am not getting any additional protection from the TPM chip.
The takeaways, then, are these. You can use dd to copy Linux-encrypted disks successfully. And never assume you are secure unless you test your security. Better yet, have someone else test it. Chances are you are not as secure as you think you are.
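One way to test the TPM question raised above, as an added example that is not part of the original post: the script reads the text of `cryptsetup luksDump` and reports whether any keyslot is tied to a TPM token or whether the secret alone unlocks the disk on any machine. The function name, the verdict labels and both sample dumps are constructed for illustration, and it assumes only `systemd-tpm2` tokens count as TPM-bound.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Reads `cryptsetup luksDump` text
# on stdin and reports which keyslots are tied to a TPM token. Assumption: only
# "systemd-tpm2" tokens count as TPM-bound; other token types are not classified.
luks_binding_report() {
  awk '
    /^Version:/                   { version = $2 }
    /^Key Slot [0-9]+: ENABLED/   { slots[$3] = 1 }        # LUKS1 layout
    /^[A-Za-z][A-Za-z ]*:[ \t]*$/ { section = $0; next }   # "Keyslots:", "Tokens:"
    section ~ /^Keyslots:/ && /^[ \t]+[0-9]+: / { slots[$1] = 1 }
    section ~ /^Tokens:/   && /^[ \t]+[0-9]+: / { ttype = $2 }
    section ~ /^Tokens:/   && $1 == "Keyslot:" && ttype == "systemd-tpm2" { tpm[$2 ":"] = 1 }
    END {
      for (s in slots) { if (s in tpm) bound++; else other++ }
      verdict = "no-tpm-binding"               # secret alone unlocks it anywhere
      if (bound > 0) verdict = (other > 0) ? "tpm-plus-fallback" : "tpm-only"
      printf "version=%s tpm_slots=%d other_slots=%d verdict=%s\n",
             version, bound, other, verdict
    }'
}

# Constructed sample: abbreviated LUKS1 dump with one passphrase slot.
sample_luks1() { cat <<'EOF'
LUKS header information for /dev/sdb2
Version:        1
Key Slot 0: ENABLED
Key Slot 1: DISABLED
EOF
}

# Constructed sample: abbreviated LUKS2 dump, passphrase slot 0 and TPM slot 1.
sample_luks2() { cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        Keyslot:    1
Digests:
  0: pbkdf2
EOF
}

sample_luks1 | luks_binding_report
sample_luks2 | luks_binding_report
# Real device (as root): cryptsetup luksDump /dev/sdX | luks_binding_report
```

A `no-tpm-binding` verdict matches what happened here: the header and its keyslots travel with the dd copy, so the passphrase opens the clone on any machine.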
The Move To Linux