Password protection for LUKS encrypted laptop

Halfway past November, a vulnerability in the LUKS Full-disk encryption for linux systems was discovered (CVE-2016-4484). Since I use this on my laptop, it caught my attention immediately. Due to the simplicity of the vulnerability (hold the return/enter key for +/- 70 seconds and get a initramfs shell) I went searching for a solution online. Numerous blogs are written on securing the Grand Unified Bootloader (GRUB). Since this vulnerability was published, numerous posts were added to that list about how to quick-fix GRUB. But I spent quite some time finding all information and putting a working configuration together. My current system is Ubuntu Linux 16.04LTS using EFI boot with GRUB and below are the settings and parameters for securing GRUB against unauthorized access to your system.

Preventing the LUKS vulnerability

First step is to prevent the 70 second security bypass. This can be done by adding a simple panic=5 paramter to theĀ GRUB_CMDLINE_LINUX_DEFAULT= line in /etc/defatult/grub

# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
# info -f grub -n 'Simple configuration'
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="panic=5 quiet splash"

However, anyone with physical access to the system would be able to change anything in the GRUB configuration. Simply pressing ‘e’ while booting enables you to edit the GRUB configuration and following it with CTRL-X allows you to start that modified entry.

Password protecting GRUB from editing

Protecting GRUB with a password has changed in numerous ways over time. Various blog posts can be found on how to do it. Some say you should start a grub shell to create an md5 password hash. Some say you should simply add the password to your grub.cfg file in plain text. Both are not very secure and, adding it to grub.cfg, the first few lines already say it, that file gets overwritten each time automatically when installing new kernels. Therefore, two steps should be taken. First, a tool called grub-mkpasswd-pbkdf2 is included to create a secure password hash. It creates a sha512 password hash which you can include in the /etc/grub.d/40_custom in the right format

user@host~# grub-mkpasswd-pbkdf2 
Enter password: (not visible while typing) 
Reenter password: (not visible while typing)
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.37CECDE25B70E1C9<Truncated>

Once you got the hash, put it, together with the username in /etc/grub.d/40_custom

exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
#add users
set superusers="username"
password_pbkdf2 username grub.pbkdf2.sha512.10000.37CECDE25B70E1C9<Truncated>

Since a password is already required to unlock the encrypted partition, I do not want to type in an additional password while booting the system. Therefore, one additional change must be made to the GRUB configuration files. The easiest way to do this is by adding –unrestricted to the CLASS= field of /etc/grub.d/10_linux

CLASS="--class gnu-linux --class gnu --class os --unrestricted"

As soon as you have added this, run grub-mkconfig and update-grub to install the changed parameters in GRUB and reboot your system. Editing any entries in grub will require the set GRUB password. Booting the system will require only the LUKS encryption password. When anyone tries to circumvent the LUKS encryption, the system will reboot itself and fall back to the GRUB boot-screen but nothing can be accessed.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.