Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disc encryption (on hibernate) #42

Open
6 tasks
alice-sowerby opened this issue Dec 11, 2024 · 0 comments
Open
6 tasks

Disc encryption (on hibernate) #42

alice-sowerby opened this issue Dec 11, 2024 · 0 comments
Assignees
Milestone

Comments

@alice-sowerby
Copy link
Member

alice-sowerby commented Dec 11, 2024

User Story

As a user who works with sensitive data I want my laptop to encrypt all data in memory when it goes into hibernation so that it is safe from cold-boot attacks, and safe if my laptop is lost or stolen.

Implementation Notes

Where functionality is already supported/available, it still should be documented for usability purposes.

Acceptance Criteria

  • Full disk encryption that includes the boot partition. I believe ZFS should already support this.
  • Support for the AES family of encryption algorithms 128bit and 256bit, SHA256 and SHA512, CCM and GCM modes. I believe OpenZFS already supports these .. e,g. aes-256-gcm
  • Password based key derivation. Meaning upon boot, the boot loader will ask for a password to decrypt the drive. This password will be converted to an encryption key (very standard) for the decryption.
  • The ability to change this password at a later date without having to reencrypt the drive. ZFS has this.
  • [NEW to ZFS disk encryption] we need to be able to encrypt the swap partition or a swap file that stores the RAM from a hibernation event. Linux does something like this. https://wiki.alpinelinux.org/wiki/Full_disk_encryption_secure_boot
    NOTE: Basically you setup the boot loader to look for a physical offset on the encrypted drive that houses the swap file. This is not a requirement it could be a swap partition. If the swap file is used and sitting on the / drive then if you encrypt the root drive you are by default encrypting the hibernation state. The trick is pointing the kernel to this location to decrypt it. Alternatively you can have the hibernation store state in the swap partition. In this case we just have to know the swap partition is encrypted.
  • When resuming a hibernation, invoke the boot loader, enter a password and resume the state from the swap file or swap partition.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Backlog
Development

No branches or pull requests

2 participants