mortar
cryptboot
mortar | cryptboot | |
---|---|---|
17 | 5 | |
208 | 199 | |
- | - | |
5.9 | 0.0 | |
5 months ago | 5 months ago | |
Shell | Shell | |
GNU General Public License v3.0 only | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
mortar
-
WTF is a KDF? A startling revelation from a French prison
Bruteforce of such random password is just not plausible and talks about KDF "weakness" is just a distraction. I think most likely it was evil maid attack.
Here are projects which try to mitigate some of evil maid attack risks:
https://github.com/noahbliss/mortar
https://safeboot.dev/
-
Installation with full-disk, two-factor encryption, secure boot, and TPM
Secure boot and TPM support (à la Mortar: https://github.com/noahbliss/mortar)
-
Complying with the future: Secure Boot and TPM unclocking
There are tools that look to be able to automate it: https://github.com/noahbliss/mortar/blob/master/docs/proxmox-install.md
-
Prevent backup of vTPM2.0 state?
I just went through the process of setting up new ubuntu VM's using full root disk LUKS encryption and auto-unlock via Proxmox's vTPM2.0 and UEFI ( via this extremely helpful resource https://github.com/noahbliss/mortar )
-
tpm2 + luks + ubuntu 18 setup?
I have used this project with Debian+proxmox and it's been working great. https://github.com/noahbliss/mortar but I did read the arch wiki a bit which helped my understanding.
-
What do you don't like about Linux? What is Windows doing better?
There's a project called "mortar" (as in, gluing all these bricks together) that was attempting to simplify this. Though it's lost steam, reading through it's simple bash scripts was a great place to start for me. This guide for Fedora also helped a lot.
-
Authenticated Boot and Disk Encryption on Linux
There have been a number of attempts to solve this problem, but the most complete appear to be Mortar (a project I head) and safeboot.dev
I highly recommend taking a look at either of these projects if you want be able to improve both your convenience through auto unlocking, and security through broadened scope of audit.
https://github.com/noahbliss/mortar
https://safeboot.dev
-
Best Evil Maid prototcol for Linux?
Check out mortar. It uses secure boot and TPM along with LUKS. The creator is super helpful and available on the telegram.
-
Mount encrypted volume at boot?
A more advanced approach would be something like mortar to chain-load signed stuff.
-
Will Proxmox be able to run Windows 11?
There seems to be a workable solution out there for 2.0: https://github.com/noahbliss/mortar/blob/master/docs/proxmox-install.md
cryptboot
-
Setting up Secure Boot, but the wiki doesn't provide enough info I think
I just completely cheated by using cryptboot. Then it is as simple as cryptboot-efikeys create, then to enroll them into your eufi, cryptboot-efikeys enroll and finally to sign any efi executable (or any file), cryptboot-efikeys sign $FILE. There are other helper scripts, but I don't use them. Full documentation is on their GitHub: https://github.com/xmikos/cryptboot. Good luck!
- Authenticated Boot and Disk Encryption on Linux
-
Physical security tips & recommendations
Prevent evil maid by bringing your devices everywhere. Or you can just switch to GNU/Linux and add https://github.com/xmikos/cryptboot
-
Unencrypted boot partition risks
I think it was this one: https://github.com/xmikos/cryptboot
-
Cool new things on linux world for fresh installation and a bit of my usage different things.
Also, I am pretty sure that you can only have encrypted /boot if you use GRUB. The point of doing so is not really to make sure nobody reads it (there isn't anything interesting on /boot by default), but to make sure that nobody can tamper with it (ignoring the encryption vs authenticated encryption discussion). However, you still have to make sure nobody can tamper with GRUB itself. You might want to check out https://github.com/xmikos/cryptboot if this sounds interesting. Also, there are similar solutions that don't use encrypted /boot, for example booting from signed EFISTUBs, see https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot. Also, I don't actually use this kind of setup personally (albeit I'd like to one day), and I am certainly not a security expert, so take this whole paragraph with a big grain of salt, and double check with somebody who actually knows what they are talking about.
What are some alternatives?
sbctl - :computer: :lock: :key: Secure Boot key manager
swtpm - Libtpms-based TPM emulator with socket, character device, and Linux CUSE interface.
dotfiles - :unicorn: My personal dotfiles
clevis - Automated Encryption Framework
heads - A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment for laptops, workstations and servers.
linux-secureboot-kit - Tool for complete hardening of Linux boot chain with UEFI Secure Boot
safeboot - Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support
solo1 - Solo 1 firmware in C
sbupdate - Generate and sign kernel images for UEFI Secure Boot on Arch Linux
qubes-antievilmaid - Qubes component: antievilmaid
tpm2-totp - Attest the trustworthiness of a device against a human using time-based one-time passwords