Setting Up A Memory Key With Secureboot

Passphrase or Memory Key?

Over time I got used to providing my passphrase during the boot process, but sometimes I wished there was a shortcut that would safe me the hassle to open up my container with the information inside my head. At times when my laptop was safely located in a place where surely nobody else would use it, being prompted for a passphrase seemed to be an unnecessary precaution. So I included the option to provide the passphrase by inserting a memory key into the computer.

This is of course a weaker procedure and the circumstances have to be considered to justify such a shortcut, but I designed this option in a way that the passphrase can only be replaced if two separate pieces of information are used together. If someone stole my laptop without the memory key, it should be infeasible to gain any knowledge of the passphrase that protects my encrypted container.

The secureboot package installs without activating this option, but if you wish to configure the memory key procedure safely, you can use the script "/usr/lib/secureboot/createOTP" to compute the two different pieces of information you'll need to set up the memory key option in the file "/etc/init.d/secureboot2" by hand.

The following command will do the job for you:

#> /usr/lib/secureboot/createOTP your-secure-passphrase

First of all the scripts creates a ramdisk to store the information that eventually will only be stored on the memory key and nowhere else. To create the OTP that is displayed on the terminal, random numbers are read from the Linux random number generator /dev/random. The OTP from the terminal is an XOR of the random bytes and your passphrase, while the content of the file "/ram/securebootkey" is an XOR of the OTP and your passphrase. So both pieces of information are needed to recover the passphrase, and every piece alone is masked with random data to give no indication about your passphrase at all.

Preparing the Memory Key

As a precaution I have stored the file "securebootkey" in a ram disk, so that no unintentional copies remain on your computer's file system. Please copy the file "/ram/securebootkey" to a memory key and find out which device file (ie /dev/sdb1) is used when your memory key is being mounted. You have to edit the file "/etc/init.d/secureboot2" by hand to specify the device file for the memory key and to put the OTP information into this file.

There is a second file in the ram disk "/ram/securebootkey.sha1" which is a hash of the securebootkey. This file should be stored in the directory "/usr/lib/secureboot" to enable the service to check if a keyfile stored on the USB memory key is legitimate. Tripple check that you copied the hash value (41 bytes) to "/usr/lib/secureboot" and not the securebootkey itself. The only place the file "securebootkey" should end up is the memory key, and maybe a backup in some safe place somewhere.

You can now check if the encrypted container is available when the USB memory key is inserted into your computer. And don't forget to store your USB memory key away in a safe place whenever it is not used to replace your passphrase.

Don't allow yourself to become negligent in this regard.