Portal:Aeon/Encryption
Encryption Guide
Overview
All Aeon installs utilise Full Disk Encryption (FDE). FDE protects the data on your computer in the event that it is lost, stolen, or booted into an alternative operating system.
Depending on the hardware available in your system, Aeon's encryption will be set up in one of two modes:
- Default with strong checks of your system's integrity. Default mode automatically unlocks the encryption when your system starts.
- Fallback with weaker/no check of your system's integrity. Fallback mode requires a passphrase to unlock the encryption when your system starts.
Recommended Hardware
In order to install in Default mode, Aeon must be able to detect a Trusted Platform Module (TPM) 2.0 chipset with PolicyAuthorizeNV support, i.e. the chipset must support TPM 2.0 version 1.38 or newer.
If the installation does not detect this Recommended Hardware, you will receive a notification that encryption is being set up in Fallback mode.
Default Mode
In this mode, Aeon will measure all of the following aspects of your system's integrity and store those measurements in your system's TPM:
- UEFI Firmware
- Secureboot state (enabled or disabled)
- Partition Table
- Boot loader and drivers
- Kernel and initrd (including kernel cmdline parameters)
When your system updates, these measurements are automatically updated.
When your system starts, it will compare the current state to the measurements stored in the TPM.
If they match, your system will boot.
If they do not match, there is the possibility your system has been tampered with.
You will be prompted to enter the Recovery Key that was provided during installation.
This should only be entered if you can explain why the TPM measurements do not match the current system, e.g.:
- UEFI Firmware was just updated
- SecureBoot was just changed from enabled to disabled.
- Intentional manual changes were made to the boot loader, kernel or initrd
If you cannot explain why the TPM measurements do not match the current system, you should examine the measured aspects of your system for any sign of tampering or unwanted alteration before using the Recovery Key to boot the system.
Remeasuring Boot Integrity
Manually remeasuring should only be done if you can explain why your system requested the Recovery Key.
In most cases it is as simple as running:
sudo sdbootutil update-predictions
If the remeasuring is required because of a UEFI Firmware upgrade, you will need to use:
sudo sdbootutil --ask-pin update-predictions
And enter your Recovery Key when prompted.
For full re-enrollment, visit this post.
Fallback Mode
In this mode, Aeon will not be able to measure your system's integrity before attempting to unlock the disk's encryption.
It is therefore Strongly Recommended that Secureboot is enabled as this will provide some confirmation that the Bootloader and Kernel have not been tampered with.
You will be prompted to enter a Passphrase during installation, and this Passphrase will be required every time your system starts.
You will also be provided a Recovery Key that can be used instead of the Passphrase in case it is forgotten.
FAQ
"Default Mode unlocks the disk without a passphrase, isn't that less secure than Fallback Mode?"
No. Because Default Mode provides strong checks of your system's integrity, it also protects your system from attacks which would otherwise make it trivial to bypass your usual Username and Password authentication.
For example, most normal Linux systems can have their authentication bypassed by changing the kernel cmdline to boot with the parameter init=/bin/bash. But in Default Mode, such a change would be detected and prevent the disk from being automatically unlocked.
Default Mode's integrity checking also protects against alterations to the initrd, which potentially could be used by an attacker to capture the Passphrase used by Fallback Mode.
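The measure-and-compare behaviour described under Default Mode, and the init=/bin/bash case from this answer, can be modelled in a few lines. This is an added example, not Aeon's or sdbootutil's code: it collapses the TPM's several PCRs and its signed policy into a single simulated SHA-256 register, and all component contents and helper names are constructed for illustration.

```python
import hashlib

def extend(pcr: bytes, event: bytes) -> bytes:
    """PCR extend (SHA-256 bank): new = H(old || H(event)); a PCR cannot be set directly."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def measure_boot(components):
    """Replay a boot from the all-zero reset value, extending each component in order."""
    pcr = bytes(32)
    for _name, data in components:
        pcr = extend(pcr, data)
    return pcr

def unlock_decision(predicted: bytes, components) -> str:
    """Model of the seal: the disk key is released only if the measurements match."""
    if measure_boot(components) == predicted:
        return "auto-unlock"
    return "recovery-key-prompt"

def first_divergence(expected, actual):
    """Name the first measured component that differs (the change to explain)."""
    for (name, want), (_n, got) in zip(expected, actual):
        if want != got:
            return name
    return None

def with_component(boot, name, data):
    """Return a copy of the boot chain with one component's content replaced."""
    return [(n, data if n == name else d) for n, d in boot]

# Constructed sample boot chain: one entry per item Default Mode measures.
GOOD_BOOT = [
    ("uefi-firmware", b"constructed firmware v1.0"),
    ("secureboot-state", b"enabled"),
    ("partition-table", b"constructed GPT"),
    ("bootloader", b"constructed boot loader image"),
    ("kernel-initrd", b"constructed kernel + initrd"),
    ("kernel-cmdline", b"root=UUID=constructed quiet"),
]
PREDICTED = measure_boot(GOOD_BOOT)  # value stored at install / after an update

TAMPERED = with_component(GOOD_BOOT, "kernel-cmdline",
                          b"root=UUID=constructed quiet init=/bin/bash")
FW_UPDATED = with_component(GOOD_BOOT, "uefi-firmware", b"constructed firmware v1.1")

if __name__ == "__main__":
    for label, boot in [("normal", GOOD_BOOT), ("cmdline edited", TAMPERED),
                        ("firmware updated", FW_UPDATED)]:
        print(label, unlock_decision(PREDICTED, boot), first_divergence(GOOD_BOOT, boot))
    # Re-predicting after an explained change restores automatic unlock.
    print(unlock_decision(measure_boot(FW_UPDATED), FW_UPDATED))
```

In this model a firmware update and an edited kernel cmdline produce the same outcome, a Recovery Key prompt; only the person at the keyboard can tell the explained change from the unexplained one.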
"Why is Secureboot strongly recommended for Fallback Mode, but not Default Mode?"
Secureboot uses signed boot loaders, kernels, and kernel modules to establish a 'chain of trust' between a system's UEFI firmware and the boot process.
This can cause complications, such as with third-party kernel modules or even when moving between different Linux distributions.
As Default Mode establishes a strong 'chain of trust' between a more comprehensive list of key boot components, the use of Secureboot in Default Mode can be considered optional.
If Secureboot is enabled in Default Mode, it will be measured and expected to stay enabled. Likewise, if disabled, it will be expected to stay disabled.
As Fallback Mode has no such measurements of boot components, Secureboot should be enabled.
Disabling Secureboot in Fallback Mode leaves your system vulnerable to tampering, including attacks which may capture your passphrase when entered.
Advanced Topics
For more Advanced Topics, including details about the default Key Slot layout and how to add alternative credentials (e.g. Passphrases or FIDO2 keys), please see the Advanced Encryption page.