Kubuntu Focus Security Tools

Full Disk Encryption

Change the disk encryption password immediately after first boot. It is critical you type this carefully, remember it, and keep a copy somewhere safe because THERE IS NO WAY TO RECOVER THE DISK IF THE PASSPHRASE IS LOST! Open a terminal and enter the following:

sudo cryptsetup luksChangeKey /dev/nvme0n1p3 # > Enter passphrase to be changed: # > Enter new passphrase: # > Verify passphrase:

Only one key is used for normal encryption, and two if using a YubiKey. You may see the used slots by entering the following command:

_root_device=$(df |grep --regex=' /$' |cut -f1 -d') echo "Your encrytped disk appears to be ${_root_device}." echo 'Please verify and proceed with caution.' sudo cryptsetup luksDump "${_root_device}", # # > LUKS header information for /dev/nvme0n1p3 # > Key Slot 0: DISABLED # > Key Slot 1: ENABLED ... # > Key Slot 2: ENABLED ... # > Key Slot 3: DISABLED # > Key Slot 4: DISABLED # > Key Slot 5: DISABLED # > Key Slot 6: DISABLED # > Key Slot 7: DISABLED

If you see more keys than expected, you may remove them. Do this carefully and make sure your data is backed-up before proceeding! In the example below, we remove a key from slot 2.

sudo cryptsetup luksKillSlot /dev/nvme0n1p3 2 # > Enter any remaining passphrase:

Use the luksDump command as shown above to ensure the slot has been removed.

Use the following command to add a new key:

sudo cryptsetup luksAddKey /dev/nvme0n1p3

YubiKey

If you purchased a pre-configured YubiKey you won’t need this except to change your password. The procedure below is based primarily on this guide and then verified on the Focus.

Setup

# Become the root user sudo su - # Identify encrypted partition # > ls /dev/nvme0n1p3 # Identify a open LUKS key slot # Slots 1-7 show as open cryptsetup luksDump /dev/nvme0n1p3 # Generate a new, strong challenge password # Pick something you can remember! cryptsetup luksChangeKey /dev/nvme0n1p3

Install Necessary Packages

wajig install yubikey-luks

Configure YubiKey

ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible # > # > Firmware version 5.2.4 Touch level 1283 Program sequence 3 # > # > Configuration data to be written to key configuration 1: # > # > fixed: m: # > uid: n/a # > key: h:50d779456fb7325fd91f2c543092b5178c4174cd # > acc_code: h:000000000000 # > OATH IMF: h:0 # > ticket_flags: CHAL_RESP # > config_flags: CHAL_HMAC|HMAC_LT64 # > extended_flags: SERIAL_API_VISIBLE # # > Commit? (y/n) [n]: y

Create Config File

echo 'WELCOME_TEXT="Please enter YubiKey password" CONCATENATE=0 HASH=0' > /etc/ykluks.cfg

Save LUKS Config to Key Slot

yubikey-luks-enroll -d /dev/nvme0n1p3 -s 1 # > setting disk to /dev/nvme0n1p3. # > setting slot to 1. # > This script will utilize slot 1 on drive /dev/nvme0n1p3. If this is not what you intended, exit now! # > Adding yubikey to initrd # > Please insert a yubikey and enter a new password. This is the password that will only work while your yubikey is installed in your computer. **************** # > Please enter the yubikey password again: **************** # > You may now be prompted for an existing passphrase. This is NOT the passphrase you just entered, this is the passphrase that you currently use to unlock your LUKS encrypted drive. # > Enter any existing passphrase:

Enter your passphrase.

Modify Crypt Table

Modify /etc/crypttab to include the keyscript option as shown. Notice your UUID value will be different!

UUID=98cfc3a4-dfd8-4cb4-8016-a3a62649d5a0 none luks, keyscript=/usr/share/yubikey-luks/ykluks-keyscript, discard

Update System RAM Disk

#update the initial Ramdisk update-initramfs -u

Reboot and Test

Reboot and insert Yubikey on the initial passphrase screen to test your password. You should be able to use your YubiKey passphrase or your regular passphrase. We suggest always keeping your first passphrase but ensure it is long and complex. This provides a method to use the system even if you lose your Yubikey. As always, store your passphrases safely.

Kleopatra

Kleopatra is a certificate manager and a universal crypto GUI. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers.

Connect with Secure Shell

Secure Shell (SSH) is a versatile tool. One can use it for remote access, port forwarding, tunneling, and secure file transfers. It is supported by many graphical tools on Linux. The Dolphin file manager, for example, supports secure file transfers using sftp.

A default configuration is provided and annotated in .ssh/config for all new users. You may study it to see how to maintain constant connection and add shortcuts for specific hosts.

Virtual Private Networks

OpenVPN is installed to ease connection to corporate networks. However, there are many other VPN clients which we will detail as needed.

Troubleshooting

Content will be added as needed.

Revisions

This is a partial revision history. See the git repository for all entries.

2020-06-10 c4ed9299 Restructure layout

Disclaimer

We try hard to provide a useful solution validated by professionals. However, we cannot anticipate every situation, and therefore cannot guarantee this procedure will work for your needs. Always backup your data and test the solution to determine the correct procedure for you.

THIS SOLUTION IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOLUTION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.