
I have Ubuntu 19.10 with full disk encryption. The encryption is effective as long as the system is turned off or restarted. Otherwise the data is unencrypted behind a locked screen, which may not be very secure.

I wish to protect against:

  1. mechanisms that bypass screen lock (I have disabled SysRq, but there might be other ways too)
  2. cold boot attacks
  3. attacks through DMA, network, WiFi/Ethernet, physical ports, etc

What's the best way to proceed? Can I have a home encryption on top of full disk encryption, and set the screen lock such that the same password will unlock and decrypt the home drive (I don't want to enter two passwords)?

Is there any secure screen lock (no bug, no vulnerability against X11 crashes, etc)?

The OS + encryption should be able to protect the system 100 percent (except for cold boot attacks which mostly aren't practical: the data rapidly deteriorates).

  • Does this answer your question? Breaching security of a notebook with full disc encryption when screen is locked Commented Feb 14, 2020 at 21:13
  • No. I had read that. It just says that there are hardware attacks. That's question 3. The post doesn't provide any answer. Commented Feb 14, 2020 at 21:22
  • What about evil maid attacks? Commented Feb 15, 2020 at 1:10
  • How do you think SysRq would let someone bypass your screen lock? Commented Mar 22, 2020 at 20:01

1 Answer


Based on my understanding, what you're looking for is a combination of a few different things that are likely too broad for a single question.

This should give you an idea of how to encrypt on suspend in Linux.

Is there any secure screen lock (no bug, no vulnerability against X11 crashes, etc)?

Nothing is totally secure and immune from bugs or vulnerabilities. I would shop around and weigh different options. One thing to keep in mind is that you may face incompatibility issues between a custom lock screen application and your desktop environment (if applicable).

Can I have a home encryption on top of full disk encryption, and set the screen lock such that the same password will unlock and decrypt the home drive (I don't want to enter two passwords)?

This will depend on the implementation of your particular lock screen and encryption setup.

Protecting against cold boot attacks and against physical port access or tampering is a whole other set of issues, with plenty of material written on them at your fingertips. You'll gain more traction by doing some research on each, picking out specific areas you want clarification on and asking them as separate questions.
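As an added illustration of the "one password for login and home" part of the question (this is not from the answer above, and not the only way to do it): pam_mount can open a separate LUKS volume for /home/alice with the same password the user typed at login. The user name, mount point and the UUID placeholder below are assumptions; the LUKS volume must already hold a key slot whose passphrase equals the login password.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
  /etc/security/pam_mount.conf.xml (example, assumed layout)

  Ubuntu's libpam-mount package normally wires pam_mount into the PAM stack
  via pam-auth-update; the equivalent lines, if added by hand, are:
      /etc/pam.d/common-auth:     auth    optional pam_mount.so
      /etc/pam.d/common-session:  session optional pam_mount.so
  The auth line must come AFTER pam_unix.so so pam_mount sees the password
  that has already been verified, then reuses it as the LUKS passphrase.
-->
<pam_mount>
  <debug enable="0" />

  <!-- fstype="crypt" makes pam_mount call its mount.crypt helper, which runs
       cryptsetup with the login password as the passphrase. The UUID is a
       placeholder; take the real one from `blkid` on the home partition. -->
  <volume user="alice"
          fstype="crypt"
          path="/dev/disk/by-uuid/PLACEHOLDER-HOME-LUKS-UUID"
          mountpoint="/home/alice"
          options="noatime,nodev,nosuid" />

  <!-- Create the mount point on first login; remove it again on unmount so a
       stale, unencrypted directory never sits under /home when the volume
       is closed. -->
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
```

Note the scope: pam_mount opens the volume at login and closes it only when the user's last session ends, so locking the screen does not re-encrypt anything; covering the locked-but-logged-in state is the separate "encrypt on suspend" mechanism the answer links to.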
