Exclusive Authentication Token

MasonicMazer · January 18, 2025, 1:03pm

Proposal for Exclusive Authentication Token:

system multifactor auth and killswitch in one user-tethered dongle

Secure boot can be implemented in Kicksecure for platform binding, but what about other hardware-engaging options like locking LUKS with a security key?

search: support nitrokey com – Unlocking LUKS with a USB key on Fedora/Qubes
search: Fedora forum - which dracut method (Yubikey)
What does the Kicksecure team think about measured boot (HEADS BIOS) and Anti-Evil Maid (see AEM - Qubes OS + TPM)?

BusKill by Michael Altfield (on github) utilizes an app that triggers a hotplug removal event (in libusb) and a specific drive and port can be designated (usb: 00x , 00x) so that other USB devices do not trigger the shutdown.

Therefore, a single usb device could both authenticate LUKS cryptab with FIDO (biometric and/or unique physical token) and trigger a hotplug removal event in libusb on the BusKill application (python, sha256, .btz).

Would Kicksecure approve of this feature or can anyone on the development team find any security flaw with this technique being implemented?

In TAILS OS, all one has to do is attach a lanyard to the TAILS USB device and wrap the cord around your wrist. If the computer is forcefully removed from you, both the shutdown sequence is initiated and the RAM is cleared and persistent storage is again locked in the FDE state. However, if developer mode is and security-misc is fully enabled on Kicksecure, one has to wait for sudo shutdown and if unencumbered on the stable or testing mode, the computer could be stolen while in an unlocked state.

Patrick · January 20, 2025, 7:43am

TPM for Full Disk Encryption (FDE)…

Not a priority.
TPM
Ubiquity / LVM / TPM

Planned.

Boot Block versus TPM
Boot Block Based Attacks Against Measured Boot
and that page Verified Boot - Kicksecure generally
Created forum topic Verified Boot just now.

maltfield · January 20, 2025, 8:07pm

In general, I really like the idea of using hardware security tokens (USB, TPM, HSM, etc) for use as a second factor.

Unfortunately, we see a lot of systems (ab)using this tech as a single factor. I think it would be wise to make sure your LUKS unlocking always requires the user to input a something-you-know secret.

We do have at least one BusKill user who uses a YubiKey to both unlock their computer and trigger a lockscreen when removed.

Edit: apparently I can’t add links to this forum, but just search for “humandecoded qubes yubikey buskill”

Patrick · January 21, 2025, 12:41pm

You should be able to post links now.
(Posting Links for New Users)

Patrick · January 21, 2025, 1:26pm

Right.

Improved chapter TPM plus Password a bit just now.

Full disk encryption password as first factor (something you know) plus a TPM as a second factor (something you have).

At the time of writing, this is unavailable in any Linux distribution. See the comparison table below.

TPM Encryption Comparison Table

Quiksilver · January 22, 2025, 12:53am

How exactly does that work?
Would you have to have the Yubikey plugged in the whole time then unplug it when you leave the workstation?

Also nice work on BusKill BTW I’m a bigly impressed.

maltfield · January 30, 2025, 4:58pm

@quiksilver please see:

Qubes OS - Yubikey + BusKill