disk encryption – “Best” transparent Linux consumer FDE setup options? (e.g. unlocking LUKS/etc without manually entering passphrase)

Summary: I’m looking at Linux FDE options that are transparent to the user (my parents) in that the user doesn’t need to enter 2 passwords. I am stating each option I found/thought of and then what I think the security implications of each are. Wanting to see if anything is inaccurate/missing. This got a bit longer than I intended… sorry about that but I don’t see any obvious stuff I could cut out. Tried to add formatting/etc to make it more readable though.

Now that my previous mistaken concerns that LUKS was vulnerable have been addressed and my (mis-)understanding corrected, I am continuing to look into using it for a Linux FDE /home partition setup. For myself, I am fine with typing out 2 passwords (LUKS + system login). But I was also interested in setting up FDE on my parents’ systems as a basic precaution against physical theft. My parents absolutely will not bother with FDE if they have to type multiple passwords and have stated they would rather not be protected than have to type a second password (basically, this is a real-world example of AviD’s Rule of Usability: “Security at the expense of usability comes at the expense of security.”).

For their systems, we would probably be going with either Fedora 33 (Cinnamon spin) or Linux Mint 20. I realize that there is a subjective decision that has to be made based on security vs. convenience. But first, I want to make sure that I correctly understand all of the options and the objective security implications before I discuss / recommend things to them. Assuming that manual entry of passphrase(s) during boot/login process is off the table, I think the following options all would work (with varying levels of security and maintenance):

  1. Local-file auto-unlock: Set up an auto-unlock with /etc/crypttab pointing to a local file and then mount the resulting encrypted drive in /etc/fstab. My understanding from the crypttab man pages is that (unless using _netdev as in option 3 below) it only supports either a binary keyfile, a text file containing plaintext password, or a plaintext password with no spaces entered directly in crypttab itself. I think that in all of these scenarios, if an attacker has stolen the physical computer, it would then be trivial to gain access to the unencrypted files simply by booting up any live disc and using the password/keyfile to unlock the container just as the auto-mount does, no special tools required. IIUC, this is even worse than no FDE as it gives a false sense of security… I don’t think I would really even consider this and am just listing it in case I have grossly misunderstood something.

  2. USB-file auto-unlock: Same as option 1 but I could store the keyfile on a removable USB stick. Since my parents are very likely to leave the USB stick in the computer at all times (or at best to keep on the desk next to the computer), I don’t see this option as being any better than option 1. Perhaps even slightly worse bc it requires buying a usb stick and hogging one of the ports. Likewise, I don’t think I would consider this either but pretty sure someone would suggest it if I didn’t mention why it won’t work for us.

  3. Network-file auto-unlock: Same as option 1 but store the keyfile on a networked device. To prevent the server device from being physically stolen along with the actual client PC, my best bets would either be to have something “in the cloud”/connected via remote storage OR to have a small device like a RaspPi that I can hide somewhere just for this purpose. Personally, I’m not too fond of the idea of cloud/remote keyserver connected via internet: I’ve never really trusted “the cloud” w/r/t important data, I perceive internet to be greater risk than LAN, and I’d probably get bitched at about multiple password entries if the internet went down (they’re semi-rural so it’s happened here and there). The RaspPi sounds like something I could manage to set up on the LAN. But as I haven’t been following IOT stuff at all, I’m unclear if IOT security has managed to improve from “garbage” to something worth possibly considering. If it has, the main downside I can see is that I would need to spend some time learning ARM-stuff and then also maintain/update an additional device.

  4. Tang-server auto-unlock: I am not sure if this is different from option 3. When I originally read about _netdev option in the crypttab man pages, I got the impression it was just a network-hosted keyfile on something like fileserver/NFS/samba. When I later ran across some Redhat documentation and opensource.com mentioning using Network-Bound Disk Encryption (NBDE) via a tang+clevis server setup, I assumed it was a different setup. But maybe they are the same? I am guessing that if they are different, then this option will have most of the same pros and cons, but it will come down to security of tang+clevis vs security of fileserver/NFS/samba – where I would expect the more specific implementation (tang) to win.

  5. Linux password auto-unlock: Make passphrase the same as the user password and replace /etc/mounttab mappings with something like pam_mount. IIUC, there is some risk here that someone could boot up a Kali (or other) livedisc, look at the hashes in /etc/shadow and then run those hashes through some kind of cracking utility to help guess the password… something like a smarter brute-force that only targets matching hashes. This option is very hard for me to evaluate as I don’t know how to do this myself and am not really sure how easy/difficult this is for an attacker to actually pull off. Plus, I know my parents’ login passwords are not typically anywhere near as strong as my own which I suspect might make such an attack easier (but again no clue how much easier). If such an attack is not that easy, then this could be a really good option for me as it’s probably a lot less work to set up/maintain than a key server.

  6. Skip FDE and just use VeraCrypt container: Not my favorite option (some files will probably be left in the open due to human nature/human error, browser profiles unprotected, and unencrypted copies of moved files might be viewable via recovery software). But I think I’ve gotten them used to storing important passwords in a password manager so they could just copy/paste that in when opening it. And more importantly, it would only be when they are working with important files – no 2nd password to enter on a regular basis. I suspect they’d still veto this option but I’ll keep it on the table until then.

  7. Cheat: If they just don’t want to enter 2 passwords, I could probably set up a LUKS container normally (requires passphrase during boot via crypttab) and then setup a normal/non-root/non-sudoer user that does not require any password and just automatically logs right in. My gut reaction is to not do this but I can’t properly articulate / think of how to explain why this option would be “bad”. Only thing I can come up with is if the luks container doesn’t get locked on screensaver/sleep (and I don’t think it does by default – at least not in Cinnamon desktop), then anybody could just sit down and get the data without needing to physically steal the pc. But if that’s all there is, then I might be able to script a solution.

So my questions are:

A. Is my understanding of the security implications for the options above correct (especially on options 3-5)? If not, what did I get wrong/miss?

B. Are there any other options/solutions that might work in this situation?

C. If you have/had a similar situation what would you choose and why? (If it helps, I am mostly interested in finding other things that I haven’t thought of or things I haven’t thought through well enough). LUKS has been around almost 2 decades… Surely I can’t be the only – or even the first – person trying to handle this type of situation 🙂

D. Consider this a bonus question / fine if you skip it. But for option 5 (linux password/pam_mount), I will admit that I am also a bit curious if my own passwords would fare any better for an attack that targets the hashes in /etc/shadow. Assuming I were to set up some dummy accounts on an old box and grab a Kali live disc, what tool(s) should I look into if I wish to attempt to see how good/bad that option is on my own? I am fairly proficient with Linux and Java but still haven’t gotten around to learning to do my own pentesting/whitehat stuff. Or if I need more knowledge than just googling a specific linux tool, is there a book / tutorial / online course that you might recommend?
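
Added example (not part of the question above): a small audit that reads crypttab-style lines and reports where each volume's unlock key comes from, which is the distinction options 1 to 4 turn on. The sample crypttab is constructed, and the category names are this example's own labels, not crypttab terminology.

```python
# Added example: classify crypttab entries by where the unlock key comes from.
# SAMPLE_CRYPTTAB is constructed for illustration; category names are ours.
SAMPLE_CRYPTTAB = """\
# name       device          key field                  options
home_prompt  UUID=1111-aaaa  none                       luks
home_local   UUID=2222-bbbb  /etc/keys/home.key         luks
home_usb     UUID=3333-cccc  /home.key:LABEL=KEYSTICK   luks,keyfile-timeout=10s
home_net     UUID=4444-dddd  none                       luks,_netdev
swap         /dev/sda3       /dev/urandom               swap
"""

RANDOM_SOURCES = {"/dev/urandom", "/dev/random"}
# Kinds where the key sits on media likely to be stolen along with the PC.
UNATTENDED_KINDS = {"local-keyfile", "removable-keyfile"}


def classify(line):
    """Return (name, kind) for one crypttab line, or None for blanks/comments."""
    fields = line.split()
    if len(fields) < 2 or fields[0].startswith("#"):
        return None
    key = fields[2] if len(fields) > 2 else "none"
    opts = fields[3].split(",") if len(fields) > 3 else []
    if key in ("none", "-"):
        # _netdev only delays unlocking until the network is up; the key then
        # comes from a prompt or from an agent such as clevis.
        kind = "netdev" if "_netdev" in opts else "prompt"
    elif key in RANDOM_SOURCES:
        kind = "random-key"          # throwaway key, typical for swap
    elif ":" in key:
        kind = "removable-keyfile"   # systemd "path:device" form (option 2)
    else:
        kind = "local-keyfile"       # file on a local filesystem (option 1)
    return fields[0], kind


def audit(text):
    """Map each volume to its kind and list those unlocked by a stored key."""
    kinds = dict(filter(None, map(classify, text.splitlines())))
    flagged = sorted(n for n, k in kinds.items() if k in UNATTENDED_KINDS)
    return kinds, flagged


if __name__ == "__main__":
    kinds, flagged = audit(SAMPLE_CRYPTTAB)
    for name, kind in kinds.items():
        print(f"{name:12} {kind}")
    print("unlocked by a stored keyfile:", ", ".join(flagged))
```

Whether a flagged local keyfile is a problem depends on where the file lives: on an unencrypted root filesystem it can be read from any live disc, which is the situation option 1 describes.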

mutter – Transparent container on half screen in Ubuntu 20.04

Basically, I closed my laptop lid at night and normally it would go to sleep. But in the morning, when I opened it, it didn’t start at the login screen but on the page where I left it, and it was unresponsive. So, I again closed and opened the lid and this time it started normally.

After signing in, I was welcomed by a nearly transparent container in the right-half of my window.

  1. It doesn’t cover the top activity bar.
  2. It doesn’t interfere with any contents or clicks
  3. xprop gives MUTTER GUARD WINDOW
  4. going to all apps hides it.

Notable: I had created a go to desktop icon using this https://ubuntuhandbook.org/index.php/2018/10/add-show-desktop-button-ubuntu-18-10-18-04/ a few days back and it works fine. I wonder if it is creating the problem

EDIT
Looks like ‘mutter guard window’ was shown for anywhere on the desktop. So, the problem was like non-existent for xprop.

The problem was solved when I shrank a window by double clicking, then dragged it all the way upwards, which normally gives a glimpse of it getting maximised. And it removed that container too. I guess it could be an issue related to window resizing.

So, why is it happening? PS I haven’t done a reboot but wanted to know about the issue

I will do Professional Photoshop edit, high quality in 12 hours for $3

Hi,

Welcome..

I’m ready to help you and make your photos look professional.

I do Photoshop edit and Adobe Lightroom Edit.

Services includes

  • 1.Photoshop editing
  • 2.photo retouching
  • 3.Face swap
  • 4.Background removal
  • 5. Remove any person or product from photo

Your order will be ready in time with best quality.

I will remove background 5 images in white or transparent for $1

I am a professional Online graphic designer & image editing service Provider.

>>> Top 08 Reasons to Hire Me :

01. More Selling of products
02. Product Looking Good
03. World-class Quality
04. Cheap Prize
05. 100 % Customer satisfaction
06. 100 % Money Back guaranteed
07. Unlimited Revision
08. 24 Hours Express Delivery

>>> Services :

  • Background Remove / Background Removal
  • Change Background / Remove Background
  • White / Transparent Background
  • Clipping path
  • cutout
  • Resizing
  • Retouching ( extra prize )
  • Any Shadow creation ( extra prize )

************************
Thanks
Senith Vidmal

seo – How much impact can implementing featured images with transparent background have on a blog to speed up loading time?

I have seen that the featured images on the backlinko blog are a relatively small image in webp format, but without a background. The background is a gradient color. You can see this example of an article that I chose at random (click to open image in a new tab to understand what I mean).

I think this can cut a noticeable amount of kb per post. What do you think?

Also, does anyone know how I could implement it?

transactions – Receiving donations by public Bitcoin wallet ID, where to make transparent deposits?

We are a transparent NGO, so we do not need secret transactions, we need to expose them…

We created a Bitcoin wallet to receive donators’ deposits there (at blockchain.info), and now we have a wallet ID. Can we expose our wallet ID to the public? Can donators use the wallet ID to make donations, or must we use an address?

We need a stable and permanent ID/address to expose our transparent donation reference.

I will remove background from image to white or transparent png for $5

10 Photo Background Removal $5

I Am Providing These Services

✅ Background Removal

✅ Transparent Background

✅ White Background

✅ Change Background

✅ Image Resizing

✅ amazon product background remove

✅ remove background from image

✅ remove image background photoshop

✅remove background from photo

✅ picture background remove

✅ amazon product photo background remove

100% Client Satisfaction

Superfast Very Quickly Delivery

applications – Wife being shady.. bottom 1/3 of screen has grey transparent filter? – Android Enthusiasts Stack Exchange

shaders – Make part of albedo transparent

I have a shader which creates a circle inside of a plane mesh. I would like to get rid of the parts around the circle, which are the r and b parts of the ALBEDO but I can’t seem to figure out how to do it.

The only thing I’ve managed to find is ALPHA but that changes the transparency of the entire shader and not just parts of it.

shader_type spatial;

float circle(vec2 position, float radius, float feather)
{
    return smoothstep(radius, radius + feather, length(position - vec2(0.5)));
}

void fragment() {
    ALBEDO = vec3(0, circle(UV - vec2(0), 0.5, 0.005), 0);
}

Which currently looks like:

enter image description here

How can I mask a div with transparent beneath it?
