> OPAL SED SSD for HW based drive encryption. (Second FDE ofcourse) > USB PGP-Key for authentication and stuff., also contains (hidden) storage. > Keypad encrypted USB for hardware encrypted USB with bootfiles/keyfiles > etc.
Be carefoul about hw encryption, usualy its crap, this research showed that aes256 is actually a completly flawed implementation that uses rand and can cracked in 255 attempts=istantly "got HW crypto? On the (in)security of a Self-EncryptingDrive" https://eprint.iacr.org/2015/1002.pdf hidden storage is NOT POSSIBLE on usb or ssd you can encrypt but you can't do plausible deniability, this because of wear leveling. veracrypt manual: https://launchpad.net/veracrypt/trunk/1.19/+download/VeraCrypt%20User%20Guide.pdf also if you have sensitive files, remove the wifi card, microphone and speakers and keep it offline: internet xor encryption (imho) > Is TPM worth it? Im hearing mixed opinions... Also, I definately do not > want to put all my eggs in one basket, so would using TPM be possible in > a way that it is just one of several parts of the whole security-chain ? > I would hate it if someone has a TPM backdoor and compromises my whole > system that way, any way to design something with 2 or better yet; 3 way > authentication ? tpm it's just a chip that can store and reveal a value (usually a hash), it could be backdoored but not in a way that compromise your security in this sense: example steal keys, send things on internet. i have read that the way that bios self-verify and send hash is flawed too: it computed insecure hash over firs 64 bytes of each sector but i can't remember where i have read it and hopefully not everyone do it in that way. > What about the processor and bios? Are there any secure/open bioses that > work with recent intel processors? coreboot / libreboot but i have never tried them nor i know them, i have only read that libreboot say that it's impossible on modern cpu (intel me). > are there any other chips like these that are truly open > source, and really add some security? there are opensource hw cpu but the problem is given the source and the finished package do they match? answer: you can't prove it. it's possible with software and has been proved for truecrypt: https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analysis/ example: 1 gate added to opensource cpu = backdoored cpu activated by costantly dividing by 0, using javascript from remote also. "A2: Analog Malicious Hardware" http://static1.1.sqspcdn.com/static/f/543048/26931843/1464016046717/A2_SP_2016.pdf?token=XHNDI6aaTt1Ij2C9j%2BofnF8Fwcc%3D > What kind of laptop comes to mind when I'm asking for this kind of > features? I'm having a very very hard time finding a laptop that I can > setup in a way that would make me feel truly secure. I hope you guys can > share some advice on these matters. get one that have intel vt-x and vt-d for virtualization tpm for verified boot (but don't trust it 100%, if it say that something wrong is true, if it say that everything is fine it might not be) also second level address translation that will be required for qubes 4 if i'm not wrong > I'm using the PGP-key stick, and USB-keypad-usb as my "extra > security-weapons" are there any other reliable open source hw-security > devices out there that you guys would recommend? > Would it be possible to add say some biometric security hardware and > then have the full disk encryption work in such a way that 3 way > authentication would be needed ? hw security is probably the best, if it can be verified, if not it is probably crap (see above link for wd hhd) also check this for harware "secure" usb: https://spritesmods.com/?art=security imho you should stay with known good software like truecrypt, or if you want an updated version that might or not be secure veracrypt. and keep in mind that pysical access always win, so keep your computer safe. i don't trust SED devices at all, i wasn't sure about them but now that i have read how bad is implemented by wd i know that they are less secure than toy encryption. > Also, what would you guys recommend me to use as encryption method? > LVM-LUKS won't let me encrypt the boot partition, and it wont really > allow me to use 2-way authentication aswell. boot partition can't be encrypted, if everything is encrypted what do you boot? (but it can be stored on separate usb key for example) > I really hope we can start a discussion on these topics that will lead > to a general what-should-I-buy advice when one wants maximum security > from COTS hardware, and open software. i hope i have helped a bit, let me know if something is not clear / missing. Matteo -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/f7ff5aed-4236-8cbf-7f9f-126fb99343e2%40posteo.net. For more options, visit https://groups.google.com/d/optout.
