Blog about software development


LUKS disk encryption threat models

18 Jul 2023 - by 'Maurits van der Schee'

Any IT security measure must be evaluated in the context of a specific set of threats with context specific relevance. IT security is much like the security of the windows of a house. In a bad neighborhood of a city having steel bars in front of your ground floor windows may be considered required to prevent people from breaking in, while in the countryside having them would be considered dangerous as it would prevent you from escaping the house in case of a fire. In short: no security measure can be evaluated without the context of a set of threats.

Threat modeling

The first thing we need to do is list the threats, their likeliness and their damage. This is also called risk assessment or threat modeling, which OWASP defines as:

Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value. - OWASP

I would recommend that you do (frequent) risk assessment sessions to be able to mitigate the biggest risks.

Risk assessment how-to

In a collaborative session you can let people name all threats first (and write them all down) only to score them in part 2 of the session, ending in part 3 with some (hopefully simple) action points for mitigation on the highest scoring risk or risks. A simple way to calculate a risk score would be to rank the damage from 1-5 (XS,S,M,L,XL) and the likeliness from 1-5 (XS,S,M,L,XL) and multiply those two numbers. Do strive to mitigate the risks in order, highest score first. Do these risk assessments frequently as damage and likeliness can change wildly over time and also your IT landscape may be changing rapidly.

LUKS disk encryption

I have written about LUKS unlocking via USB, SSH and HTTPS. Some people argue that unlocking in certain way is "good" or "bad", but this can simply not be said. For some companies having their desktop machines unlock over HTTPS may be ideal, while for the laptops of the same company it may not be an option. Some people are afraid of disks that break and computers that need repairs, while others are afraid of break-ins and stolen hardware. Both may require a different unlocking strategy. Some companies are afraid of spies inside the office and want to analyze reboot incidents to spot break-in attempts. Some servers in data-centers benefit from automatic remote unlocking as it minimizes downtime. Some want their unlock servers in the same data-center, while others want them cross data-center. Some want keys to be easily rolled over and backed up, others want keys to never leave the server or even stored non-exportable in a secure key storage. Some want encrypted root partitions, others encrypted home folders. As you see security measures are dependent on the context. Unlocking can be done in many different ways, whether or not the method of unlocking is appropriate depends on your context. Do a proper risk assessment and find out what method of disk encryption and unlocking fits your situation.

What about compliance?

In Europe we have the General Data Protection Regulation (GDPR). It requires that personal information that is transferred is sent over a secure channel and personal information that is "at rest" is encrypted. Single or multi-factor authentication may be required when personal information is accessed. And authorized access to personal information must be logged and be traceable to an individual human being. Applying disk encryption with a smart unlocking strategy might very well enhance your compliance and have a much lower impact than you were expecting.

If you have questions? Feel free to contact me at: maurits@vdschee.nl

PS: Liked this article? Please share it on Facebook, Twitter or LinkedIn.