[liberationtech] Linux distribution on encrypted USB?

The Doctor drwho at virtadpt.net
Thu Sep 12 09:12:27 PDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/11/2013 03:20 PM, Moon Jones wrote:

> one large encrypted space. So the packs added are put inside the 
> encrypted drive. I'd say the libs and executables are fine out in
> clear,

For folks that have not yet gone poking around inside a copy of TAILS
installed on a USB key, Moon refers to the contents of the file
filesystem.squashfs, which contains the guts of TAILS (the Debian
install and basic configuration files).  You can list the contents of
it with the following command:

[drwho at windbringer live]$ unsquashfs -ls filesystem.squashfs | less

It is worth noting that, if an unprivileged user can list the contents
of the file, an unprivileged user (an attacker) can potentially unpack
the contents of the file, tamper with them, and then repack them.  I
do not know if there are any measures to detect alteration of this
file when TAILS boots; I haven't taken the time to go poking around
inside the initrd.img or initrd2.img files (used by the kernel when
TAILS boots) to see if there is anything of that sort.  A cursory
examination of the contents of the syslinux/ directory does not show
anything of that sort.

> but the configs should be on the encrypted drive. Along with
> something

Some of the system's configuration is.  If the user runs `apt-get
update` on a running copy of TAILS, the data will be stored in the
encrypted partition in the apt/ directory.  CLAWS configs are stored
in claws-mail/.  The live-persistence.conf file has me somewhat
curious; it is a text file which maps directories in the running
system to subdirectories of the encrypted partition.  For example:

/home/amnesia/Persistent	source=Persistent

Where "source=Persistent" seems to reference a directory called
Persistent/ in the root of the encrypted partition.  It seems possible
that one could edit this file to add additional lines to this file
which would cause some number of files in other directories to be kept
here instead (/etc, perhaps).  I haven't tried this, but it seems like
a useful experiment to carry out.  A little poking around on the TAILS
website did not reveal anything specific to that file, but I didn't
look terribly hard.

> like tripwire data, or at least some fingerprints and a file list
> to confirm the libs haven't turned against you overnight.

AIDE would be ideal for this, one would think.  It is much more
lightweight than Tripwire, and could be set to run at boot or login time.

> Yes. I did the same upgrade and it worked in an instant. I was so
> happy everything was ok. If I recall well, only three upgrades can
> be done, then I'll have to migrate the data by hand. Anyway, going
> from 0.19 to

Was this experience, or is it documented anywhere?

> Only that on an older than Tails 0.17 I fired up Synaptic and did
> some «cleanup», removing everything I did not want. Then I put some
> software I needed. And in the end I have broken the whole distro. I
> did nothing exotic. I have not added foreign repositories. And it did
> not work. So I'm trying to avoid customising Tails for every day
> use.

TAILS does seem to be somewhat problematic in this respect.  For
example, I tried to install a couple of Firefox plugins that I find
very useful (Scrapbook and Calomel-SSL, if anyone is interested) and
they didn't persist across reboots.  A little irritating, but perhaps
it's for the best.

> I was thinking for my everyday system portable from one computer
> to another without touching the installed hard drive. The config
> is different. And I'm afraid to break stuff.

This makes me wonder just how much abuse TAILS can really take before
it breaks down...

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"No other race in the universe goes camping.  Celebrate your
uniqueness." --Jack Harkness

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlIx5+sACgkQO9j/K4B7F8FfGgCdENnIdiRkXuDLFHvjP/kDLdRs
bp4An3A+keDdMDUyiK6VALoG8EYomJtM
=byVf
-----END PGP SIGNATURE-----
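
Added example (not part of the original message, and not TAILS code): one way to audit a live-persistence.conf-style file for mappings outside an expected set, such as the /etc line the message speculates about. It assumes the layout shown in the message (destination path, whitespace, then options such as source=, taken here to be comma-separated); the allow-list, the function names and every sample line except the /home/amnesia/Persistent one are constructed for illustration.

```python
import posixpath

# Constructed sample. Only the second line appears in the message; the other
# mappings are made up here to exercise the checks.
SAMPLE = (
    "# constructed sample\n"
    "/home/amnesia/Persistent\tsource=Persistent\n"
    "/var/lib/apt/lists\tsource=apt/lists\n"
    "/home/amnesia/.claws-mail\tsource=claws-mail\n"
    "/etc\tsource=etc\n"
    "/home/amnesia/../../usr/lib\tsource=lib\n"
    "/home/amnesia/docs\tsource=../outside\n"
)

# Assumption: the only destinations this system is expected to persist.
ALLOWED_PREFIXES = ("/home/amnesia/", "/var/lib/apt/")


def parse(text):
    """Yield (line number, destination, options dict) for each mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        opts = {}
        for item in (fields[1].split(",") if len(fields) == 2 else []):
            key, _, value = item.strip().partition("=")
            opts[key] = value
        yield lineno, fields[0], opts


def audit(text, allowed=ALLOWED_PREFIXES):
    """Return (line number, destination, reason) for each suspicious mapping."""
    findings = []
    for lineno, dest, opts in parse(text):
        norm = posixpath.normpath(dest)
        source = opts.get("source", "")
        if not dest.startswith("/"):
            reason = "destination is not an absolute path"
        elif norm != (dest.rstrip("/") or "/"):
            reason = "destination is not normalised (resolves to %s)" % norm
        elif not (norm + "/").startswith(allowed):
            reason = "destination outside the expected directories"
        elif source.startswith("/") or ".." in source.split("/"):
            reason = "source points outside the persistence volume"
        else:
            continue
        findings.append((lineno, dest, reason))
    return findings
```

Calling audit(SAMPLE) returns one finding each for the /etc mapping, the destination containing "..", and the source containing ".."; the three expected mappings pass.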


