LUKS Passphrase Management Functionality is Compromised on USB sticks
Issue:
"Change passphrase" updates the LUKS key slot of the Persistent Storage. This is insufficient to ensure data confidentiality if the old passphrase was compromised. Here's why:
Cryptsetup FAQ 5.19 What about SSDs, Flash, Hybrid and SMR Drives?
The problem is that you cannot reliably erase parts of USB Sticks, mainly due to wear-leveling and possibly defect management and delayed writes to the main data area.
However, for LUKS, the worst case is that key-slots and LUKS header may end up in these internal pools. This means that password management functionality is compromised (the old passwords may still be around, potentially for a very long time) and that fast erase by overwriting the header and key-slot area is insecure.
What to do?
If you trust the device vendor (you probably should not...) you can try an ATA "secure erase" command. That is not present in USB sticks though.
If you can do without password management and are fine with doing physical destruction for permanently deleting data (always after one or several full overwrites!), you can use plain dm-crypt.
Proposed Solution:
Add link to "Change Passphrase" dialog:
- Secure your Persistent Storage from a weak or suspected compromised passphrase.
- Secure your Persistent Storage after a compromised passphrase.
- If you suspect your old passphrase is weak or compromised, click here.
The link would lead to this info, but paraphrased to the new context:
To secure your Persistent Storage:
We recommend you migrate your entire Tails to a different USB stick and destroy your old Tails USB stick (or at least securely delete the entire device).
If you don't, the previous compromised LUKS keyslot data might still be written in some recovery data on the USB stick and could be recovered using advanced data forensics techniques.
Click to Display Instructions to migrate your Tails to a new USB stick:
1. Plug in the new USB stick.
2. Choose Applications ▸ Tails Cloner.
3. Turn on the option Clone the current Persistent Storage below the option Clone the current Tails.
4. Make sure that the new USB stick is selected in the Target USB stick menu.
5. To start the cloning, click on the Install button.
6. Enter a passphrase of 5 random words or more for the Persistent Storage on the new USB stick in the Passphrase text box.
7. Enter the same passphrase again in the Confirm text box.
8. Click Continue.
9. Read the warning message in the confirmation dialog.
10. Click Delete All Data and Install to confirm.

Cloning takes a few minutes.
The progress bar usually freezes for some time while synchronizing data on disk.
Further Improvements:
- Migration steps 1 through 4 can be replaced by calling tails-installer --backup (#20044 (closed)) after selecting "Secure your Persistent Storage".
  - Decide if opening a window is better than a web link, since the instructions are short and most repeat steps in the link !1305 (merged) adds to the tails-installer --backup window.
  - Motivation must be given before launching Tails Cloner why they must migrate to a new Tails USB by making a backup with a new passphrase and destroy (or secure erase) their current Tails USB stick.
    - The two sentences below "To secure your Persistent Storage:" are sufficient info.
- We could highlight or click the link or show the warning/info window above if the entropy estimate of the old passphrase is weak. (3 words or less.)
  - #19714 should be extended to give a suggestion in Tails Cloner's passphrase dialog as well.
- Mark the current Persistent Storage with a persistent startup warning after migrating to a new Tails saying "This USB stick has a compromised Persistent Storage passphrase and you should destroy it (or at least securely delete the entire device)."
  - We could make the vulnerable Persistent Storage read-only so they don't write more data to it (unless we get #19874 which secures new writes).
- On first start of the migrated Persistent Storage, we could prompt the user to plug in their compromised Tails USB stick for secure deletion (followed by their optional physical destruction).
Expected Benefits:
- Our personas don't know that changing their passphrase won't fully restore data confidentiality after the old one is compromised.
- The link will prevent data breaches by informing users how to defend against advanced attackers after passphrases are stolen.
- It will become easier to choose a strong new passphrase by showing a suggestion during migration with Tails Cloner.
- Startup prompts prevent using the compromised Tails USB stick after migration and remind users to Secure Erase (and optionally destroy) the old USB stick.
Assignee:
I can write MRs for some or all of this if @sajolida looks this over to give the best UX approach to the problem.
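
The reasoning in the quoted Cryptsetup FAQ, as an added toy model in Python (not code from Tails or cryptsetup): a passphrase change rewrites the key slot but keeps the same master key, and a wear-levelled device can retain the old slot on an unmapped page. The key slot layout, the `WearLevelledFlash` class and the passphrases are constructed for illustration; real LUKS uses a different on-disk format.

```python
import hashlib, os

def kdf(passphrase: str, salt: bytes) -> bytes:
    # Passphrase-derived key that wraps the master key (toy parameters).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 1000, dklen=32)

def make_keyslot(passphrase: str, master_key: bytes) -> bytes:
    # Toy key slot: salt || (master_key XOR derived key) || check digest.
    salt = os.urandom(16)
    wrapped = bytes(a ^ b for a, b in zip(master_key, kdf(passphrase, salt)))
    return salt + wrapped + hashlib.sha256(master_key).digest()

def open_keyslot(slot: bytes, passphrase: str):
    # Returns the master key, or None when the passphrase does not fit this slot.
    salt, wrapped, digest = slot[:16], slot[16:48], slot[48:80]
    candidate = bytes(a ^ b for a, b in zip(wrapped, kdf(passphrase, salt)))
    return candidate if hashlib.sha256(candidate).digest() == digest else None

class WearLevelledFlash:
    """Toy flash translation layer: each logical write lands on a fresh physical page."""
    def __init__(self):
        self.pages = []    # every physical page ever programmed
        self.mapping = {}  # logical block -> index of its current physical page

    def write(self, lba: int, data: bytes) -> None:
        self.pages.append(data)  # the previous page is unmapped, not erased
        self.mapping[lba] = len(self.pages) - 1

    def read(self, lba: int) -> bytes:
        return self.pages[self.mapping[lba]]

    def stale_pages(self):
        live = set(self.mapping.values())
        return [p for i, p in enumerate(self.pages) if i not in live]

def demo():
    flash = WearLevelledFlash()
    master_key = os.urandom(32)  # encrypts the data; a passphrase change keeps it
    flash.write(0, make_keyslot("old compromised passphrase", master_key))
    # "Change passphrase": the same logical block gets a new key slot.
    flash.write(0, make_keyslot("new strong passphrase", master_key))
    # Through the normal block interface the old passphrase no longer works...
    via_host = open_keyslot(flash.read(0), "old compromised passphrase")
    # ...but the retained page still yields the current master key.
    via_stale = [open_keyslot(p, "old compromised passphrase") for p in flash.stale_pages()]
    return master_key, via_host, via_stale

if __name__ == "__main__":
    mk, host, stale = demo()
    print("old passphrase via block device:", host)
    print("old passphrase on stale page recovers master key:", stale == [mk])
```

Migrating to a new USB stick avoids this because the new Persistent Storage is created with its own master key, so nothing left on the old device unlocks it.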