this post was submitted on 22 Jun 2024
36 points (92.9% liked)
Linux
48372 readers
2573 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Sorry for the slow reply, life occurred.
I think I understand where you're coming from with the desired to be productive and not reinstall. I think I've been there too! One thing that I can suggest, if you do have the time, is to learn a system like Ansible and use it to setup and configure your machine. The discipline of keeping all of the config as source rather than making ad-hoc changes reduces the chance of thinking you'll make just one little change and breaking something, and, if something does go wrong, you can get back to your working configuration quickly.
Bearing in mind that there really isn't anything you can do to stop yourself if you're really determined to not lose the data, because if you can read it at any time you can back it up, the closest you are likely to come is something like creating new key with GPG then using the TPM to wrap your secret key and deleting the original. That way the key is only usable on that specific machine. Then use the key-pair to encrypt your 'guard' files. You can still decrypt them because you have the wrapped secret keys and you're on the same machine, but if you wipe the drive and lose those keys the data is gone. The TPM wrapping prevents you from taking the keys to a different machine to decrypt your data.
There's an article with some examples here,
Having said all of that, this still doesn't help if you just clone the disk as all of the data, including the wrapped key and the encrypted files will be cloned. The one difference there is that the serial number of the hard drive will be different. Maybe you could use that, combined with a passphrase as the passphrase for your GPG key, but we're getting into pretty esoteric territory here. So you could generate a secret key with a command like:
Where
/dev/sdb
is the device your root partition is on.zenity
is a handy utility for displaying dialogs, there are others available. In this use it just prompts for a passsword. We then concatenate the drive serial number fromlsblk
with the password you entered and hash the result. The hashing is really only a convenient way to mix the two without worrying about the newlinelsblk
spits out. Don't record the result of this command, but use it to set the passphrase on your newGPG
key. Wrapping the secret key in the manner the article above suggests is a nice extra step to make it harder to move the drive to another machine or mess around in that sort of way, but not strictly necessary as that wasn't in the scope of your original question.Now you can encrypt your file with:
gpg -e -r <your key name> <your file>'. That will produce an encrypted version of
called
.gpg. To decrypt the file you can get
gpg` to use the hashing command from above to get the passphrase with something like:Once you've tested that you can decrypt the file successfully you can remove the original, plaintext, file. Your data is now encrypted with a key that is secured with a passphrase made of a string you know and the serial number of your disk and optionally wrapped with a key from the TPM that is tied to your physical machine. If you change the disk or the machine the data is irretrievable (ignoring the caveats discussed above). I think that's about as close to your original goal as you can get. It's rough around the edges, and I'm not sure I'd trust my data to it, but I believe it'll work. If you do something like this, please test it thoroughly, I can't guarantee it!