35c3 Chaos West

»pam_panic - A Linux authentication module for people in distress«
2018-12-29, 11:30–11:50, Chaos West Bühne

pam_panic is an authentication module made for people who think they might get into a distressing situation where they are forced to type in or even tell the password to bad people. The idea is to use a password or a media device at a login screen which issues a destruction of the LUKS keyslots. There will be a little crash course on what LUKS is to be more clear how and why it works.

pam_panic

on github

Purposes

  • Make a LUKS encrypted filesystem inaccessible when in distress

What is the idea?

  • Have an encrypted system done by LUKS
  • Have two passwords or two media devices (One of the passwords/media devices is used for regular authentication, the other one is used for issuing a destruction of the LUKS key material slots and have a reboot/shutdown)
  • Ask for a password/media device before your regular user password

Crash course: LUKS

  • What do we need to know to get this to work?
  • How does the LUKS header look like?

Making my data inaccessible

  • Using cryptsetup luksErase

Scenarios

Scenarios where it can help:

  • Being forced to type/tell your password
  • Raids

Scenarios where it doesn't help:

  • Letting them make a clone of your hard drive, then having your password/media device forced from you

Demonstration of pam_panic

  1. Setup
  2. Show authentication password and media device
  3. Show panic password/media device and show the result of inaccessibility

Q+A

..if there's enough time.