First of all, how much data are you working with? One notion would be to get a USB memory watch. Use a short extension so you can plug it in without taking it off; then it is always on you.
To follow the original plan is going to be tricky but we'll see if we can bash something out.
Quote:
Once in a while the laptop will get left behind without supervision. The risk of getting it stolen is acceptable, but unauthorized access to the data on it is not.
That pretty much mandates encryption. If you build something on disk encryption then the key has to remain in the laptop's memory while the partition is mounted. Handily, this means the smart card is only required when the partition is actually mounted, so you can pull the card out and carry on working.
The problem, as you implied earlier, is having the laptop become aware that it should unmount the partition automagically and correctly render all of the protected data unavailable. A particular problem would be if you were working on a document when this script fired. Simply unmounting the encrypted partition is not enough, because the running app still has an unencrypted copy in memory that can be saved anywhere. (This affects the USB watch idea too.)
A relatively simple way to do this would be to hook the lid switch to a suspend script. Encrypting the resume partition will protect the key used to mount the data partition and the smart card can hold the key for the resume partition, preventing a recovery unless it was present.
Whenever you leave the laptop you can close the lid and everything will lock down, then you plug in the card, switch it back on and then put the card back in your pocket once the system is running again. This suspension could probably be tied to the proximity keyfob from my previous post, but I don't think it gains much.
The only remaining problem is the suspended system may be vulnerable to a cold boot attack up to several minutes after you close the lid.
If you wanted a slicker approach, then while researching this I found a really interesting app called cryopid that effectively suspends single processes. Instead of suspending the whole system you suspend any processes that have open files on the protected partition. Save the process images to the protected partition and then unmount it. Getting your work back simply means re-mounting the partition (with the smart card) and restoring the suspended processes. Something that, at least at first glance, looks scriptable too.
This would be a very surgical approach, and restore time should be reduced, but I've never heard of this being tried so I don't know how robust the results would be and you'd have to do a lot more setup and coding yourself. On the other hand, explicitly unmounting the drive should discard the key from memory, protecting you from a cold boot attack.
Personally I'd take the full suspend approach. It's built on standard features so you reduce the chance that something important will break during an update. Trade a little convenience for a lot of security and get into the habit of closing the lid when you leave it.
The hard parts are setting up the encrypted partitions, which is covered in numerous howtos, and getting cryptsetup to look to your smartcard for a key, which should be easy enough as long as the smartcard reader is supported.
Let us know what you think,
Chris...
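The lid-switch lockdown that Chris's reply sketches, written out as an acpid handler. This is an added example, not code from the post or from any howto it refers to. It assumes (none of which the post states): the data partition is a LUKS volume opened as /dev/mapper/cryptdata and mounted on /mnt/data; acpid delivers the lid event to a script at /etc/acpi/lid-lockdown.sh; the encrypted resume partition and its smart card key are already set up, so "systemctl hibernate" is the lockdown step; and DRY_RUN=1 prints the privileged commands instead of running them. The ordering is the point the post makes: the dm-crypt key only leaves kernel memory when the mapping is closed, which needs a successful unmount first, and if a process still has files open that process already holds plaintext, so the script records the holders and falls back to hibernating with the key still in RAM (protected on disk by the encrypted resume partition, but inside the cold boot window).

```shell
#!/bin/sh
# Lid-close lockdown handler: added example, not code from Chris's post.
# Assumed (not from the post): LUKS volume opened as /dev/mapper/cryptdata,
# mounted on /mnt/data; acpid calls this script; the resume partition is
# already encrypted with its key on the smart card. DRY_RUN=1 echoes the
# privileged commands instead of executing them.

MAPPER_NAME="${MAPPER_NAME:-cryptdata}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/data}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Extract the lid state from the text of /proc/acpi/button/lid/*/state,
# e.g. "state:      closed" -> "closed". Takes the text as an argument so
# it can be exercised without the ACPI file.
lid_state() {
    printf '%s\n' "$1" | awk '/^state:/ { print $2 }'
}

# Succeed if $1 is a mount point in the /proc/mounts-style table passed as $2.
is_mounted() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }'
}

# Lock down with the data partition mounted. Unmounting alone is not enough:
# dm-crypt keeps the master key in kernel memory until the mapping is closed,
# and any application with a file open holds plaintext in its own memory.
lockdown_with_data() {
    run sync
    if run umount "$MOUNTPOINT"; then
        # Filesystem gone: closing the mapping discards the key from RAM, so
        # it is not there for a cold boot attack while the image is written.
        run cryptsetup close "$MAPPER_NAME"
    else
        # Something still has files open, so the key cannot be dropped and
        # that process already holds plaintext anyway. Record the holders and
        # hibernate with the key in RAM; the encrypted resume partition still
        # protects it on disk.
        run fuser -vm "$MOUNTPOINT" >&2 || true
        run logger -t lid-lockdown "$MOUNTPOINT busy; hibernating without unmount"
    fi
    run systemctl hibernate
}

# Decide what to do for a lid event. $1 = lid state text, $2 = mount table text.
# Fails closed: only an explicit "open" aborts the lockdown.
handle_lid_event() {
    if [ "$(lid_state "$1")" = "open" ]; then
        return 0
    fi
    if is_mounted "$MOUNTPOINT" "$2"; then
        lockdown_with_data
    else
        run systemctl hibernate
    fi
}

main() {
    handle_lid_event "$(cat /proc/acpi/button/lid/*/state 2>/dev/null)" \
                     "$(cat /proc/mounts)"
}

# acpid hook (assumed paths), e.g. /etc/acpi/events/lid-lockdown:
#   event=button/lid.*
#   action=/etc/acpi/lid-lockdown.sh %e
# acpid passes the event as arguments ("button/lid LID close"); with no
# arguments only the functions are defined, which is how the checks use them.
case "${1:-}" in
    button/lid) main ;;
esac
```

Run it once by hand with DRY_RUN=1 and a closed lid to see the exact command sequence before wiring it into acpid; the "busy" branch is the case Chris warns about in the post, and the fuser output tells you which application to close before walking away.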