syslock 0.1.0 (1 unstable release, Feb 4, 2021)
Convenient yet insanely secure Linux filesystem encryption utility.
If you want to try to break syslock, check out auditing. Accepting contributions!
Traditional Linux full disk encryption by way of LUKS only covers one partition and is fairly hard to work with for seemingly common use-cases. Syslock fixes this by introducing an opinionated approach to encrypting a filesystem that can:
- Blur the line between lock screen and power-up disk decrypter.
- Be completely deniable.
- Suspend effortlessly to RAM or disk.
- Encompass multiple partitions.
- Onboard existing partitions while preserving original content.
- Expand later to include more partitions.
- Use TPMs to prevent the filesystem from being unlocked on unapproved systems.
Plain-English commands and safe defaults mean that things are easy to grok and pretty hard to screw up unless you pretend you know what you're doing and use flags. The defaults protect a single partition in a discoverable fashion; flags let you be more secure but possibly destructive or user-unfriendly.
Includes an initramfs applet that implements suspend-on-lock: when the screen is locked, RAM is suspended to disk, with the lock screen itself implemented as an initramfs applet. Also includes a system daemon to manage locking on suspend or poweroff.
Might build a bootloader in the future to protect multiple operating systems with all the above advantages.
Basic usage
syslock protect <fs> --partition /dev/sda1 --swap /dev/sda2 --wipe --deniable
- Create/edit an encrypted filesystem to include partition /dev/sda1, securely wiping the original contents and ensuring any generated metadata cannot be detected on-disk without the filesystem passphrase. Also add swap partition /dev/sda2 to be secured by the encryption.
syslock unprotect --partition --wipe
- Remove an unmounted partition from an encrypted filesystem, irrevocably wiping its contents forever.
syslock ls --with-pass
- List any filesystem unlockable with a password.
syslock lock
- Suspend any running filesystems to RAM (or disk, if configured and you're not in a hurry).
syslock unlock <fs>
- Unlock an encrypted filesystem, resuming it from disk if it has been suspended.
All flags optional, feel free to leave out any if you want the no-op or safer default.
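Because `--wipe` irrevocably destroys the partition's contents and the README says the partition must be unmounted first, a small pre-flight wrapper is worth having around the destructive commands. The script below is an added example and is not part of the syslock project; it assumes the `syslock unprotect --partition <dev> --wipe` form shown above, takes the mount table as text (so it can be exercised on a constructed `/proc/mounts` sample without root), and only prints the command it judged safe rather than running it.

```shell
#!/bin/sh
# Added example, not syslock's own code: refuse to hand a mounted device to
# "syslock unprotect --partition <dev> --wipe". Pass the contents of
# /proc/mounts as the second argument; field 1 of each line is the mount
# source, field 2 the mount point.

# is_mounted DEV MOUNTS_TEXT -> exit 0 if DEV appears as a mount source.
is_mounted() {
    dev="$1"
    mounts="$2"
    printf '%s\n' "$mounts" | awk -v d="$dev" '
        $1 == d { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# preflight_unprotect DEV MOUNTS_TEXT: print the command that is safe to run,
# or refuse with a message on stderr and a non-zero status.
# Note: on a real system resolve symlinks (e.g. /dev/disk/by-uuid/...) with
# readlink -f before calling this, since /proc/mounts lists the resolved path.
preflight_unprotect() {
    dev="$1"
    mounts="$2"
    case "$dev" in
        /dev/*) ;;
        *) echo "refuse: '$dev' is not a /dev path" >&2; return 2 ;;
    esac
    if is_mounted "$dev" "$mounts"; then
        echo "refuse: $dev is mounted; unmount it before using --wipe" >&2
        return 1
    fi
    echo "syslock unprotect --partition $dev --wipe"
}

# Constructed /proc/mounts-style sample (not captured from a real system).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw 0 0'

# Demo against the sample. Real use: preflight_unprotect /dev/sda3 "$(cat /proc/mounts)"
preflight_unprotect /dev/sda3 "$SAMPLE_MOUNTS"
preflight_unprotect /dev/sda2 "$SAMPLE_MOUNTS" || echo "blocked as expected" >&2
```

The wrapper deliberately prints the command instead of executing it, so it can sit in front of any destructive syslock invocation as a review step; piping its output to `sh` is a separate, explicit decision.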