Lennart: Linux falls short on disk encryption, authenticated boot security
Most Linux distributions currently fail to provide adequate security around full disk encryption and authenticated boot. Prominent Linux developer Lennart Poettering even claims that your data is “probably more secure if stored on current ChromeOS, Android, Windows, or macOS devices.”
Senior systemd developer Lennart Poettering today wrote a lengthy blog post on the state of authenticated boot and disk encryption in Linux. While many Linux distributions offer full disk encryption, support UEFI SecureBoot, and have started adopting TPMs, these technologies are not yet used to their full potential, especially not by default, out of the box.
Lennart’s brief summary of the situation is as follows:
Linux has supported Full Disk Encryption (FDE) and technologies such as UEFI SecureBoot and TPMs for a long time. However, the way they are configured by most distros is not as secure as it should be and, in some ways, quite downright odd. In fact, right now your data is probably more secure if it’s stored on current ChromeOS, Android, Windows, or macOS devices, than on typical Linux distributions.
In his blog post, he describes the current technologies, their issues, and areas for improvement to strengthen authentication and provide better security.
Some pull requests, such as the ones against systemd that implement these security enhancements, are still pending, so it will take some time before the work lands upstream; it will then also depend on the Linux distribution providers actually adopting these features once they become available. See Lennart’s blog for all the interesting technical details and current Linux shortcomings.