Building and Evaluating a Full Disk Encrypted Secure Multi-user Operating Platform in Linux

Abstract: Security is more important than ever, and since we are storing much of our sensitive data on hard drives, the demand for security systems is high. Full disk encrypted systems where multiple users can decrypt the same hard drive using the same secret but with different credentials are not common and is something that the military and various companies demand. Therefore, this thesis has focused on building a proof of concept system with such a boot chain in Linux Debian Stretch 9.8.0 using LUKS as encryption software and GRUB 2.02 as boot loader. Apple’s FileVault2 is built with similar ideas to the proposed solution in this thesis but uses other software tools specific for macOS, thus can not be applied to Linux. The proposed solution was constructed without newer hardware that can run UEFI, TPM, and memory encryption but have in the security evaluation considered these elements. Being able to use old hardware is still requested, especially in the military. Nevertheless, the evaluation of the system was made using OSSTMM 3 that uses a metric system for evaluating security called RAV, where a score of 100 is a perfect score. It is a commonly used evaluation system worldwide, and thanks to the metric system, security comparisons become easier to do. An acquired score of 83.91 Ravs was given for the proposed solution; meanwhile, the version with the theoretically best improvements yielded 93.35 Ravs. The CVSS evaluation system was also used for classifying the severity of the most common attacks against the proposed solution. These are Evil Maid attacks, the Cold Boot attack and DMA attacks. They all obtained a severity rating of medium from the evaluation.