Forward Secure Sealing (FSS) is finally coming to +systemd
's journal. FSS allows us to cryptographically "seal" the system logs in regular time intervals, so that if your machine is hacked the attacker cannot alter log history (but can still entirely delete it). It works by generating a key pair of "sealing key" and "verification key". The former stays on the machine whose logs are to be protected and is automatically changed in regular intervals (and the previous one securely deleted), the latter should be written down on a piece of paper or stored on your phone or some other secure location (that means: not on the machine whose logs are to be protected). With the verification key at hand you can verify the journals on the machine and be sure that -- if the verification is successful -- log history until the point where the machine was cracked has not been altered a posteriori.
What is this all good for? Attackers tend to hide all the traces of their break-in on sucess, to make sure the administrator doesn't notice it. Usually this means they carefully edit the log files and remove all traces of log events they themselves generated leaving everything else around, so that the administrator doesn't get suspicious. With FSS enabled this will become much harder: the attacker cannot hide his traces anymore. He can still delete all log files entirely but this is something the administrator would much more likely notice.
Traditionally this problem has been dealt with by having an external secured log server to instantly log to, or even a local line printer directly connected to the log system. But these solutions are more complex to set up, require external infrastructure and have certain scalability problems. With FSS we now have a simple alternative that works without any external infrastructure.
Of course, writing down the verification keys is not too much fun (even though we actually tried hard to make it very short) hence to simplify this we added a little gimmick for you and show a QR code on the terminal so that you can simply scan it off the screen and store it on your phone.
FSS is based on "Forward Secure Pseudo Random Generators" by Bertram Poettering at the Royal Holloway/University of London, who is a cryptography postdoc and researches these kind of things. (He also happens to be my brother...) A paper about FSPRG will be published shortly.
This will soon be available in F18.
Anyway, for now I'll leave you with a screenshot of the key generator tool with the QR code... Neat, right? ;-)
The code is all available in systemd git already.
I'll post a longer blog post with more details and explanations soonishly.
(Oh yeah, the QR code on this screenshot has black stripes on it. It's VTE's fault. It shouldn't negatively impact the readability of the QR code: https://bugzilla.gnome.org/show_bug.cgi?id=435000