04-03-2025, 09:50 AM
The On-the-Go Operator’s Kit
Why Pair Aegis and YubiKey?
This guide explains how to configure an Aegis Secure Key and a YubiKey with FIDO2-based full disk encryption (FDE) for high-security environments. The setup is designed for red teamers, field operators, or "anyone at risk of device seizure". The goal is to secure data at rest and minimize the window of opportunity for attackers to access an unlocked device.
By combining hardware-backed encryption, physical presence verification, and real-time access controls, this setup ensures that even if a device is seized while powered on, sensitive data remains protected.
What I Recommend
- Aegis Secure Key – Hardware-encrypted USB drive with AES-256 XTS encryption, PIN entry, self-destruct, and brute-force protection.
- YubiKey (FIDO2) – A hardware token used for passwordless authentication, LUKS unlocking, SSH, sudo, PAM, and OTP.
Alternatives
- Hardware-Encrypted Storage: Kingston IronKey, Kanguru Defender, etc.
- Authentication Devices: SoloKey, Nitrokey, OnlyKey (open-source FIDO2 options).
1. Configuring Aegis Key
- Enable Admin/User modes, self-destruct PIN, read-only mode, and brute-force protection.
2. Installing Ubuntu on Aegis Key with FIDO2 FDE
- Boot into an Ubuntu Live environment and install to the Aegis Key.
- Choose LVM with full disk encryption, using a temporary passphrase.
- Required Packages
- Enroll YubiKey with FIDO2
sudo systemd-cryptenroll --fido2-device=list
sudo systemd-cryptenroll /dev/mypart --fido2-device=auto
Additional Steps
- Update crypttab
- Configure dracut
- Remove the initial passphrase after ensuring FIDO2 works.
3. Enforcing Non-Persistence, Updating, and Recovery
A. Enable Non-Persistence (overlayfs + Dracut)
- Create an overlay module (module-setup.sh & overlay.sh).
- Make the root filesystem RAM-backed (overlay) so that changes made while running are discarded at shutdown and nothing is written back to the key.
B. Updating Your Kit
- Temporarily disable overlay by modifying GRUB boot options.
- Run:
sudo apt update && sudo apt upgrade
sudo dracut --force
- Re-enable non-persistent mode.
C. Recovery from Boot Failures
- Boot into an Ubuntu Live session.
- Unlock the disk and chroot into the system.
- Restore configuration and rebuild dracut.
4. Preventing a Ross Ulbricht Situation (Live Kill Mechanisms)
These mechanisms automatically shut down the machine (or wipe RAM) when a trigger such as USB removal, lost fob proximity or a closed lid indicates the device may have left the operator's control.
A. USB Removal = Shutdown
Identify the trusted USB device's vendor and product IDs:
lsusb
Create a udev rule in /etc/udev/rules.d/ (for example 99-usb-kill.rules), replacing XXXX with the IDs shown by lsusb. On a remove event the device's sysfs attributes are already gone, so the rule matches on the udev environment properties instead of ATTRS{}:
# Power off when the trusted USB device is unplugged
ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="XXXX", ENV{ID_MODEL_ID}=="XXXX", RUN+="/usr/local/bin/usb-kill.sh"
Create /usr/local/bin/usb-kill.sh:
#!/bin/bash
# Run by udev when the trusted USB device is removed
logger "Trusted USB removed. Initiating shutdown..."
/usr/sbin/poweroff
Apply changes:
sudo chmod +x /usr/local/bin/usb-kill.sh
sudo udevadm control --reload-rules && sudo udevadm trigger
B. Clear RAM on Shutdown
Modify GRUB:
sudo vim /etc/default/grub
Add:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash shutdown=halt+reboot"
Then regenerate the GRUB configuration:
sudo update-grub
C. Enable TME in BIOS
- Enable Total Memory Encryption (TME) in BIOS.
- Disable Sleep, Hibernate, and Fast Boot.
D. Bluetooth Fob Trigger (Proximity Kill)
Install Bluetooth tools:
sudo apt install bluez pulseaudio-module-bluetooth
Scan for the MAC address of your Bluetooth device.
bluetoothctl
Create a shutdown script (/usr/local/bin/bt-proximity-kill.sh):
#!/bin/bash
# Poll the paired fob; if it does not answer a name request, assume the
# operator has walked away from the machine and power off.
DEVICE_MAC="AA:BB:CC:DD:EE:FF"   # replace with your fob's address
if ! hcitool name "$DEVICE_MAC" > /dev/null 2>&1; then
    logger "Bluetooth out of range! Shutting down."
    /usr/sbin/poweroff
fi
Enable the service:
sudo systemctl daemon-reexec
sudo systemctl enable --now bt-watch.service
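A more tolerant version of the proximity check above, added here as an example and not the original post's script: it only powers off after MISS_LIMIT consecutive failed name lookups, so one dropped probe does not kill the host, and the probe and the kill action are parameters of the loop so the logic can be exercised without a radio. DEVICE_MAC is a placeholder; MISS_LIMIT, INTERVAL and DRY_RUN are this script's own assumed settings.

```bash
#!/bin/bash
# Added example (not the original post's script): proximity watchdog that tolerates
# transient misses. DEVICE_MAC is a placeholder; MISS_LIMIT, INTERVAL and DRY_RUN are
# this script's own assumed knobs.
DEVICE_MAC="${DEVICE_MAC:-AA:BB:CC:DD:EE:FF}"  # placeholder; use your fob's address
MISS_LIMIT="${MISS_LIMIT:-3}"                   # consecutive failed probes before acting
INTERVAL="${INTERVAL:-5}"                       # seconds between probes
DRY_RUN="${DRY_RUN:-0}"                         # 1 = log only, never power off

# probe_fob: exit 0 if the fob answers a name request, non-zero otherwise.
probe_fob() {
    hcitool name "$DEVICE_MAC" >/dev/null 2>&1
}

# kill_host: the action once the fob has been absent for MISS_LIMIT probes in a row.
kill_host() {
    logger -t bt-watch "Fob $DEVICE_MAC absent for $MISS_LIMIT probes; shutting down."
    if [ "$DRY_RUN" = "1" ]; then
        echo "dry-run: would power off now"
        return 0
    fi
    /usr/sbin/poweroff
}

# watch_loop PROBE ACTION [MAX_PROBES]
# Calls PROBE every INTERVAL seconds. A success resets the miss counter; MISS_LIMIT
# consecutive failures run ACTION and return 0. MAX_PROBES (0 = unlimited) bounds the
# loop so the logic can be exercised without hardware; reaching it returns 1.
watch_loop() {
    local probe="$1" action="$2" max="${3:-0}" misses=0 count=0
    while :; do
        if "$probe"; then
            misses=0
        else
            misses=$((misses + 1))
            if [ "$misses" -ge "$MISS_LIMIT" ]; then
                "$action"
                return 0
            fi
        fi
        count=$((count + 1))
        if [ "$max" -gt 0 ] && [ "$count" -ge "$max" ]; then
            return 1
        fi
        sleep "$INTERVAL"
    done
}

# Start the watchdog: ./bt-proximity-kill.sh run  (omit "run" to only load functions)
[ "${1:-}" = "run" ] && watch_loop probe_fob kill_host
```

Set DRY_RUN=1 on a first run to confirm the fob is probed correctly before letting the script power anything off.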
E. Lid-Close = Shutdown or Lock
Modify systemd logind.conf:
sudo vim /etc/systemd/logind.conf
Add:
HandleLidSwitch=poweroff
Restart systemd-logind:
sudo systemctl restart systemd-logind
Conclusion