| Linux - Kernel This forum is for all discussion relating to the Linux kernel. |
02-07-2007, 11:12 PM
|
#1
|
|
Member
Registered: Apr 2006
Posts: 143
Rep:
|
Can I encrypt or password protect my initrd image?
Hello everybody,
I've encrypted my root filesystem partition, and I can successfully boot into it.
But for this I've edited my initrd image, and now I want to protect my initrd from eavesdropping.
Can I do something on it, such that even if someone gets the initrd image, they won't be able to open and look into it?
Kindly revert if you want some more details.
Any input is appreciated.
|
|
|
|
02-08-2007, 05:09 PM
|
#2
|
|
Senior Member
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873
|
No.
The good news is that you shouldn't need to. Hopefully you haven't put your password into the initrd. The fact that someone can analyze your initrd and see what encryption is used to encrypt your root partition should not be a security problem. As long as you have to enter a password when you boot your system before it can load the root partition then your system is as secure as is humanly possible.
|
|
|
|
02-08-2007, 09:53 PM
|
#3
|
|
Member
Registered: Apr 2006
Posts: 143
Original Poster
Rep:
|
That is what the main problem is.
I haven't used a password; I have used a file to store a password, and at boot time the system will use the file descriptor of the file to decrypt the partition.
If someone wants to decrypt my rootfs they only need to see the init script of my initrd.img.
That is why I'm worried.
Does this scenario have a solution?
Thanks a lot for the response.
|
|
|
|
02-09-2007, 04:54 AM
|
#4
|
|
Senior Member
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873
|
The only secure resolution is to remove the password from the init script.
|
|
|
|
02-09-2007, 05:38 AM
|
#5
|
|
Member
Registered: Apr 2006
Posts: 143
Original Poster
Rep:
|
As I said, I haven't used a password, I have used a file.
Now the init script inside the initrd image has basic commands that I want to hide.
These commands show how to manipulate the file and decrypt the partition.
So I wanna lock initrd.img.
|
|
|
|
02-09-2007, 05:55 AM
|
#6
|
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
Quote:
|
Originally Posted by raklo
Hello everybody,
I've encrypted my root filesystem partition, and I can successfully boot into it.
But for this I've edited my initrd image, and now I want to protect my initrd from eavesdropping.
Can I do something on it, such that even if someone gets the initrd image, they won't be able to open and look into it?
Kindly revert if you want some more details.
Any input is appreciated.
|
Probably. Put the minimal stuff on 1 initrd which decrypts a file given the encrypted key (which would be on a USB stick). Then execute this file.
|
|
|
|
02-12-2007, 01:32 PM
|
#7
|
|
Senior Member
Registered: Nov 2006
Distribution: Debian Squeeze 2.6.32.9 SMP AMD64
Posts: 3,153
Rep: 
|
"As I said, I haven't used a password, I have used a file."
Can I ask you what you mean by this? Do you have a file on a floppy or a CD/DVD that you boot from or have to install during the boot process? Is that what you're talking about? If it's on the hard drive and accessed automatically during boot, then you might as well not be using encryption at all.
|
|
|
|
02-12-2007, 09:33 PM
|
#8
|
|
Member
Registered: Apr 2006
Posts: 143
Original Poster
Rep:
|
It is the initrd.img that I need to hide, and it is on the hard disk.
I have successfully encrypted the partition containing the root filesystem, the system decrypts it at boot time and I have a working system, but I want to hide my initrd.img to prevent eavesdropping.
I don't necessarily want initrd.img to be encrypted (as in that case the kernel won't recognize it),
any other method, one that is not very secure,
but that at least can prevent a primary level of eavesdropping.
|
|
|
|
02-12-2007, 10:10 PM
|
#9
|
|
Senior Member
Registered: Nov 2006
Distribution: Debian Squeeze 2.6.32.9 SMP AMD64
Posts: 3,153
Rep: 
|
"and system decrypts at the boot time and I have a working system"
OK, technically it was probably fun. But, if it boots without you having to type in a password or plug in a dongle or put in a floppy or CD/DVD, then you don't really have any protection.
|
|
|
|
02-13-2007, 04:32 AM
|
#10
|
|
Member
Registered: Apr 2006
Posts: 143
Original Poster
Rep:
|
I know, but that is what our requirements are.
We don't want any type of human intervention after the system reboots; if the system prompts for a password there has to be someone to put in the password.
That is why I make the system read the password from a file.
I hope your doubt is clear.
|
|
|
|
02-13-2007, 05:11 AM
|
#11
|
|
Senior Member
Registered: Nov 2006
Distribution: Debian Squeeze 2.6.32.9 SMP AMD64
Posts: 3,153
Rep: 
|
"I hope your doubt is clear"
Very clear. If your password is on the system in a file, then that system is not secured.
|
|
|
|
02-13-2007, 05:21 AM
|
#12
|
|
Member
Registered: Apr 2006
Posts: 143
Original Poster
Rep:
|
Yes, of course, my system is not secure.
But what I wanted to do was that if someone gets the media, he cannot just mount it and read the contents very easily, so that is why I encrypted the system.
Now what I want to know is whether there is any way that I can
make the initrd.img such that it can hold on to a primary level of eavesdropping (as I cannot encrypt it also, as in that case the kernel won't recognize it).
|
|
|
|
02-13-2007, 06:33 AM
|
#13
|
|
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Rep:
|
Quote:
|
Originally Posted by raklo
Yes, of course, my system is not secure.
But what I wanted to do was that if someone gets the media, he cannot just mount it and read the contents
|
He can because you just said it's not secure.. ?
If YOU don't have anything to do so that it gets unencrypted, HE won't have anything to do either, just use the same boot mechanism that provides the key.
He probably can't access the partitions without grub or initrd but if he gets the complete system.. emm he will just have to press the power button?
You need something to identify yourself (password, biometrics..)
I don't see what you are trying to do 
|
|
|
|
02-13-2007, 06:59 AM
|
#14
|
|
Member
Registered: Apr 2006
Posts: 143
Original Poster
Rep:
|
My system is not inside a hard disk, but inside a compact flash; what if someone takes the flash out of the system?
In that case he won't be able to mount the encrypted partition any way he tries, until he sees the initrd.img
which contains the details.
So I wanna hide initrd.img somehow.
I hope I am clear now.
|
|
|
|
02-13-2007, 06:32 PM
|
#15
|
|
Senior Member
Registered: Nov 2006
Distribution: Debian Squeeze 2.6.32.9 SMP AMD64
Posts: 3,153
Rep: 
|
"So I wanna hide initrd.img somehow."
No matter how you slice it, at some point, the password has to be entered into the booting machine. Whether that's on a thumb disk you carry in your pocket, or a USB dongle that you plug in and forget about a few months down the road, the password still has to be there to boot your machine. You can't encrypt the base encryption method.
|
|
|
|
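The point the replies keep returning to, that a key file stored inside the initrd travels with the media, can be checked mechanically. The script below is an added example, not part of the original thread: it audits an unpacked initrd tree, assuming the init script unlocks the root volume with `cryptsetup` and `--key-file` or `-d` (the thread does not say which tool was used); `audit_initrd`, `make_sample` and all sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an unpacked initrd tree for a key file that ships
# inside the image. Assumes cryptsetup with --key-file/-d (an assumption;
# the thread does not name the tool). All paths below are constructed.

# audit_initrd DIR: for every key file named on a cryptsetup line in DIR/init,
# print "EMBEDDED <path>" if that file exists inside the image (the key sits
# on the same media as the encrypted root), or "EXTERNAL <path>" if it does
# not (the key must come from a device attached at boot).
audit_initrd() {
    root=$1
    keys=$(grep -E '^[[:space:]]*cryptsetup' "$root/init" |
        sed -nE 's/.*[[:space:]](--key-file[= ]|-d )([^[:space:]]+).*/\2/p')
    for k in $keys; do
        if [ -f "$root$k" ]; then
            echo "EMBEDDED $k"
        else
            echo "EXTERNAL $k"
        fi
    done
}

# make_sample KEYPATH yes|no: build a constructed initrd tree whose init
# script unlocks the root volume with KEYPATH; with "yes" the key file is
# also placed inside the tree. Prints the directory name.
make_sample() {
    dir=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' \
        "cryptsetup luksOpen --key-file $1 /dev/sda2 root" \
        'mount /dev/mapper/root /newroot' > "$dir/init"
    if [ "$2" = yes ]; then
        mkdir -p "$dir$(dirname "$1")"
        echo 'constructed-key-material' > "$dir$1"
    fi
    echo "$dir"
}

# Layout described by the original poster: key file inside the image.
bad=$(make_sample /etc/keys/root.key yes)
# Layout suggested in reply #6: key on a USB stick mounted at boot.
good=$(make_sample /mnt/usb/root.key no)
audit_initrd "$bad"
audit_initrd "$good"
rm -rf "$bad" "$good"
```

An `EMBEDDED` finding means anyone holding the storage media holds the key as well; an `EXTERNAL` finding only shows that the key is not in the image, not that the external device is kept apart from the machine.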
All times are GMT -5. The time now is 04:44 AM.