LinuxQuestions.org
Old 05-07-2004, 06:44 AM   #1
joulupukki
LQ Newbie
 
Registered: May 2004
Posts: 11

Rep: Reputation: 0
Question encrypting root partition


Hi, I would like to encrypt the root partition in such a way that it would only open in my one and only laptop, and without asking for a password: for example with an MD5 hash from the MACs or a public key, so that if someone takes my HD, it wouldn't open at all. And I don't want to put any password question on boot.
So is it possible?
 
Old 05-07-2004, 09:07 AM   #2
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
I don't know of a specific mechanism.

Thinking through the logic of what you want, you would need to hold the "secret" (e.g. public key, hash) somewhere that was physically on your laptop but not on the hard drive.

The only way I can think of doing it is to have a mini-distro on a diskette or USB flash key. Then you could boot off that and use it to bootstrap your main disk.
 
Old 05-10-2004, 03:36 AM   #3
joulupukki
LQ Newbie
 
Registered: May 2004
Posts: 11

Original Poster
Rep: Reputation: 0
So there is no way to use, for example, some boot-up script before root mount to detect the key and mount the root with that one?
 
Old 05-10-2004, 04:27 AM   #4
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Quote:
Originally posted by joulupukki
So there is no way to use, for example, some boot-up script before root mount to detect the key and mount the root with that one?
What extra security would that give you? How would it make it harder for an attacker to get access to your computer?
 
Old 05-10-2004, 04:59 AM   #5
joulupukki
LQ Newbie
 
Registered: May 2004
Posts: 11

Original Poster
Rep: Reputation: 0
Well, it's a long story, but in short, the machine will be in other people's hands and I don't want them to take the HD and mount it on some other machine and read my secret stuff.
 
Old 05-10-2004, 07:51 AM   #6
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
OK, but I think you're missing my point.

If you have a key on the hard drive, and it isn't password protected, that key will still be there whoever boots up the computer. If someone else has it, what stops them mounting your encrypted partition? If they've got the disk, they've got the key and since there's no password, what can you do?

For this to work, you need to protect the key so no-one else can get it. That means either using a password or having it physically separate from the computer so you can give someone else the computer and keep the key.

If you want to avoid someone reading your secret stuff, why not just encrypt your files; or have an encrypted partition? They would need a password or pass-phrase to decrypt but it is easy and safe.
 
Old 05-10-2004, 09:27 AM   #7
esben
Member
 
Registered: Jun 2003
Location: Copenhagen, Denmark
Distribution: Gentoo
Posts: 48

Rep: Reputation: 15
Dunno if it will help, but this is where I would look for the answer:

Google's HOWTO encrypted root fs + swap fs

You would need, of course, somewhere where the key is stored. Like a USB dongle or something.
 
Old 05-11-2004, 04:31 AM   #8
joulupukki
LQ Newbie
 
Registered: May 2004
Posts: 11

Original Poster
Rep: Reputation: 0
So it seems that it's not possible to make a system with one encrypted fs in such a way that it would boot only in one machine, without asking for a password. Maybe I then need to do that boot-up partition and a script there to detect the hardware, for example, and then automount the other encrypted system if the hardware is correct.
 
Old 05-11-2004, 04:54 AM   #9
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Quote:
Originally posted by joulupukki
So it seems that it's not possible to make a system with one encrypted fs in such a way that it would boot only in one machine, without asking for a password.
It is possible, just totally insecure and since security is what you are trying to achieve...

Quote:
Maybe I then need to do that boot-up partition and a script there to detect the hardware, for example, and then automount the other encrypted system if the hardware is correct.
That is an option; but how will you stop an attacker from editing your script so it allows boot-up on their hardware?

What it comes down to is that you need a key to unlock the encrypted disk. What you are doing is like locking your front door with a key, then leaving the key under the mat, just hoping that no burglar notices.

A key needs to have one (or more) of three properties:
- something you know (and keep secret) such as a password
- something you have (and no one else has) such as a smart card
- something you are (and no-one else is) like your fingerprint or retina

The keys you are proposing are something you have - a file on your computer. The problem is that the key, along with any script, must be unencrypted so anyone who has the hard drive will also have them, so they fail as a good key.
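
The point made in the post above, as an added example that is not part of the original thread: a key derived only from values the disk and the machine expose can be recomputed by whoever holds them, while a passphrase-derived key cannot. The function names, the MAC address, the salt and the toy header format are all assumptions made for illustration, and SHA-256 stands in for the MD5 hash mentioned in the first post.

```python
import hashlib
import hmac

# All values below are constructed for illustration; none come from the thread.
LAPTOP_MAC = "00:11:22:33:44:55"           # readable by anyone holding the laptop
SALT = bytes.fromhex("a1b2c3d4e5f60718")   # stored in the clear on the disk
ITERATIONS = 200_000                       # stored in the clear on the disk
CHECK_LABEL = b"volume-key-check"


def key_from_mac(mac: str) -> bytes:
    """Passwordless scheme asked about in the thread: hash a hardware identifier."""
    return hashlib.sha256(mac.lower().encode()).digest()


def key_from_passphrase(passphrase: str) -> bytes:
    """Scheme the replies recommend: the secret input is something you know."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, ITERATIONS)


def make_header(key: bytes) -> bytes:
    """Toy volume header (hypothetical): a check value used to verify a key."""
    return hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()


def unlock(header: bytes, candidate_key: bytes) -> bool:
    """True when candidate_key is the key the header was created with."""
    return hmac.compare_digest(header, make_header(candidate_key))


def holder_can_unlock(header: bytes) -> bool:
    """Try every key derivable from what the disk and the machine reveal.

    The holder has the MAC, the salt, the iteration count and the unencrypted
    boot script (so the derivation itself), but not the owner's passphrase.
    """
    derivable = [key_from_mac(LAPTOP_MAC)]
    return any(unlock(header, key) for key in derivable)


mac_volume = make_header(key_from_mac(LAPTOP_MAC))
pass_volume = make_header(key_from_passphrase("constructed example passphrase"))

if __name__ == "__main__":
    print("MAC-derived key, no passphrase:", holder_can_unlock(mac_volume))
    print("passphrase-derived key:        ", holder_can_unlock(pass_volume))
```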
 
Old 05-11-2004, 06:24 AM   #10
joulupukki
LQ Newbie
 
Registered: May 2004
Posts: 11

Original Poster
Rep: Reputation: 0
Well, if the first is possible, then how do I execute, for example, a C script to do it before root is mounted?
That is the next big question, because I don't want to enter that password by hand, and I want it to be bootable only in my machine.
 
Old 05-11-2004, 01:00 PM   #11
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Quote:
Originally posted by joulupukki
Well, if the first is possible, then how do I execute, for example, a C script to do it before root is mounted?
That is the next big question, because I don't want to enter that password by hand, and I want it to be bootable only in my machine.
But it won't do what you want: it won't stop someone booting your disk from different hardware by editing the script, so why do it?
 
Old 05-11-2004, 06:38 PM   #12
x12344321
Member
 
Registered: Jan 2004
Distribution: Slackware 10.0|Damn Small Linux|NetBSD|Debian
Posts: 46

Rep: Reputation: 15
You all are missing a point here... Besides the absolute stupidity of having a boot script do it for you, how the hell would you run it if your rootfs is encrypted?

A good way to do it is to store the key (or the script) on a floppy... but for even more security you do that hardware checking thing, and then burn it to a read-only CD, and have it detect a serial or something on the CD...

An even better alternative is to burn all your secret stuff to a CD (or zip disk, tape drive, blah blah...) and delete it from your hard drive using shred(1) or some other thing that accomplishes the same thing...
 
Old 05-12-2004, 02:07 AM   #13
joulupukki
LQ Newbie
 
Registered: May 2004
Posts: 11

Original Poster
Rep: Reputation: 0
The point of this is simple. My laptop goes to another company for use, with normal use for a while. I have root-owned stuff there I don't want them ever to see, so I can't give them the key. And I also can't give them an option to mount the HD and then read it, and in this situation my point is clear, like I said in my first post. There is also no CD-ROM or floppy in my laptop (Dell X300). And that is exactly the problem: how to run that script or something, without a separate boot partition that mounts the encrypted one. Some say it is possible, some say it's not.
 
Old 05-12-2004, 02:46 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,709
Blog Entries: 54

Rep: Reputation: 2966
I have root-owned stuff there I don't want them ever to see
If it shouldn't leave the firm, encrypt it and put it on network storage. Otherwise move stuff, put it on a separate encrypted partition. If it's a few files, tar 'em up, then GPG encrypt. If that doesn't do it you better give clear examples why not. The way you keep looking at this single "solution" to your problem, that's not gonna work. Like all the other ppl told you.

Last edited by unSpawn; 05-12-2004 at 02:48 AM.
 
  

