LinuxQuestions.org

Andy Alkaline 09-11-2008 02:53 PM

prevent mounting partition using Live CD
 
Is there a way to lock down hard drive partitions when shutting down a system? Essentially I'm looking for a way to prevent a hd partition from being mounted after simply booting with a Live CD. I'm referring to any partition, including my primary root partition. Of course I'd need it to mount on my next boot.

win32sux 09-11-2008 02:56 PM

Quote:

Originally Posted by Andy Alkaline (Post 3277508)
Is there a way to lock down hard drive partitions when shutting down a system? Essentially I'm looking for a way to prevent a hd partition from being mounted after simply booting with a Live CD. I'm referring to any partition, including my primary root partition. Of course I'd need it to mount on my next boot.

Have you considered encrypting your hard disk and booting from removable media? It would achieve your goal.

Another option could be to disable CD-ROM booting in the motherboard's BIOS.

Andy Alkaline 09-11-2008 09:06 PM

How would I encrypt an existing partition? On slackware, I downloaded and built truecrypt, but it seems that it can't be used for the purpose you described.

I've also considered your other recommendation about disabling the ability to boot from a CD in the BIOS. I haven't ruled out that option yet.

win32sux 09-12-2008 12:17 AM

Quote:

Originally Posted by Andy Alkaline (Post 3277831)
How would I encrypt an existing partition? On slackware, I downloaded and built truecrypt, but it seems that it can't be used for the purpose you described.

I've never done full disk encryption so I wouldn't be the right person to elaborate on that. I did read an article in Linux Journal magazine about this a few years ago, though, and it seemed pretty straightforward. I'm sure you could find other tutorials if you do a quick Google. Any particular reason why you need to encrypt an existing filesystem? I'd just copy the data to a separate partition/media then copy it back into the encrypted partition and then nuke the unencrypted copy from orbit.

Andy Alkaline 09-19-2008 06:27 AM

Quote:

Originally Posted by win32sux (Post 3277975)
Any particular reason why you need to encrypt an existing filesystem?

Same reason I'd password protect grub. :) Mounting a partition without a password would be pretty much the same thing as allowing someone to pass init=/bin/bash to the kernel using grub.

So to answer your question: just a security precaution. If there was a way, I wanted to know about it. Thanks for the tips win32sux, good leads. Have a Linux day.

win32sux 09-19-2008 02:39 PM

Quote:

Originally Posted by Andy Alkaline (Post 3285480)
Same reason I'd password protect grub. :) Mounting a partition without a password would be pretty much the same thing as allowing someone to pass init=/bin/bash to the kernel using grub.

I think you misunderstood my question. What I was asking was if there was some reason you couldn't copy the data somewhere, then set up the encrypted partition, and then copy the data back to the newly-created encrypted partition (then nuking the copy). I asked this because encrypting a partition with data already on it is a different process than setting up a fresh, empty encrypted partition.
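
The copy-out, encrypt, copy-back procedure described in the post above, as an added example that is not part of the original thread. It assumes LUKS via cryptsetup, ext4, rsync and a data partition other than the running root; the device, mount point and staging paths are supplied by the caller, and the mapping name `cryptdata` and script name `migrate.sh` are made up for illustration.

```shell
#!/bin/sh
# Added example: move an existing data partition onto LUKS by copy-out,
# encrypt, copy-back. Assumed, not from the thread: cryptsetup/LUKS, ext4,
# rsync, and the hypothetical mapping name "cryptdata".
set -eu

# Sorted "sha256  ./path" list of every regular file under directory $1.
# Compares contents only; ownership and modes are carried by rsync -a.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort )
}

# True only if both directories exist and hold identical file sets.
trees_match() {
    [ -d "$1" ] && [ -d "$2" ] || return 1
    [ "$(manifest "$1")" = "$(manifest "$2")" ]
}

# migrate PARTITION MOUNTPOINT STAGING_DIR
# STAGING_DIR must live on different media than PARTITION.
migrate() {
    part=$1; mnt=$2; staging=$3; name=cryptdata
    mkdir -p "$staging"
    rsync -aHAX "$mnt"/ "$staging"/
    # Refuse to destroy the original until the copy is proven complete.
    trees_match "$mnt" "$staging" || { echo "staging copy differs" >&2; return 1; }
    umount "$mnt"
    cryptsetup luksFormat "$part"       # wipes the partition, asks for a passphrase
    cryptsetup open "$part" "$name"     # plaintext view at /dev/mapper/$name
    mkfs.ext4 "/dev/mapper/$name"
    mount "/dev/mapper/$name" "$mnt"
    rsync -aHAX "$staging"/ "$mnt"/
    trees_match "$staging" "$mnt" || { echo "restore differs" >&2; return 1; }
    # Destroy the plaintext copy. shred is unreliable on SSDs and on
    # journaling or copy-on-write filesystems; there, wipe the whole device.
    find "$staging" -type f -exec shred -u {} +
    rm -rf "$staging"
}

# Destructive, so it only runs when asked for explicitly:
#   sh migrate.sh --run /dev/sdXN /mnt/data /mnt/usb/staging
case "${1:-}" in
    --run) shift; migrate "$@" ;;
esac
```

After the migration a live CD can still see the partition, but without the passphrase it finds only a LUKS header and ciphertext.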

Andy Alkaline 10-21-2008 02:30 PM

Sounds like I did misunderstand your question. What you elaborated there makes perfect sense to me now, however, and seems like a good option.

Before I started this thread, I thought maybe simply using cryptdir would be a solution. But even after making sure all my packages (Slackware 12.1) were up to date, I get this message:
Code:

~$ cryptdir tmp/
Password:
Again:
send: spawn id exp4 not open
    while executing
"send "$passwd\r""
    ("foreach" body line 19)
    invoked from within
"foreach f [glob *] {
    # strip shell metachars from filename to avoid problems
    if {[regsub -all {[]['`~<>:-]} $f "" newf]} {
        exec mv $f $newf
        ..."
    (file "/usr/bin/cryptdir" line 39)
~$

I won't trouble you or anyone for a solution right now; cryptdir isn't something I require at present.


All times are GMT -5.