LinuxQuestions.org
10-28-2008, 07:57 AM   #1
prodonice
LQ Newbie
Registered: Sep 2003
Location: Metro Philadelphia
Distribution: Red Hat/Fedora
Posts: 5

Secure Boot

I'm using dm-crypt to secure the hard drive, but the boot sector can't be encrypted, as this will not let me boot. What is the most secure way to boot into RedHat? I don't want anyone to be able to use single-user to bypass any security settings. My goal is to use open source so that data on a system is not accessible by unauthorized folks, even if they are physically at the machine or remove the hard drive.

Thanks!
 
10-28-2008, 12:35 PM   #2
win32sux
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by prodonice
I'm using dm-crypt to secure the hard drive, but the boot sector can't be encrypted, as this will not let me boot. What is the most secure way to boot into RedHat? I don't want anyone to be able to use single-user to bypass any security settings. My goal is to use open source so that data on a system is not accessible by unauthorized folks, even if they are physically at the machine or remove the hard drive.

Separate the boot process from the hard disk (boot from removable media instead).

It's the only way you can have your entire hard disk encrypted (unless you have some fancy BIOS).

You can get an idea of what this involves by reading this article.

Last edited by win32sux; 10-28-2008 at 12:37 PM.
 
10-28-2008, 01:16 PM   #3
TB0ne
Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack, CentOS
Posts: 14,769

Quote:
Originally Posted by prodonice
I'm using dm-crypt to secure the hard drive, but the boot sector can't be encrypted, as this will not let me boot. What is the most secure way to boot into RedHat? I don't want anyone to be able to use single-user to bypass any security settings. My goal is to use open source so that data on a system is not accessible by unauthorized folks, even if they are physically at the machine or remove the hard drive.

Thanks!

Take a look at TrueCrypt (http://www.truecrypt.org). It lets you encrypt the entire disk, including boot. Very solid, and great encryption and speed.
 
10-28-2008, 01:45 PM   #4
win32sux
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by TB0ne
Take a look at TrueCrypt (http://www.truecrypt.org). It lets you encrypt the entire disk, including boot. Very solid, and great encryption and speed.

If you use TrueCrypt and boot from the hard drive itself, the TrueCrypt boot loader isn't encrypted, and it can be tampered with and used to steal the key from you. Regardless of which encryption solution you use, you're still gonna need to boot from separate media if you really want your whole drive to be encrypted. With whole disk encryption, you really shouldn't even have a /boot at all on the hard drive (or a boot loader, for that matter).

Last edited by win32sux; 10-28-2008 at 01:47 PM.
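
The boot loader tampering described in post #4 can at least be detected. The following is an added example, not part of the thread: it records hashes of the unencrypted area before the first partition and of the /boot files, and compares them later. The function names, the start sector of 63 and the sample data are assumptions; the manifest is meant to live on removable media and be checked from a trusted boot, as root when reading a real device.

```bash
#!/bin/sh
# Added example (not from the thread). Assumptions: the disk device, the /boot
# path and the first partition's start sector are supplied by the caller, and
# the manifest is kept on removable media and checked from a trusted boot.

# boot_manifest DISK BOOT_DIR FIRST_SECTOR
# Print "sha256  name" for the area before the first partition (MBR boot code,
# partition table, boot loader stages stored in the gap) and for each /boot file.
boot_manifest() {
    printf '%s  pre-partition-area\n' \
        "$(head -c "$(( $3 * 512 ))" "$1" | sha256sum | cut -d' ' -f1)"
    ( cd "$2" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done )
}

# boot_verify MANIFEST DISK BOOT_DIR FIRST_SECTOR
# Lines that appear only once across the saved and current manifests differ
# (changed, added or removed). Print their names and return 1 if there are any.
boot_verify() {
    changed=$( { cat "$1"; boot_manifest "$2" "$3" "$4"; } |
        LC_ALL=C sort | uniq -u | sed 's/^[0-9a-f]*  //' | LC_ALL=C sort -u )
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed" | sed 's/^/CHANGED: /'
        return 1
    fi
    echo "boot area matches manifest"
}

# Constructed sample data: a 64-sector fake disk image and a fake /boot tree.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/boot/grub"
    head -c $((64 * 512)) /dev/zero > "$d/disk.img"
    echo "constructed kernel" > "$d/boot/vmlinuz"
    echo "constructed stage2" > "$d/boot/grub/stage2"
    boot_manifest "$d/disk.img" "$d/boot" 63 > "$d/manifest.sha256"
    echo "$d"
}

# Demo on the constructed data: nothing was modified, so the check passes.
d=$(demo_setup) && boot_verify "$d/manifest.sha256" "$d/disk.img" "$d/boot" 63
rm -rf "$d"
```

A check run from the same disk it inspects can be subverted by whatever modified that disk, which is why the manifest and the verifying system both belong on the removable media.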
 
10-29-2008, 01:11 PM   #5
prodonice
LQ Newbie
Registered: Sep 2003
Location: Metro Philadelphia
Distribution: Red Hat/Fedora
Posts: 5
Original Poster

Thanks for the feedback! I'm also going to try a 3rd party hard drive that has full encryption via an embedded chip. I haven't been able to find a way to really lock down a system from someone who has physical access to it... This is quite a challenge.
 
10-29-2008, 01:36 PM   #6
TB0ne
Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack, CentOS
Posts: 14,769

Quote:
Originally Posted by prodonice
Thanks for the feedback! I'm also going to try a 3rd party hard drive that has full encryption via an embedded chip. I haven't been able to find a way to really lock down a system from someone who has physical access to it... This is quite a challenge.

Indeed it is. Even with proprietary software like Pointsec, an administrator (with the right codes/phone #'s) can gain access to a resource. The best you can hope for is to lessen the risk... thin-client machines worked well for a lot of our needs here, and we can provide Linux/Windows desktops without USB/optical devices everywhere. A 'real' computer is more difficult. We've used a combination of stuff here, with good success, but it's never perfect.

Good luck.
 
  

