LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 04-26-2011, 11:07 AM   #1
dbmits
LQ Newbie
 
Registered: Apr 2011
Posts: 8

Rep: Reputation: 2
Secure Linux server for application deployment


Hi all,
Please, I would like some help with the following:
I have implemented a web application on Linux that I want to deploy and sell to customers. I want to sell ready systems including the hardware. The application is written in PHP/MySQL.
What I am looking to achieve is:
1) Find a way for the filesystem and partitions to be encrypted, but without the need to enter a code when rebooting, so that if someone takes out the hard disks and attaches them to another system, they cannot get any access to my files or settings.
And of course, when rebooting (e.g. after a power failure), the encryption should be applied automatically.
2) I know that there are ways to bypass the root password on a Linux system. Can all these ways be disabled? I want the only way to access the system to be by using the root password and nothing else.

I have thought of using a virtual server instead of a physical one (like deploying a VirtualBox server), but I would still like this to be as secure as possible, covering not only remote but also local access to the system.

Please send your feedback and of course any additional ideas you might have.
Thank you very much.
 
Old 04-26-2011, 11:28 AM   #2
sibe
Member
 
Registered: Apr 2011
Location: Jakarta, Indonesia
Distribution: Fedora, CentOS
Posts: 122

Rep: Reputation: 21
Hi,

1. You might want to try cryptsetup. You can put the passphrase in /etc/crypttab to be loaded automatically when the system boots up.

2. Passwording GRUB?
 
Old 04-26-2011, 01:43 PM   #3
dbmits
LQ Newbie
 
Registered: Apr 2011
Posts: 8

Original Poster
Rep: Reputation: 2
Hi sibe, thanks for replying.
1) I will try cryptsetup.
2) But this means that on every restart a password must be given by hand, right? If yes, this is not what is needed.
 
Old 04-26-2011, 03:32 PM   #4
sibe
Member
 
Registered: Apr 2011
Location: Jakarta, Indonesia
Distribution: Fedora, CentOS
Posts: 122

Rep: Reputation: 21
Hi dbmits,

2. No. That means preventing anyone from getting into single user mode without supplying the password.

Basically, there are 4 ways to bypass system authentication and get the root prompt for free:

1. Boot to runlevel 1 (single user mode).
How to: interrupt the boot splash screen and add an S, 1 or single to the end of the kernel line.
How to prevent: add the following line to /etc/inittab, below si::sysinit:/etc/rc.d/rc.sysinit,

ss:S:respawn:/sbin/sulogin

Now if someone is trying to boot to runlevel 1, the system will ask for the root password before giving a shell prompt.

2. Boot directly to a shell, bypassing the init process.
How to: interrupt the boot splash screen and add the init=/bin/bash parameter to the end of the kernel line.
How to prevent: add a password to GRUB. From the command prompt, type this:

# grub-md5-crypt
Password: <password here>
Retype password: <password here>
$1$YzuO40$68zlZ18su5hCqm0Ifo.Nk.


Then add the hash characters to the grub.conf file:

--cut--
default=0
timeout=5
password --md5 $1$YzuO40$68zlZ18su5hCqm0Ifo.Nk.
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
--cut--


Now someone trying to interrupt the boot splash will be asked for the GRUB password.

3. Boot to rescue mode using CD/DVD.
How to: change the boot order in the BIOS to boot from a CD/DVD, load the CD/DVD, reboot, and type linux rescue at the boot: prompt.
How to prevent: disable the boot options for media other than the disk, and set a BIOS password to prevent anyone from changing the BIOS settings without supplying the BIOS password.

4. Clear/flush CMOS to reset BIOS setting.
How to: open the case and remove the CMOS battery, wait for a while to get the CMOS settings cleared out, put it back on the mainboard, load the BIOS menu and set it to boot from CD/DVD, repeat step 3.
How to prevent: seal your appliance before shipping it to your customers, get it welded, put some booby trap inside the case and set it to explode when someone tries to open the case.

Whatever you do, don't forget the password.

Good luck.
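
An added example, not part of the thread or any poster's code: a POSIX shell audit for the two config-file mitigations in post #4, the sulogin entry in /etc/inittab and the password line in grub.conf. Function names are hypothetical, and it assumes the GRUB legacy layout, where a password directive placed before the first title line is the global one.

```shell
#!/bin/sh
# Audit the two config-file mitigations from post #4 (SysV init + GRUB legacy).
# Function names are hypothetical; pass file paths so copies can be checked.

# check_sulogin INITTAB: 0 if an uncommented entry (id:runlevels:action:process)
# runs sulogin for runlevel S, else 1.
check_sulogin() {
    awk -F: '
        /^[ \t]*#/ { next }
        NF >= 4 && $2 ~ /[Ss]/ && $4 ~ /sulogin/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_grub_password GRUBCONF: looks only at the global section, i.e. lines
# before the first "title". 0 = password with an option such as --md5,
# 1 = no global password, 2 = password stored in plain text.
check_grub_password() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "title" { exit }
        $1 == "password" { seen = 1; rc = ($2 ~ /^--/) ? 0 : 2; exit }
        END { exit (seen ? rc : 1) }
    ' "$1"
}

# audit_boot INITTAB GRUBCONF: print a report, return the number of findings.
audit_boot() {
    findings=0
    if check_sulogin "$1"; then
        echo "OK   runlevel S asks for the root password ($1)"
    else
        echo "FAIL no sulogin entry for runlevel S in $1"
        findings=$((findings + 1))
    fi
    check_grub_password "$2" && grub_rc=0 || grub_rc=$?
    case $grub_rc in
        0) echo "OK   global GRUB password with a hash option ($2)" ;;
        2) echo "WARN plain-text GRUB password in $2"; findings=$((findings + 1)) ;;
        *) echo "FAIL no global password directive in $2"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Run only when both paths are given, e.g.: sh audit.sh /etc/inittab /path/to/grub.conf
if [ "$#" -ge 2 ]; then audit_boot "$1" "$2"; fi
```

A password directive that appears only inside a title entry is reported as a failure, because it does not cover the global section that the check reads.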
 
Old 04-26-2011, 06:47 PM   #5
dbmits
LQ Newbie
 
Registered: Apr 2011
Posts: 8

Original Poster
Rep: Reputation: 2
Hi sibe, thank you.
Your help is very much appreciated.
 
Old 05-11-2011, 03:35 PM   #6
dbmits
LQ Newbie
 
Registered: Apr 2011
Posts: 8

Original Poster
Rep: Reputation: 2
Hi again, I have just installed Debian 6 and cannot find grub-md5-crypt anywhere.
How can I install it on the system?
Thank you.
 
  


All times are GMT -5. The time now is 08:49 AM.
