I have important confidential data that I'd like to protect, for example in case the computer holding it is stolen.
I've read some info about encryption and I have a vague recollection of reading an encryption example where someone was asked to provide a key at boot time in order to have access to certain data.
I am thinking of something similar where only the encrypted data exists on the computer and is only accessible if the machine was provided with a key at boot time; in other words, the key is lost when power is turned off and the data becomes useless to anyone not having the key.
Is this scenario realistic? And if it is could someone explain the steps involved or point to suitable links for someone with only a basic understanding of encryption?
I'd like to automate this process and include these steps in a program. The data involved is forms returned through HTTPS.
Quote:
Originally posted by rblampain Is this scenario realistic? And if it is could someone explain the steps involved or point to suitable links for someone with only a basic understanding of encryption?
Yes. Search the forums for encrypting hard drives. There are usually at least two posts per week on the subject, so finding information shouldn't be any problem.
As far as providing the key at boot time, that's up to you. That setup will be more difficult to get up and running and if you ever forget the key, you are totally hosed. The easier solution is to set up a partition that is encrypted (e.g. /dev/hda6), not the entire drive. Then you can store all sensitive data on that partition. You will have to provide the key in order to mount the device, so you don't lose any security there, and if you lose the key, you aren't hosed.
Quote:
Originally posted by rblampain I'd like to automate this process and include these steps in a program.
Which process? If you automate mounting of the drive, then you will need to have the key stored in a file somewhere and you lose all security provided by the key. Automating mounting of the drive makes little sense in most cases.
Thanks TruckStuff. I'll investigate as you suggested.
Will I easily find clarification of your comment (reproduced below) concerning options that allow us to survive the loss of the key and those that don't? The option that would allow survival after the loss of the key seems to defeat our purpose.
<<<You will have to provide the key in order to mount the device, so you don't lose any security there, and if you lose the key, you aren't hosed.>>>
Quote:
The option that would allow survival after the loss of the key seems to defeat our purpose.
How so? What, exactly, is your purpose? Confidentiality, Integrity, ... ?
I also think you two are talking about two different kinds of survival.
If you lose the key (in the example where (only) a partition for sensitive data is encrypted), you can't access the data on the partition, but the rest of the system won't be affected.
If you lose the key in the first example (that is, encrypt the *entire* disk), you won't even be able to boot the system (or at least, it wouldn't be terribly useful).
Of course, if your business depends on that data, you're hosed in both cases of losing the key. Conclusion: don't lose the key.
The purpose is confidentiality. When I talk about automating the process, I'm talking about the encryption process, not the entering of the key at boot time.
I'm confusing you when I say the key should be lost when power goes off; I should have said that the key should be kept in memory, even if it's a file in a ramdrive, so that disconnecting the power makes the key disappear and renders the data useless to anyone who doesn't have the key.
I've started another thread with a different question but on the same topic; it looks like the 2 are converging.
I'm going to search more into LQ answers and the net because I think I may have the wrong basic idea about encryption.
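The distinction drawn in this thread (a key stored in a file so the volume mounts automatically, versus a key typed at mount time or held only in RAM) can be audited by reading where each encrypted volume gets its key. The script below is an added example, not part of any post: it assumes dm-crypt with the standard crypttab layout, treats /run and /dev/shm as RAM-backed, and uses constructed sample entries (only /dev/hda6 comes from the thread).

```shell
#!/bin/sh
# Added example: classify where each crypttab entry gets its key from.
# Assumed layout (standard crypttab): name  device  keyfile  options

classify_crypttab() {
    # $1: path to a crypttab-format file; prints "<name> <verdict>" per entry
    awk '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        {
            name = $1
            key = (NF >= 3) ? $3 : "none"      # missing key field means prompt
            if (key == "none" || key == "-")
                verdict = "prompt"             # passphrase typed at unlock time
            else if (key == "/dev/urandom" || key == "/dev/random")
                verdict = "ephemeral"          # fresh random key each boot (swap)
            else if (key ~ /^\/(run|dev\/shm)\//)
                verdict = "ram"                # assumed tmpfs: gone at power-off
            else
                verdict = "disk"               # key file stored beside the data
            print name, verdict
        }
    ' "$1"
}

count_disk_keys() {
    # Number of volumes a thief could unlock with a key found on the same machine
    classify_crypttab "$1" | awk '$2 == "disk" { n++ } END { print n + 0 }'
}

# Constructed sample input
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# name   device      keyfile               options
secure   /dev/hda6   none                  luks
auto     /dev/hda7   /etc/keys/auto.key    luks
swap     /dev/hda5   /dev/urandom          swap
forms    /dev/hda8   /run/keys/forms.key   luks
EOF

classify_crypttab "$sample"
echo "volumes with key on disk: $(count_disk_keys "$sample")"
```

On a real system, point `classify_crypttab` at `/etc/crypttab`; any `disk` verdict means the data is only as safe as the key file sitting next to it.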