Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi, I have an HP Microserver with one HDD. I installed the latest Debian. I'm using LVM with ecryptfs. Every time the PC boots, I must type a password. Is it possible (and how) to use a USB flash drive where the private key is saved, so that when the PC is booting and the USB flash drive is connected, the PC starts automatically?
You have run into one of the core problems with whole HDD encryption, booting. In order to boot, the file system needs to be decrypted. The decryption key is password protected and to do otherwise would be both foolish and would defeat the purpose of encrypting the drive. I know of no way to put your password / key on a USB stick and use that to start up, and again - you run the real risk of defeating the purpose of encryption. My initial response would be to suggest that you reconsider your approach and ask why you are encrypting the WHOLE HDD? What I am getting at is do you really care if directories like /bin, which contain system binaries that are exact duplicates of widely distributed software, are encrypted or are you more concerned with your personal files located in your user's home directory? If you encrypt your home directory, it can be decrypted and mounted automatically when you log in, but the system can boot and other users (if any) can still access the system.
Edit: This subject has come up several times over the last year or so. A search of the security forum will provide you with a lot of information for research on the subject.
While I use LUKS without LVM it is entirely possible to set up HDD encryption to require a keyfile when booting, and to store said keyfile on a USB stick, so that boot is not possible without it plugged in. It is not complicated but does take some time and effort to implement. There are numerous HOW-TO's around the net.
The simplest approach is that mentioned by realbluntz: having your boot files and keyfile on the USB drive and booting from it.
A look through the security sub-forum, as suggested by Noway2, should yield plenty of reading material.
Why encrypt an entire drive? Because there are often bits and pieces of data stored elsewhere that can provide clues to an intruder. Some of us also don't believe in giving any advantage to a thief at all. Most drive encryption for a home user is more to protect information in case the drive is stolen than any other reason. Other reasons include work, political activity, social activism, etc.