Hi, I would like to encrypt the root partition in such a way that it would only open in my one laptop,
and without asking for a password, for example with an MD5 hash from MACs or a public key, so that if someone takes my HD it wouldn't open at all. And I don't want to put any password question on boot.
So is it possible?
Thinking through the logic of what you want, you would need to hold the "secret" (e.g. public key, hash) somewhere that was physically on your laptop but not on the hard drive.
The only way I can think of doing it is to have a mini-distro on a diskette or USB flash key. Then you could boot off that and use it to bootstrap your main disk.
Originally posted by joulupukki:
So there is no way to use, for example, some bootup script before root mount to detect the key and mount the root with that one?
What extra security would that give you? How would it make it harder for an attacker to get access to your computer?
Well, it's a long story, but in short, the machine will be in other people's hands and I don't want them to take the HD, mount it in some other machine and read my secret stuff.
If you have a key on the hard drive, and it isn't password protected, that key will still be there whoever boots up the computer. If someone else has it, what stops them mounting your encrypted partition? If they've got the disk, they've got the key and since there's no password, what can you do?
For this to work, you need to protect the key so no-one else can get it. That means either using a password or having it physically separate from the computer so you can give someone else the computer and keep the key.
If you want to avoid someone reading your secret stuff, why not just encrypt your files; or have an encrypted partition? They would need a password or pass-phrase to decrypt but it is easy and safe.
So it seems that it's not possible to do a system with one encrypted fs in such a way that it would boot only in one machine, without asking for a password. Maybe I then need to do that bootup partition and a script there to detect the hardware, for example, and then automount the other encrypted system if the hardware is correct.
Originally posted by joulupukki:
So it seems that it's not possible to do a system with one encrypted fs in such a way that it would boot only in one machine, without asking for a password.
It is possible, just totally insecure and since security is what you are trying to achieve...
Quote:
Maybe I then need to do that bootup partition and a script there to detect the hardware, for example, and then automount the other encrypted system if the hardware is correct.
That is an option; but how will you stop an attacker from editing your script so it allows boot-up on their hardware?
What it comes down to is that you need a key to unlock the encrypted disk. What you are doing is like locking your front door with a key, then leaving the key under the mat, just hoping that no burglar notices.
A key needs to have one (or more) of three properties:
- something you know (and keep secret) such as a password
- something you have (and no one else has) such as a smart card
- something you are (and no-one else is) like your fingerprint or retina
The keys you are proposing are something you have - a file on your computer. The problem is that the key, along with any script, must be unencrypted so anyone who has the hard drive will also have them, so they fail as a good key.
Well, if the first is possible, then how do I execute, for example, a C script to do it before root is mounted?
That is the next big question, because I don't want to enter that password by hand, and I want it to be bootable only in my machine.
Originally posted by joulupukki:
Well, if the first is possible, then how do I execute, for example, a C script to do it before root is mounted?
That is the next big question, because I don't want to enter that password by hand, and I want it to be bootable only in my machine.
But it won't do what you want: it won't stop someone booting your disk from different hardware by editing the script, so why do it?
You all are missing a point here... Besides the absolute stupidity of having a boot script do it for you, how the hell would you run it if your rootfs is encrypted?
A good way to do it is to store the key (or the script) on a floppy... but for even more security you do that hardware checking thing, and then burn it to a read-only CD, and have it detect a serial or something on the CD...
An even better alternative is to burn all your secret stuff to a CD (or zip disk, tape drive, blah blah...) and delete it from your hard drive using shred(1) or some other thing that accomplishes the same thing...
The point of this is simple. My laptop goes to another company for use, with normal use for a while. I have root-owned stuff there I don't want them ever to see, so I can't give them the key. And I also can't give them an option to mount the HD and then read them, and in this situation my point is clear, like I told in my first post. There is no CD-ROM nor floppy in my laptop either (Dell X300). And that is exactly the problem: how to run that script or something, without a separate boot partition that mounts the encrypted one. Some say it is possible, some say it's not.
Quote:
I have root-owned stuff there I don't want them ever to see
If it shouldn't leave the firm, encrypt it and put it on network storage. Otherwise move stuff, put it on a separate encrypted partition. If it's a few files, tar 'em up, then GPG encrypt. If that doesn't do it you better give clear examples why not. The way you keep looking at this single "solution" to your problem, that's not gonna work. Like all the other ppl told you.
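The argument running through this thread, modelled as an added example (not code posted by any participant): for each of the three key sources discussed, it checks whether someone holding the whole laptop, or only the removed disk, can rebuild the same disk key as the owner. All values, names and the PBKDF2 parameters are constructed assumptions.

```python
import hashlib

# Constructed sample values; none of them come from the thread.
MAC = "00:11:22:33:44:55"            # readable by anyone who boots the laptop
KEYFILE = b"\x13" * 32               # key left unencrypted beside the boot script
SALT = b"salt-kept-in-disk-header"   # public by design, stored on the disk
PASSPHRASE = "constructed example passphrase"  # exists only in the owner's head

# What each party can observe (assumption: the MAC is not also written
# somewhere on the unencrypted part of the disk).
OWNER = {"keyfile": KEYFILE, "salt": SALT, "mac": MAC, "passphrase": PASSPHRASE}
LAPTOP_HOLDER = {k: OWNER[k] for k in ("keyfile", "salt", "mac")}
DISK_ONLY = {k: OWNER[k] for k in ("keyfile", "salt")}

def key_from_keyfile(seen):
    return seen.get("keyfile")

def key_from_hardware(seen):
    # The "MD5 hash from MACs" idea from the first post.
    mac = seen.get("mac")
    return hashlib.md5(mac.encode()).digest() if mac else None

def key_from_passphrase(seen):
    secret = seen.get("passphrase")
    if secret is None:
        return None
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), seen["salt"], 200_000)

SCHEMES = {
    "keyfile on boot partition": key_from_keyfile,
    "MD5 of MAC address": key_from_hardware,
    "passphrase typed at boot": key_from_passphrase,
}

def can_unlock(scheme, seen):
    """True if a party with this view derives the same key as the owner."""
    derive = SCHEMES[scheme]
    return derive(seen) == derive(OWNER)

def exposure():
    return {name: {"laptop": can_unlock(name, LAPTOP_HOLDER),
                   "disk": can_unlock(name, DISK_ONLY)} for name in SCHEMES}

if __name__ == "__main__":
    for name, row in exposure().items():
        print(f"{name:28} laptop holder: {row['laptop']!s:5}  disk only: {row['disk']}")
```

Only the passphrase scheme keeps the key from both parties; the hardware-derived key stops a disk-only thief in this model but not the company that has the laptop itself, which is the situation described in the thread.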