hi, i would like to encrypt root partition the way that it would only open in my onlyone laptop,
and without asking a password. with example md5 hash from macs or public key, and if someone takes my hd, so it wouldn't open at all. and i dont want to put any password question on boot.
So is it possible?

I don't know of a specific mechanism.

Thinking through through the logic of what you want, you would need to hold the "secret" (e.g. public key, hash) somewhere that was physically on your laptop but not on the hard drive.

The only way I can think of doing it is to have a mini-distro on a diskette or USB flash key. Then you could boot off that and use it to bootstrap your main disk.

so there is no way to use example some bootup script before root mount to detect the key and mount the root with that one?

What extra security would that give you? How would it make it harder for an attacker to get access to your computer?

well, it's a long story, but in short, the machine will be on other peoples hands and i dont want that they take the hd and mount it some other machine and read my secret stuff.

OK, but I think you're missing my point.

If you have a key on the hard drive, and it isn't password protected, that key will still be there whoever boots up the computer. If someone else has it, what stops them mounting your encrypted partition? If they've got the disk, they've got the key and since there's no password, what can you do?

For this to work, you need to protect the key so no-one else can get it. That means either using a password or having it physically separate from the computer so you can give someone else the computer and keep the key.

If you want to avoid someone reading your secret stuff, why not just encrypt your files; or have an encrypted partition? They would need a password or pass-phrase to decrypt but it is easy and safe.

Dunno if it will help, but this is where I would look for the answer:

Google's HOWTO encrypted root fs + swap fs

You would need, of course, somewhere where the key is stored. Like an usb dongle or something.

so it seems that it's not possible to do a system with one encrypted fs the way it would boot only in one machine,without asking a password.. maybe i then need do that bootup partition and a script there to detect hardware example and then automount the other encrypted system if hardware is correct, example.

It is possible, just totally insecure and since security is what you are trying to achieve...

That is an option; but how will you stop an attacker from editing your script so it allows boot-up on their hardware?

What it comes down to is that you need a key to unlock the encrypted disk. What you are doing is like locking your front door with a key, then leaving the key under the mat, just hoping that no burglar notices.

A key needs to have one (or more) of three properties :
- something you know (and keep secret) such as a password
- something you have (and no one else has) such as a smart card
- something you are (and no-one else is) like your fingerprint or retina

The keys you are proposing are something you have - a file on your computer. The problem is that the key, along with any script, must be unencrypted so anyone who has the hard drive will also have them, so they fail as a good key.

well, if the first is possible then how to execute example c-script to do it before root is mounted?
that is the next big question.. becouse i dont want to enter that password by hand,and i want it to be bootable only in my machine.

But it won't do what you want : it won't stop someone booting your disk from different hardware by editing the script, so why do it?

you all are missing a point here...... besides the absolute stupidity of having a boot script do it for you, how the hell would you run it if your rootfs is encrypted?

a good way to do it is to store the key (or the script) on a floppy..... but for even more security you do that hardware checking thing, and then burn it to a read only cd, and have it detect a serial or something on the cd...

an even better alternative is to burn all your secret stuff to a cd (or zip disk, tape drive, blah blah......) and delete it frome your hard drive using shred(1) or some other thing that accomplishes the same thing....

the point of this is simple. my laptop goes to other company in use, with normal use for a while. i have there root owned stuff i dont want them ever to see, so i can't give them the key. and i cant give them also an option to mount the hd and then read them, and in this situation my point is clear, like i told in my first post. there is no cdrom nor floppy in my laptop also(dell x300). And that is exactly the problem, how to run that script or something,without seperated boot partition that mounts the encrypted. some say it is possible, some say it's not.

i have there root owned stuff i dont want them ever to see
If it shouldn't leave the firm, encrypt it and put it on network storage. Otherwise move stuff, put it on a separate encrypted partition. If it's a few files, tar 'em up, then GPG encrypt. If that doesn't do it you better give clear examples why not. The way you keep looking at this single "solution" to your problem, that's not gonna work. Like all the other ppl told you.