Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm using DMcrypt to secure the hard drive, but the boot sector can't be encrypted, as this will not let me boot. What is the most secure way to boot into RedHat? I don't want anyone to be able to use single-user to bypass any security settings. My goal is to use open source so data on a system that is not accessible by unauthorized folks, even if they are physically at the machine or remove the hard drive.
I'm using DMcrypt to secure the hard drive, but the boot sector can't be encrypted, as this will not let me boot. What is the most secure way to boot into RedHat? I don't want anyone to be able to use single-user to bypass any security settings. My goal is to use open source so data on a system that is not accessible by unauthorized folks, even if they are physically at the machine or remove the hard drive.
Separate the boot process from the hard disk (boot from removable media instead).
It's the only way you can have your entire hard disk encrypted (unless you have some fancy BIOS).
You can get an idea of what this involves by reading this article.
I'm using DMcrypt to secure the hard drive, but the boot sector can't be encrypted, as this will not let me boot. What is the most secure way to boot into RedHat? I don't want anyone to be able to use single-user to bypass any security settings. My goal is to use open source so data on a system that is not accessible by unauthorized folks, even if they are physically at the machine or remove the hard drive.
Thanks!
Take a look at TrueCrypt (http://www.truecrypt.org). It lets you encrypt the entire disk, including boot. Very solid, and great encryption and speed.
Take a look at TrueCrypt (http://www.truecrypt.org). It lets you encrypt the entire disk, including boot. Very solid, and great encryption and speed.
If you use TrueCrypt and boot from the hard drive itself, the TrueCrypt boot loader isn't encrypted, and it can be tampered with and used to steal the key from you. Regardless of which encryption solution you use, you're still gonna need to boot from separate media if you really want your whole drive to be encrypted. With whole disk encryption, you really shouldn't even have a /boot at all on the hard drive (or a boot loader, for that matter).
Thanks for the feedback! I'm also going to try a 3rd party hard drive that has full encryption via an embedded chip. I haven't been able to find a way to really lock down a system from someone who has physical access to it... This is quite a challenge.
Thanks for the feedback! I'm also going to try a 3rd party hard drive that has full encryption via an embedded chip. I haven't been able to find a way to really lock down a system from someone who has physical access to it... This is quite a challenge.
Indeed it is. Even with proprietary software like Pointsec, an administrator (with the right codes/phone #'s), can gain access to a resource. The best you can hope for is to lessen the risk...thin-client machines worked well for alot of our needs here, and we can provide Linux/Windows desktops, without USB/optical devices everywhere. A 'real' computer is more difficult. We've used a combination of stuff here, with good success, but it's never perfect.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.