Perhaps I phrased the question incorrectly, and should have rather tried to explain my problem to see if there is a better solution available.

My goal is to create a fully self-contained Linux system on a flash disk that can be distributed. However, I don't want someone to be able to copy the flash disk onto another medium. Which is why I turned to encryption as a possible solution. I've got specific needs and reasons to want to accomplish this, so I'm hoping no one starts to debate the issue of distributing an encrypted Linux system.

The question, however, is how can I accomplish this? The system is a self-contained, automated black box, which requires no user access. Any access the user needs will be done over a TTYS for specific configuration issues. That way, I can completely disable login shells and any other such access to the machine. How do I prevent someone from putting the flash card into another installation of Linux and copying it off though?

I'm not worried about the machine being stolen. I'm more concerned with someone copying the info off the drive. Since this is an autonomous machine, there are no login prompts, or any other ways that a user can actually get to a prompt. (The only reason I even keep the shell is to run some scripts...) My concern is that someone is able to throw this disk into another machine and get to all my stuff....

I was considering using the MAC address, but then that would require building each disk for each computer independently....

Any thoughts?

Thanks!
Eric

----- Original Message -----
From: "Dale Amon" <amon@vnl.com>
Newsgroups: nlo.lists.linux-crypto
Sent: Saturday, May 04, 2002 5:46 AM
Subject: Re: Encrypting root partition

> On Sat, May 04, 2002 at 12:52:58AM -0400, Eric wrote:
> > Am I missing something here? Is there any way to securely encrypt the root
> > partition?
>
> I think you are missing something. If a machine can boot autonomously,
> then there is no password or a password available in plaintext. Therefore
> if the machine is stolen, all pieces are available.
>
> The only angle I can think of is a boot rom tied to the normal
> boot process that does a secure public key exchange over the
> local ethernet. That moves the problem one level back, to a
> local key server.
>
> That's a bit of a tall order to implement, but it would probably
> work, so long as you knew the machine was stolen and were able
> to block any further key exchange.
>
> -
> Linux-crypto: cryptography in and on the Linux system
> Archive: http://mail.nl.linux.org/linux-crypto/
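
Added example, not part of the original messages: a Python sketch of the MAC-address binding considered above, going one step beyond the thread by wrapping a single shared volume key per device so that only a small header differs per disk. The function names, header layout and the HMAC-based wrap (a stand-in for a real key-wrap cipher) are assumptions; every input is still readable on the machine, so the objection in the quoted reply applies unchanged.

```python
import hashlib
import hmac
import os


def derive_kek(mac: str, salt: bytes) -> bytes:
    """Key-encryption key from the NIC's MAC address and an on-disk salt."""
    norm = mac.lower().replace("-", ":").encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)


def _prf(kek: bytes, label: bytes) -> bytes:
    # 32-byte pseudo-random output keyed by the KEK (hypothetical helper).
    return hmac.new(kek, label, hashlib.sha256).digest()


def wrap_volume_key(volume_key: bytes, mac: str) -> dict:
    """Build the per-device header; the encrypted image itself is shared."""
    if len(volume_key) != 32:
        raise ValueError("volume key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt, so each header gets a fresh KEK
    kek = derive_kek(mac, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, _prf(kek, b"wrap")))
    return {"salt": salt, "wrapped": wrapped, "tag": _prf(kek, b"tag" + wrapped)}


def unwrap_volume_key(header: dict, mac: str):
    """Return the volume key, or None when the header was built for another MAC."""
    kek = derive_kek(mac, header["salt"])
    expected = _prf(kek, b"tag" + header["wrapped"])
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(header["wrapped"], _prf(kek, b"wrap")))


if __name__ == "__main__":
    image_key = os.urandom(32)          # one key for the shared encrypted image
    mac_a = "00:11:22:33:44:55"         # constructed sample addresses
    mac_b = "00:11:22:33:44:66"
    hdr_a = wrap_volume_key(image_key, mac_a)
    print("unlocks on device A:", unwrap_volume_key(hdr_a, mac_a) == image_key)
    print("unlocks on device B:", unwrap_volume_key(hdr_a, mac_b) is not None)
```
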