Re: Encrypt /etc directory

On Sat, Jul 19, 2003 at 11:29:35PM +0300, kgb wrote:
> > > Which is the best way to encrypt the /etc directory? I want to prevent my /etc
> > > files from being viewed by other people, and when someone is trying to mount

Your untrusted users should perhaps be chroot'ed. *Or* don't give out
shell accounts to untrustworthy users. :)

> > I got my root-filesystem on cryptoloop, so my /etc is encrypted. I use
> > an initrd during boot to set this up.

> This way is good, but the password is stored on the hard drive, and that seems a very insecure way.

You never want to have your crypto passwords written to disk!

> But I don't want to encrypt the root filesystem, only the /etc directory. Any ideas?

/etc *must* be on the root filesystem. Many files in /etc are used as
the system boots. fstab, for example (one of the ones you seem to feel
insecure about?) is read. inittab is the map of the whole process.

Some /etc files could be symbolic links to files elsewhere (such as an
encrypted filesystem.) You would need to understand the init process to
determine which ones. Other /etc files (passwd and various system-wide
configuration files for user software) must be readable by all users.

I think once you gain an understanding of what's needed, you will no
longer want to do this. I remember seeing a chroot HOWTO once. You might
also be interested in access control mechanisms such as grsecurity. And
the Filesystem Hierarchy Standard ( http://www.pathname.com/fhs/ ) can
help to explain why /etc can't be separate from the / filesystem.

    Rob - /dev/rob0
-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
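
The reply above notes that some /etc entries could be symbolic links into another (for example encrypted) filesystem, while others are needed before anything else is mounted. The following is an added example, not part of the original message: it lists entries of a directory that resolve to a different filesystem or that dangle because their target is absent. The function names `classify_entry` and `audit_dir` are hypothetical, and GNU coreutils `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reports entries directly under a directory (default /etc) that would be
# unavailable while only the directory's own filesystem is mounted.
# Assumes GNU coreutils stat(1): -L follows symlinks, -c %d prints the device id.

classify_entry() {
    # $1 = path to check, $2 = device id of the reference directory
    if [ -L "$1" ] && [ ! -e "$1" ]; then
        echo "DANGLING"      # symlink target missing, e.g. its filesystem is not mounted
        return
    fi
    dev=$(stat -L -c %d -- "$1" 2>/dev/null) || { echo "UNREADABLE"; return; }
    if [ "$dev" = "$2" ]; then
        echo "SAME_FS"       # lives on the same filesystem as the directory
    else
        echo "OTHER_FS"      # only reachable once that other filesystem is mounted
    fi
}

audit_dir() {
    dir=${1:-/etc}
    ref=$(stat -L -c %d -- "$dir") || return 1
    for p in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$p" ] || [ -L "$p" ] || continue    # skip globs that matched nothing
        state=$(classify_entry "$p" "$ref")
        # Print only the entries that need attention, as "STATE<TAB>path".
        [ "$state" = "SAME_FS" ] || printf '%s\t%s\n' "$state" "$p"
    done
}
```

Source the file and run `audit_dir /etc`; any `OTHER_FS` or `DANGLING` line names a file that is not available until the filesystem holding its target is mounted.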

