Re: Encrypt /etc directory

I understand, but does that mean, let's say, that when someone steals my
computer he can view all my data config files? How can I prevent this?
And if I can't, is there a way to encrypt only some config files, with
symlinks to /etc on an encrypted loop device? But in this way I must
write my crypto password somewhere, because I'm not able to type the
password every time the server boots and asks for the password to mount
the encrypted loop device, and if I write it somewhere on the hard drive
this is insecure. As for users, I don't have users :) The big problem is
when someone steals the server: what happens? Can I prevent this person
from mounting and viewing my hard drive?
On Sat, 2003-07-19 at 23:53, Rob McGee wrote:
> On Sat, Jul 19, 2003 at 11:29:35PM +0300, kgb wrote:
> > > > Which is the best way to encrypt the /etc directory? I want to prevent my /etc
> > > > files from being viewed by other people and when someone trying to mount
> 
> Your untrusted users should perhaps be chroot'ed. *Or* don't give out
> shell accounts to untrustworthy users. :)
> 
> > > I got my root-filesystem on cryptoloop, so my /etc is encrypted. I use
> > > an initrd during boot to set this up.
> 
> > This way is good, but the password is stored on the hard drive and that seems a very insecure way
> 
> You never want to have your crypto passwords written to disk!
> 
> > But I don't want to encrypt the root filesystem, only the /etc directory. Any ideas?
> 
> /etc *must* be on the root filesystem. Many files in /etc are used as
> the system boots. fstab, for example (one of the ones you seem to feel
> insecure about?) is read. inittab is the map of the whole process.
> 
> Some /etc files could be symbolic links to files elsewhere (such as an
> encrypted filesystem.) You would need to understand the init process to
> determine which ones. Other /etc files (passwd and various system-wide
> configuration files for user software) must be readable by all users.
> 
> I think once you gain an understanding of what's needed, you will no
> longer want to do this. I remember seeing a chroot HOWTO once. You might
> also be interested in access control mechanisms such as grsecurity. And
> the Filesystem Hierarchy Standard ( http://www.pathname.com/fhs/ ) can
> help to explain why /etc can't be separate from the / filesystem.
> 
>     Rob - /dev/rob0
> -
> Linux-crypto:  cryptography in and on the Linux system
> Archive:       http://mail.nl.linux.org/linux-crypto/
-- 
Feci quod potui, faciant meliora potentes!

Attachment: signature.asc
Description: This is a digitally signed message part
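
The quoted reply's point that only some /etc files can be symlinks onto an encrypted filesystem can be checked mechanically. The script below is an added example, not part of the original thread; it assumes GNU `readlink -f`, and the function names, the `KEEP-ON-ROOT` label and the `BOOT_FILES` list (built only from the files the message names) are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Finds symlinks in an /etc-style
# directory that resolve onto an encrypted mount point and flags those the
# message says must stay on the root filesystem.

# Named in the thread: fstab and inittab are read during boot; passwd must
# be readable by all users. Assumption: extend for your own init scripts.
BOOT_FILES="fstab inittab passwd"

# audit_etc_links ETC_DIR CRYPT_MOUNT
# Prints "KEEP-ON-ROOT name -> target" or "OK name -> target" for each
# symlink resolving under CRYPT_MOUNT. Returns 1 if any KEEP-ON-ROOT found.
audit_etc_links() {
    etc_dir=$1
    crypt=$(readlink -f "$2") || return 2
    found=0
    for path in "$etc_dir"/*; do
        [ -L "$path" ] || continue                 # only symlinks matter
        target=$(readlink -f "$path") || continue  # resolve the full chain
        case "$target" in "$crypt"/*) ;; *) continue ;; esac
        name=${path##*/}
        verdict=OK
        for f in $BOOT_FILES; do
            if [ "$name" = "$f" ]; then verdict=KEEP-ON-ROOT; found=1; fi
        done
        printf '%s %s -> %s\n' "$verdict" "$name" "$target"
    done
    return "$found"
}

# Constructed sample tree (not real system files): fstab and app.conf are
# symlinked onto the "encrypted" directory, hosts is a regular file.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/etc" "$tmp/crypt"
    echo x > "$tmp/crypt/fstab"
    echo x > "$tmp/crypt/app.conf"
    echo x > "$tmp/etc/hosts"
    ln -s "$tmp/crypt/fstab" "$tmp/etc/fstab"
    ln -s "$tmp/crypt/app.conf" "$tmp/etc/app.conf"
    rc=0
    audit_etc_links "$tmp/etc" "$tmp/crypt" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

A `KEEP-ON-ROOT` line means the link would dangle until the encrypted volume is mounted, which is the situation the reply warns about for files read as the system boots.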

