If I understand you correctly:
1) you need to store the password on some media readable by the computer because the machine may need to reboot without user intervention -- you want it to start up without typing a password.
2) you are concerned about people with physical access to the computer.
This is a reasonable collection of concerns for a co-located server (for example). But it is particularly difficult to solve.
Generally, a way to solve the "no user intervention" issue is to write the password on some media, called an access token. You could use a CD, USB drive, or a smart card.
The problem is that you will need to keep the token inserted into the computer, defeating any security advantage, I think.
The only way I can think of is for you to use an init RAM disk to acquire the token (password) from another computer, via a network connection. Then if the computer is ever stolen, you can disable this token (remotely, if need be).
This remote-token approach is at least as difficult as encrypted-root, which I think you will need anyway.
Consider using an NFS-boot ramdisk to get started.
best of luck,
-- boyd
kgb wrote:
I understand, but does that mean that, let's say, when someone steals my computer he can view all my data config files? Hm, how can I prevent this? And if I can't, is there a way to encrypt only some config files, with symlinks to /etc on an encrypted loop device? But in this way I must write my crypto password somewhere, because I'm not able to type the password every time the server boots and asks for the password to mount the encrypted loop device, and if I write it somewhere on the hard drive this is insecure. And as for users, I don't have users :) The big problem is what happens when someone steals the server: can I prevent this person from mounting and viewing my hard drive?
- Linux-crypto: cryptography in and on the Linux system Archive: http://mail.nl.linux.org/linux-crypto/
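The remote-token approach from the reply above, sketched as an initramfs-stage script (an added example, not code from the thread). The key server URL, device, mapper name, CA path and the server's behaviour (key on success, an HTTP error once the token is disabled) are assumptions, as is the key being a text passphrase.

```shell
#!/bin/sh
# Added example: fetch the root-volume key from a remote key server at boot.
# Assumed (hypothetical) values: KEY_URL, ROOT_DEV, MAPPER_NAME, CA_FILE.
# The initramfs must already have brought the network up before this runs.
KEY_URL="${KEY_URL:-https://keys.example.invalid/hosts/colo-01/rootkey}"
ROOT_DEV="${ROOT_DEV:-/dev/sda2}"
MAPPER_NAME="${MAPPER_NAME:-cryptroot}"
CA_FILE="${CA_FILE:-/etc/keyserver-ca.pem}"

# Print the key on stdout. --fail turns an HTTP 4xx/5xx (for example a
# token the owner has disabled) into a non-zero exit status.
fetch_key() {
    curl --fail --silent --show-error --max-time 10 \
         --cacert "$CA_FILE" "$KEY_URL"
}

# Open the LUKS volume with the key read from stdin, so the key never
# touches the disk or a command line.
open_volume() {
    cryptsetup open --type luks --key-file - "$ROOT_DEV" "$MAPPER_NAME"
}

# Returns 0 when unlocked, 1 when no key could be obtained (revoked or
# unreachable server: fail closed), 2 when the key was rejected.
unlock_root() {
    tries="${1:-3}"
    n=1
    while [ "$n" -le "$tries" ]; do
        if key=$(fetch_key) && [ -n "$key" ]; then
            if printf '%s' "$key" | open_volume; then
                unset key
                return 0
            fi
            unset key
            return 2
        fi
        n=$((n + 1))
        if [ "$n" -le "$tries" ]; then sleep "${RETRY_DELAY:-5}"; fi
    done
    return 1
}

# Run only when invoked as "<script> unlock"; otherwise just define functions.
if [ "${1:-}" = "unlock" ]; then unlock_root; fi
```

The disk then holds no key at rest: a stolen machine that boots elsewhere gets an error from the key server once the token is disabled, and the root volume stays locked.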