RE: encrypting the whole disk / all the data

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Mr. Warfield:

	Hmm, Very interesting! I Intend to pursue that avenue and see if I can
construct such a thing. I will most likely begin using CD-RWs, but I was
interested in where to get business card CDRs anyway, so I do totally
appreciate the information.




Very Respectfully,

Stuart Blake Tener, IT3, USNR-R, N3GWG
Beverly Hills, California
VTU 1904G (Volunteer Training Unit)
stuart@xxxxxxxxxxx
west coast: (310)-358-0202 P.O. Box 16043, Beverly Hills, CA 90209-2043
east coast: (215)-338-6005 P.O. Box 45859, Philadelphia, PA 19149-5859

Telecopier: (419)-715-6073 fax to email gateway via www.efax.com (it's
free!)

JOIN THE US NAVY RESERVE, SERVE YOUR COUNTRY, AND BENEFIT FROM IT ALL.

All commentary made in public email lists, usenet news groups, website
forums, or other such forums, exclusive of email conversations begun outside
of such a forum is (C)(P) Stuart Tener, unless otherwise clearly the work of
another (i.e. quotations of another's email or usenet comments). Such
quotations and any copyrights afforded them are the property of the person
being quoted. Emails and notices published in a public forum are sometimes
presumed to be in the public domain. My comments are copyrighted, I am
choosing to publish them for free, however noticing you that I am desirous
of retaining all other copyright rights as protected under appropriate US
and International copyright law. In the spirit of promoting engineering and
intellectual enrichment, you may quote me absent specific permission as long
as my commentary is quoted in full and its entirety.

Saturday, October 06, 2001 8:05 PM

-----Original Message-----
From: Michael H. Warfield [mailto:mhw@xxxxxxxxxxxx]
Sent: Saturday, October 06, 2001 10:40 AM
To: IT3 Stuart B. Tener, USNR-R
Cc: Hank Leininger; linux-crypto@xxxxxxxxxxxx
Subject: Re: encrypting the whole disk / all the data

On Sat, Oct 06, 2001 at 09:49:32AM -0700, IT3 Stuart B. Tener, USNR-R wrote:
> Mr. Leininger:

>       Now this idea has some merit! How would one make such a CD? For me,
I would
> wish such a CD to have both a patched version of the Kernel as well as
being
> inclusive of loop-aes code. Any ideas what the design specifications for
> such a disc would be?

>       I have never made even an unencrypted bootable CD for Linux, but
would love
> to know how to do so, for purposes of protecting my files and forcing an
> encrypted boot environment.

        There are several such projects including the LNX-BBC (Linux
Bootable
Business Card) project which has several links to several others.  LNX-BBC
is an outgrowth of the LinuxCare Rescue BBC which still exists at LinuxCare.
There is also the Linux-PLAC (Portable Linux Auditing CD).

        http://www.lnx-bbc.org
        http://www.sourceforge.org/projects/cdbased
        http://innominate.org/~pape/rescueCD/
        http://www.knopper.net/knoppix/
        http://open-projects.linuxcare.com/BBC
        http://www.kernel.org/pub/dist/superrescue/
        http://sourceforge.net/projects/plac/

        And that's just a few examples...  All can be readily modified.

        Business Card sized and shaped CD-Rs can be had for about $.50 USD
each in quantities of 100 from a couple of media suppliers.  I bought a
stack of 100 (with sleaves) for $49.00 (plus way too much shipping) a couple
of months ago.  They hold about 50Meg uncompressed.  With the cloop,
compressed loopback file system, most of the BBCs have about 150 Meg of
software on them.

        My preference is to use a combination of one of the above BBCs,
modified for my encryption of choice, and then store the keys on a
smart-card
or Smart-Media card and encrypt the whole damn drive.  Then you have to have
the boot CD plus the Smart-Media card plus any optional password to boot
the system up at all.  SmartCards and Smart-Media cards fit in a wallet
real nice and the BBC's fit in a shirt pocket.

> Very Respectfully,

> Stuart Blake Tener, IT3, USNR-R, N3GWG
> Beverly Hills, California
> VTU 1904G (Volunteer Training Unit)
> stuart@xxxxxxxxxxx
> west coast: (310)-358-0202 P.O. Box 16043, Beverly Hills, CA 90209-2043
> east coast: (215)-338-6005 P.O. Box 45859, Philadelphia, PA 19149-5859
>
> Telecopier: (419)-715-6073 fax to email gateway via www.efax.com (it's
> free!)
>
> JOIN THE US NAVY RESERVE, SERVE YOUR COUNTRY, AND BENEFIT FROM IT ALL.
>
> Saturday, October 06, 2001 9:44 AM
>
> -----Original Message-----
> From: owner-linux-crypto@xxxxxxxxxxxx
> [mailto:owner-linux-crypto@xxxxxxxxxxxx]On Behalf Of Hank Leininger
> Sent: Saturday, October 06, 2001 9:45 AM
> To: linux-crypto@xxxxxxxxxxxx
> Subject: Re: encrypting the whole disk / all the data
>
> On 2001-10-05, Marc Mutz <Marc.Mutz@xxxxxxxxxxxxxxxx> wrote:
>
> > On Friday 05 October 2001 05:07, Antti Koskimäki wrote:
> > > Simple question: How do I guarantee that not a single bit of my
> > > essential data is written non-crypted on my Linux (laptop-)box ?
> [snip]
> > > Then root-filesystem.
>
> > What for? Multiple GB's of almost-known plaintext encrypted under a
> > single key just makes it easier for an attacker. You should only
> > encrypt what's secret. Your /usr surely isn't!
>
> Not speaking for Antti, but I'm concerned not just with "someone could
> steal the hard drive out of my laptop" but also "someone could steal the
> hard drive out of my laptop, trojan some important binaries in any
> non-encrypted partitions I have, then put it back, waiting for me to use
it
> again and leak key material, run privileged tools while the encrypted
> filesystems are mounted, etc, and then steal it again."
>
> To provide at least some protection from that, you need some assurance of
> the integrity of, basically, everything.  Plaintext /boot and encrypted
> everything else still isn't good enough, as the kernel / initrd could be
> swapped out by a malicious party.  So, boot off a write-once CDROM with
> your handwriting on it (and/or which you carry seperate from the
> laptop--the business-card CDs would be good for this) and encrypt
> *everything* on the hard drive.  Wouldn't hurt to also do fscks and md5sum
> checking of system binaries after the hard drive is losetup, too, since
> though they may not be able to do much they can surely scribble over
> things.
>
> --
> Hank Leininger <hlein@xxxxxxxxxxxxxxxxxxxx>
> Then, of course, you're still trusting your BIOS, keyboard, EM
> radiation...

        Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw@xxxxxxxxxxxx
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!


Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/


[Index of Archives]     [Kernel]     [Linux Crypto]     [Gnu Crypto]     [Gnu Classpath]     [Netfilter]     [Bugtraq]
  Powered by Linux