Re: Stupid Question


You know, I was thinking about a similar thing the other day; perhaps
using the reported model number or some other sort of identifying
information from your USB keyboard or mouse. It may not be unique, but
the combination of the USB devices attached to your computer could
potentially make a moderate 'keyfile' replacement, no?

Maybe a hack would be having initramfs run a small program that makes
a hash based on connected devices, and then saving that as a keyfile
in memory that is read by cryptsetup. If you have the wrong devices
connected, the keyfile won't match, and the system won't be unlocked.
What do you think about that? Possible? Or just silly? It could be
used in combination with a password to prevent the drive being put
into a different computer and the password bruted, especially since
the hash would only be generated at boot, and thus wouldn't be present
if an attacker was attempting to mount a filesystem from within
another already-booted OS.

Just pondering.

--
GPG Key ID: 113828CC


On Thu, Jan 22, 2009 at 12:43 AM, Teddy Hogeborn
<teddy+dm-crypt@xxxxxxxxxxxxx> wrote:
> Valerio Paris Mitritsakis <valerio@xxxxxxxxxxxxxx> writes:
>
>> I am looking into the possibility of having an Ubuntu 8.04
>> installation with an encrypted filesystem.  As it is supported out
>> of the box I managed to get it up and running in no time. However
>> what I would really need is the system to boot without prompting for
>> a passphrase. I just want to prevent someone from unplugging the
>> hard disk and mounting it on another machine. So far I have seen
>> that this can be done with a USB Key with a key file however I do
>> not want to use a USB Key.
>>
>> Is there any other way?
>
> There are two ways to do this.  The first way is to store the password
> in a file.  This method, however, has drawbacks, as you point out:
>
>> I know that this would compromise security and probably kind of beat
>> the purpose for what I would use LUKS however I want to prevent Joe
>> Average and not Joe Hacker from reading my disk.
>
> The other method, if you run Ubuntu or Debian, is to use the Mandos
> system, which requests a password from a server on the local ethernet
> network.  It's all encrypted in all sorts of ways; see the FAQ in the
> latest README file for details:
> http://bzr.fukt.bsnet.se/loggerhead/mandos/trunk/annotate/head:/README
>
> The Mandos packages for Debian and Ubuntu are named "mandos-client"
> and "mandos", and are available in Debian unstable right now, and also
> from the project home page, which also has documentation, etc:
>
> http://www.fukt.bsnet.se/mandos
>
> /Teddy Hogeborn, Mandos Developer
>
> --
> The Mandos Project
> http://www.fukt.bsnet.se/mandos
>
> ---------------------------------------------------------------------
> dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
> To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
> For additional commands, e-mail: dm-crypt-help@xxxxxxxx
>
>
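
An added sketch of the keyscript idea proposed in the reply above (not code from the thread, from cryptsetup or from Mandos): it hashes the sorted vendor, product and serial identifiers of the attached USB devices and prints the digest as key material. The function names, the `--emit` argument and the sample tree are assumptions for illustration, as is the presence of `sha256sum` in the initramfs; the identifiers are readable by anyone at the machine, so this only covers the disk-moved-to-another-machine case the thread describes.

```shell
#!/bin/sh
# Added example: derive key material from the set of attached USB devices.
# SYSFS_USB can be overridden to run the logic against a constructed tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Print one "vendor:product:serial" line per device directory under $1.
list_usb_ids() {
    for dev in "$1"/*; do
        # Interface entries (e.g. 1-1:1.0) have no idVendor; skip them.
        [ -r "$dev/idVendor" ] && [ -r "$dev/idProduct" ] || continue
        serial=""
        [ -r "$dev/serial" ] && serial=$(cat "$dev/serial")
        printf '%s:%s:%s\n' "$(cat "$dev/idVendor")" \
            "$(cat "$dev/idProduct")" "$serial"
    done
}

# Hash the sorted ID list so that port position and enumeration order
# do not change the result. Prints 64 hex characters on success.
device_key() {
    ids=$(list_usb_ids "$1" | LC_ALL=C sort)
    # Refuse to emit a key when no device was found.
    [ -n "$ids" ] || return 1
    printf '%s\n' "$ids" | sha256sum | cut -d' ' -f1
}

# Constructed sample tree (not real hardware) for trying the logic offline.
make_sample_tree() {
    root=$1
    mkdir -p "$root/usb1" "$root/1-1" "$root/1-2" "$root/1-1:1.0"
    printf '1d6b\n' > "$root/usb1/idVendor"
    printf '0002\n' > "$root/usb1/idProduct"
    printf '046d\n' > "$root/1-1/idVendor"
    printf 'c31c\n' > "$root/1-1/idProduct"
    printf '045e\n' > "$root/1-2/idVendor"
    printf '0040\n' > "$root/1-2/idProduct"
    printf 'CONSTRUCTED-0001\n' > "$root/1-2/serial"
}

# Keyscript mode: write the key to stdout, where cryptsetup reads it.
if [ "${1:-}" = "--emit" ]; then
    device_key "$SYSFS_USB"
fi
```

The Debian and Ubuntu `crypttab` format accepts a `keyscript=` option whose standard output is used as the key, which is where a script like this would be hooked in.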
