Matt Rosales schrieb: > I am looking into the possibility of having an Ubuntu 8.04 >>> installation with an encrypted filesystem. As it is supported out >>> of the box I managed to get it up and running in no time. However >>> what I would really need is the system to boot without prompting for >>> a passphrase. I just want to prevent someone from unplugging the >>> hard disk and mounting it on another machine. So far I have seen >>> that this can be done with a USB Key with a key file however I do >>> not want to use a USB Key. > > You know, I was thinking about a similar thing the other day; perhaps > using the reported model number or some other sort of identifying > information from your USB keyboard or mouse. It may not be unique, but > the combination of the USB devices attached to your computer could > potentially make a moderate 'keyfile' replacement, no? Problematic if a) you want to replace a device or a device quits service and b) if the thief takes the whole computer together with the hard drive. Probably Joe Average could execute this even easier than removing the harddrive. AFAIK at least Intel CPUs have an unique ID which could be used for your purpose. Also this does not prevent against b) it may be more consistent than your USB device combinations. Keep in mind that you may run into trouble if your CPU becomes defect which should occur seldom. > Maybe a hack would be having initramfs run a small program that makes > a hash based on connected devices, and then saving that as a keyfile > in memory that is read by cryptsetup. If you have the wrong devices > connected, the keyfile won't match, and the system won't be unlocked. > What do you think about that? Possible? Or just silly? It could be > used in combination with a password to prevent the drive being put > into a different computer and the password bruted, especially since > the hash would only be generated at boot, and thus wouldn't be present > if an attacker was attempting to mount a filesystem from within > another already-booted OS. > > Just pondering. > > -- > GPG Key ID: 113828CC > > > On Thu, Jan 22, 2009 at 12:43 AM, Teddy Hogeborn > <teddy+dm-crypt@xxxxxxxxxxxxx> wrote: > Valerio Paris Mitritsakis <valerio@xxxxxxxxxxxxxx> writes: > >>>> I am looking into the possibility of having an Ubuntu 8.04 >>>> installation with an encrypted filesystem. As it is supported out >>>> of the box I managed to get it up and running in no time. However >>>> what I would really need is the system to boot without prompting for >>>> a passphrase. I just want to prevent someone from unplugging the >>>> hard disk and mounting it on another machine. So far I have seen >>>> that this can be done with a USB Key with a key file however I do >>>> not want to use a USB Key. >>>> >>>> Is there any other way? > There are two ways to do this. The first way is to store the password > in a file. This method, however, has drawbacks, as you point out: > >>>> I know that this would compromise security and probably kind of beat >>>> the purpose for what I would use LUKS however I want to prevent Joe >>>> Average and not Joe Hacker from reading my disk. > The other method, if you run Ubuntu or Debian, is to use the Mandos > system, which requests a password from a server on the local ethernet > network. It's all encrypted in all sorts of ways; see the FAQ in the > latest README file for details: > http://bzr.fukt.bsnet.se/loggerhead/mandos/trunk/annotate/head:/README > > The Mandos packages for Debian and Ubuntu are named "mandos-client" > and "mandos", and are available in Debian unstable right now, and also > - From the project home page, which also has documentation, etc: > > http://www.fukt.bsnet.se/mandos > > /Teddy Hogeborn, Mandos Developer > >> --------------------------------------------------------------------- dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/ To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx For additional commands, e-mail: dm-crypt-help@xxxxxxxx >> >> > --------------------------------------------------------------------- > dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/ > To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx > For additional commands, e-mail: dm-crypt-help@xxxxxxxx --------------------------------------------------------------------- dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/ To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx For additional commands, e-mail: dm-crypt-help@xxxxxxxx
