Re: Stupid Question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Those are valid points. The way I was thinking about implementing it
was by having the script create a hash of sorts that is used as a
keyfile. This could be backed up on USB in case of hardware failure,
as you noted, however would serve the purpose if only the hard drive
was stolen.
Of course, you are right about a thief stealing the whole computer,
but that wasn't Valerio's original requisite... This seems like a
niche usage, but this could be a sneaky way to prevent the hard drive
from being removed, especially in conjunction with a normal
passphrase. I especially like the CPU unique ID for this purpose.

On Thu, Jan 22, 2009 at 12:15 PM, Stefan X <stefanxe@xxxxxxx> wrote:
> Matt Rosales schrieb:
>>  I am looking into the possibility of having an Ubuntu 8.04
>>>> installation with an encrypted filesystem.  As it is supported out
>>>> of the box I managed to get it up and running in no time. However
>>>> what I would really need is the system to boot without prompting for
>>>> a passphrase. I just want to prevent someone from unplugging the
>>>> hard disk and mounting it on another machine. So far I have seen
>>>> that this can be done with a USB Key with a key file however I do
>>>> not want to use a USB Key.
>>
>> You know, I was thinking about a similar thing the other day; perhaps
>> using the reported model number or some other sort of identifying
>> information from your USB keyboard or mouse. It may not be unique, but
>> the combination of the USB devices attached to your computer could
>> potentially make a moderate 'keyfile' replacement, no?
>
> Problematic if a) you want to replace a device or a device quits service
> and b) if the thief takes the whole computer together with the hard
> drive. Probably Joe Average could execute this even easier than removing
> the harddrive.
>
> AFAIK at least Intel CPUs have an unique ID which could be used for your
> purpose. Also this does not prevent against b) it may be more consistent
> than your USB device combinations. Keep in mind that you may run into
> trouble if your CPU becomes defect which should occur seldom.
>
>> Maybe a hack would be having initramfs run a small program that makes
>> a hash based on connected devices, and then saving that as a keyfile
>> in memory that is read by cryptsetup. If you have the wrong devices
>> connected, the keyfile won't match, and the system won't be unlocked.
>> What do you think about that? Possible? Or just silly? It could be
>> used in combination with a password to prevent the drive being put
>> into a different computer and the password bruted, especially since
>> the hash would only be generated at boot, and thus wouldn't be present
>> if an attacker was attempting to mount a filesystem from within
>> another already-booted OS.
>>
>> Just pondering.
>>
>> --
>> GPG Key ID: 113828CC
>>
>>
>> On Thu, Jan 22, 2009 at 12:43 AM, Teddy Hogeborn
>> <teddy+dm-crypt@xxxxxxxxxxxxx> wrote:
>> Valerio Paris Mitritsakis <valerio@xxxxxxxxxxxxxx> writes:
>>
>>>>> I am looking into the possibility of having an Ubuntu 8.04
>>>>> installation with an encrypted filesystem.  As it is supported out
>>>>> of the box I managed to get it up and running in no time. However
>>>>> what I would really need is the system to boot without prompting for
>>>>> a passphrase. I just want to prevent someone from unplugging the
>>>>> hard disk and mounting it on another machine. So far I have seen
>>>>> that this can be done with a USB Key with a key file however I do
>>>>> not want to use a USB Key.
>>>>>
>>>>> Is there any other way?
>> There are two ways to do this.  The first way is to store the password
>> in a file.  This method, however, has drawbacks, as you point out:
>>
>>>>> I know that this would compromise security and probably kind of beat
>>>>> the purpose for what I would use LUKS however I want to prevent Joe
>>>>> Average and not Joe Hacker from reading my disk.
>> The other method, if you run Ubuntu or Debian, is to use the Mandos
>> system, which requests a password from a server on the local ethernet
>> network.  It's all encrypted in all sorts of ways; see the FAQ in the
>> latest README file for details:
>> http://bzr.fukt.bsnet.se/loggerhead/mandos/trunk/annotate/head:/README
>>
>> The Mandos packages for Debian and Ubuntu are named "mandos-client"
>> and "mandos", and are available in Debian unstable right now, and also
>> - From the project home page, which also has documentation, etc:
>>
>> http://www.fukt.bsnet.se/mandos
>>
>> /Teddy Hogeborn, Mandos Developer
>>
>>>
> ---------------------------------------------------------------------
> dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
> To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
> For additional commands, e-mail: dm-crypt-help@xxxxxxxx
>>>
>>>
>
>> ---------------------------------------------------------------------
>> dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
>> To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
>> For additional commands, e-mail: dm-crypt-help@xxxxxxxx
>
>
> ---------------------------------------------------------------------
> dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
> To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
> For additional commands, e-mail: dm-crypt-help@xxxxxxxx
>
>



-- 
matt@xxxxxxxxxxxxxxx
GPG Key ID: 113828CC

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx


[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux