Re: Stupid Question

Dear Arno,

this is supposed to be a headless Linux box, so the option to have someone type a password/passphrase is not an option. Also, I want to encrypt the filesystem so that data is not copied from the box. Consider it as a device/appliance that will be leased to customers. I do not worry about it being stolen, I just want to prevent the casual Linux user from opening the box and copying the contents to another computer. If someone steals the box he would need to log in to it anyway, so if he manages to bypass authentication etc. etc. he can keep the loot :p

Thank you for your help,

Valerio

Mitritsakis Valerio Paris
IT Consultant
Electronic Engineer
MSc Network Systems
MCP ID: 5745185
-----------------------------------------------------------------------------------------------------------------
        IT Consultancy Services Computer & Network Tech Support
                       http://www.mitritsakis.gr
-----------------------------------------------------------------------------------------------------------------





On Jan 22, 2009, at 4:40 PM, Arno Wagner wrote:

On Wed, Jan 21, 2009 at 11:47:41PM +0200, Valerio Paris Mitritsakis wrote:
Dear all,

I am looking into the possibility of having an Ubuntu 8.04 installation
with an encrypted filesystem. As it is supported out of the box I managed
to get it up and running in no time. However what I would really need is
the system to boot without prompting for a passphrase. I just want to
prevent someone from unplugging the hard disk and mounting it on another
machine. So far I have seen that this can be done with a USB Key with a
key file however I do not want to use a USB Key.

Is there any other way?

Not really.

I know that this would compromise security and probably kind of beat the
purpose for what I would use LUKS however I want to prevent Joe Average
and not Joe Hacker from reading my disk.

One problem you have is that somebody that can steal your HDD can also
steal the complete box. So the things you can do are a token (e.g. USB
key), which you do not want, and a local network environment.

The latter choice can be done in numerous fashions. For example
you can use a Linux fileserver that has the encrypted partition
and only exports it locally. You could pull the passphrase from
a server via an ssh-login (requires ssh and ssh-keys in the
ramdisk image). You could use a hash of some network NICs as
passphrase by doing ARP requests. All of these solutions have
the problem that their security level is pretty bad.

Maybe you can do a compromise: Replace the login binary and
use the password as passphrase for the encryption as well.
Then mount the encrypted partition only on login. Somebody
might already have implemented this.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
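
The "hash of some network NICs" idea from Arno's reply, sketched as an added example; it is not code from the thread or from the dm-crypt/cryptsetup project. The host addresses, the neighbour-table sample, the device path and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Derive a LUKS key from the MAC addresses of fixed hosts on the local LAN.
# Input is `ip neigh show` style text; everything below is illustrative.

# Constructed sample of a neighbour table (documentation addresses, made-up MACs).
SAMPLE_NEIGH='192.0.2.1 dev eth0 lladdr 00:16:3E:aa:bb:01 REACHABLE
192.0.2.10 dev eth0 lladdr 00:16:3e:aa:bb:10 STALE
192.0.2.20 dev eth0  FAILED'

# Print the lower-cased MAC of every expected IP, one per line.
# $1 = space-separated expected IPs, stdin = neighbour table.
# Returns non-zero if any host has no resolved MAC (absent or FAILED entry).
macs_for_hosts() {
    table=$(cat)
    for ip in $1; do
        mac=$(printf '%s\n' "$table" | awk -v ip="$ip" '
            $1 == ip { for (i = 2; i < NF; i++)
                           if ($i == "lladdr") print tolower($(i + 1)) }' | head -n 1)
        [ -n "$mac" ] || { echo "no ARP entry for $ip" >&2; return 1; }
        printf '%s\n' "$mac"
    done
}

# Print a 64-character hex key, or fail without output if a host is missing,
# so a key built from a partial host list is never handed to cryptsetup.
# Sorting makes the key independent of the order the hosts are listed in.
lan_key() {
    macs=$(macs_for_hosts "$1") || return 1
    printf '%s\n' "$macs" | sort -u | sha256sum | cut -d' ' -f1
}

# Intended use in the initramfs, after contacting each host once so the
# kernel has ARP entries (HOSTS and /dev/sdXN are placeholders):
#   ip neigh show | lan_key "$HOSTS" | tr -d '\n' \
#       | cryptsetup luksOpen --key-file=- /dev/sdXN cryptdata
```

Every input to this key is visible to any machine on the same network segment, and replacing one of the listed NICs changes the key, so the volume then needs a second enrolled key to be opened. Both points fit Arno's remark that the security level of these schemes is pretty bad.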
