On Thu, Jan 22, 2009 at 05:37:34PM +0200, Valerio Paris Mitritsakis wrote:
> Dear Arno,
>
> this is supposed to be a headless Linux box, so the option to have
> someone typing a password/passphrase is not an option.
> Also I want to encrypt the filesystem so that data is not copied from
> the box. Consider it as a device/appliance that will be leased
> to customers. I do not worry about it being stolen, I just want to
> prevent the casual Linux user from opening the box and copying
> the contents to another computer. If someone steals the box he would
> need to login to it anyway, so if he manages to bypass
> authentication etc. etc. he can keep the loot :p

Aha. So the approach to tie the disk to the hardware would actually
work. Hmm.

For a short passphrase you could have the set-up script use the MAC
of the NIC, e.g. like this:

  ifconfig | grep eth0 | cryptsetup --key-file -

to generate the passphrase. Keep a backup of the input data for
manual access. If you want more data to go into the passphrase,
chain them, e.g. like this:

  (ifconfig | grep eth0; cat /proc/cpuinfo | grep -v bogomips | grep -v MHz)

and take care to filter out stuff that is measured at boot time and
may change (here speed and bogomips). You can also query BIOS and CPU
via the tool dmidecode.

How to do this? One approach is to manipulate the initial ramdisk and
do the encryption there. Far easier would be to have the system
partition (or part of it) unencrypted and then use one of the
boot-scripts in /etc/init.d to set up an encrypted partition in
addition with your own script. These scripts are called in numeric
order via symlinks from /etc/rc2.d. You can do your own set-up
basically before most things happen. Everything critical would go
into your own partition, so that a thief could still steal most of
the distribution, but nothing of your special stuff. User accounts
can go completely into the encrypted partition.

It may be possible to shift most things besides /etc, /sbin, /bin,
/lib and maybe /var and /usr/sbin into the encrypted partition as
well. If you need specific executables on the non-encrypted
partition, you can copy them over. Dynamic library dependencies are
displayed with

  ldd <executable>

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of "news"
is "something that hardly ever happens." -- Bruce Schneier
---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
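The following script is an added illustration of the approach Arno sketches above; it is not code from the thread. It gathers hardware identifiers (NIC MAC, stable /proc/cpuinfo fields, the DMI serial), drops the fields that are measured at boot and can change (bogomips, MHz), and hashes the rest into a fixed-length key that can be fed to cryptsetup via `--key-file -`. The device path `/dev/sdb1`, the mapping name `secure`, and the reliance on `sha256sum` and `dmidecode` being present are assumptions. Note the property this gives you matches the stated threat model and nothing more: the key has only as much secrecy as the identifiers, which anyone holding the box can read, so it deters casual copying rather than a determined attacker. Keep a backup of the raw identifier text, as Arno advises, so the volume can still be opened if the NIC or board is replaced.

```shell
#!/bin/sh
# Added example (not from the original message): derive a deterministic
# passphrase from hardware identifiers, skipping boot-variable fields.

# Drop fields that vary between boots (bogomips, "cpu MHz"), keeping
# the stable ones (vendor, model name, family, stepping, MAC, serial).
filter_volatile() {
    grep -v -i -E 'bogomips|mhz'
}

# stdin: raw identifier text; stdout: 64 hex characters.
# Same stable identifiers -> same key, regardless of volatile lines.
derive_key() {
    filter_volatile | sha256sum | cut -d' ' -f1
}

# Gather identifiers on a real box (eth0, dmidecode are assumptions).
collect_hw() {
    {
        cat /sys/class/net/eth0/address 2>/dev/null
        grep -E '^(vendor_id|model name|cpu family|model|stepping|cpu MHz)' \
            /proc/cpuinfo 2>/dev/null | sort -u
        dmidecode -s system-serial-number 2>/dev/null
    }
}

# Open the LUKS volume with the derived key on stdin. printf '%s' avoids
# a trailing newline so the key bytes match what derive_key produced.
# Assumed device and mapping name; run from an /etc/init.d script.
open_volume() {
    dev="${1:-/dev/sdb1}"
    name="${2:-secure}"
    printf '%s' "$(collect_hw | derive_key)" \
        | cryptsetup luksOpen --key-file - "$dev" "$name"
}

# Constructed sample identifier dumps (not real hardware) for testing.
SAMPLE_A='00:11:22:33:44:55
model name : Example CPU 1234
cpu MHz : 2400.000
bogomips : 4800.00'

# Same machine after a reboot: only the boot-measured values differ.
SAMPLE_B='00:11:22:33:44:55
model name : Example CPU 1234
cpu MHz : 2399.872
bogomips : 4799.65'

# A different box (different MAC) with otherwise identical CPU.
SAMPLE_C='00:11:22:33:44:66
model name : Example CPU 1234
cpu MHz : 2400.000
bogomips : 4800.00'

# Helper used for a self-check: returns 0 if the two samples derive the
# same key, 1 otherwise.
same_key() {
    a=$(printf '%s\n' "$1" | derive_key)
    b=$(printf '%s\n' "$2" | derive_key)
    [ "$a" = "$b" ]
}
```

Drop the script into /etc/init.d, symlink it from /etc/rc2.d with a low sequence number so it runs before the services that need the data, and mount the opened mapping from the same script. Running `open_volume` requires root and a LUKS-formatted device; the sample dumps let you check the derivation itself on any machine.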