On Mon, 16 Aug 2004 23:31, Josiah Royse <jroyse@xxxxxxxxx> wrote:
> On Mon, 16 Aug 2004 01:03:17 +1000, Russell Coker <russell@xxxxxxxxxxxx> wrote:
> > The aim of this work is to have a system that boots from removable media
> > and uses encryption for all block devices so that if it is stolen no data
> > will be lost and so someone who gets temporary access to the hardware
> > will have a much more difficult time of trying to crack it.
>
> If the goal is for an encrypted filesystem- why not just have a script
> interface early on in the boot process to prompt for a password for
> the encrypted file system - in order to mount the encrypted ones?  Or

I am thinking of making it an option to take a file of random data, a
user-entered password, or an XOR of both of them.

> maybe a boot option grub could pass to the kernel to unencrypt the
> partitions to mount?  This is a concept- I know that a boot option
> would be plaintext after the system booted, and you would not want to
> save it in your grub config plaintext either.

I don't think that we will get such things in the kernel.  It has to be an
initrd issue.

> In your design would you rely on physical security (not to lose the USB
> key), the H.D. being encrypted, and UNIX security of the password- or
> is there a pin/password similar to smart card and pin involved during
> boot(multi factor authentication)?

A smart card can be lost just as easily as a USB key.  The advantage of a
smart card is that someone can't steal the contents without stealing the card
(copying a USB key is easy if someone can get access for 20 seconds).

Once I get this basically working I'll probably investigate using a
smart-card.  I have had a GPG smart card for almost a year; as soon as I
obtain a card reader I'll get it going.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
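
The three keying options mentioned in the message above (a file of random data, a user-entered password, or an XOR of both), sketched as an added example that is not part of the original message or of any code by its author. The 32-byte key length, the PBKDF2 stretch of the password, the function names and the sample inputs are all assumptions made for illustration.

```python
import hashlib

KEY_LEN = 32             # assumed volume key size in bytes
PBKDF2_ROUNDS = 100_000  # assumed work factor for stretching the password


def stretch_password(password: str, salt: bytes) -> bytes:
    """Turn a user-entered password into KEY_LEN bytes (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ROUNDS, dklen=KEY_LEN)


def key_from_file(data: bytes) -> bytes:
    """Use the first KEY_LEN bytes of the random-data file; refuse short files."""
    if len(data) < KEY_LEN:
        raise ValueError("key file holds fewer than %d bytes" % KEY_LEN)
    return data[:KEY_LEN]


def derive_volume_key(keyfile=None, password=None, salt=b""):
    """Return the key for one of the three options: file, password, or XOR of both."""
    if keyfile is None and password is None:
        raise ValueError("need a key file, a password, or both")
    if password is None:
        return key_from_file(keyfile)            # removable media only
    if keyfile is None:
        return stretch_password(password, salt)  # password only
    file_key = key_from_file(keyfile)
    pass_key = stretch_password(password, salt)
    # XOR mode: neither the copied file nor the password alone yields the key.
    return bytes(a ^ b for a, b in zip(file_key, pass_key))


# Constructed sample inputs (not real key material).
SAMPLE_KEYFILE = bytes(range(64))
SAMPLE_SALT = b"constructed-salt"

if __name__ == "__main__":
    both = derive_volume_key(SAMPLE_KEYFILE, "correct horse", SAMPLE_SALT)
    copied_only = derive_volume_key(SAMPLE_KEYFILE)
    wrong_pw = derive_volume_key(SAMPLE_KEYFILE, "guess", SAMPLE_SALT)
    print("key from both factors     :", both.hex())
    print("copied file alone matches :", both == copied_only)
    print("copied file + wrong pw    :", both == wrong_pw)
```

In XOR mode a copied key file still leaves the password to be guessed, so the strength of the second factor rests on the password and the stretch applied to it.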