encrypted root fs

Russell Coker russell at coker.com.au
Mon Aug 16 13:40:55 UTC 2004


On Mon, 16 Aug 2004 23:31, Josiah Royse <jroyse at gmail.com> wrote:
> On Mon, 16 Aug 2004 01:03:17 +1000, Russell Coker <russell at coker.com.au> wrote:
> > The aim of this work is to have a system that boots from removable media
> > and uses encryption for all block devices so that if it is stolen no data
> > will be lost and so someone who gets temporary access to the hardware
> > will have a much more difficult time of trying to crack it.
>
> If the goal is for an encrypted filesystem- why not just have a script
> interface early on in the boot process to prompt for a password for
> the encrypted file system - in order to mount the encrypted ones?  Or

I am thinking of making it an option to take a file of random data, a 
user-entered password, or an XOR of both of them.

> maybe a boot option grub could pass to the kernel to unencrypt the
> partitions to mount?  This is a concept- I know that a boot option
> would be plaintext after the system booted, and you would not want to
> save it in your grub config plaintext either.

I don't think that we will get such things in the kernel.  It has to be an 
initrd issue.

> In your design would you rely on physical security (not to lose the USB
> key), the H.D. being encrypted, and UNIX security of the password- or
> is there a pin/password similar to smart card and pin involved during
> boot(multi factor authentication)?

A smart card can be lost just as easily as a USB key.  The advantage of a 
smart card is that someone can't steal the contents without stealing the card 
(copying a USB key is easy if someone can get access for 20 seconds).

Once I get this basically working I'll probably investigate using a 
smart-card.  I have had a GPG smart card for almost a year; as soon as I 
obtain a card reader I'll get it going.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
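
Added example, not part of the original message and not the author's code: a Python sketch of the three key-source options mentioned in the reply above (a file of random data, a user-entered password, or an XOR of both). The PBKDF2 stretching of the password, the 32-byte key length, the salt, and all function names are assumptions made for this example.

```python
import hashlib

KEY_LEN = 32  # bytes; assumed volume-key size for this sketch


def stretch_passphrase(passphrase, salt, iterations=100_000):
    """Turn a typed passphrase into KEY_LEN bytes (PBKDF2 is an assumption)."""
    if not passphrase:
        raise ValueError("empty passphrase")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def keyfile_material(keyfile):
    """Use the first KEY_LEN bytes of the random file; refuse short files."""
    if keyfile is None or len(keyfile) < KEY_LEN:
        raise ValueError("key file missing or shorter than %d bytes" % KEY_LEN)
    return keyfile[:KEY_LEN]


def volume_key(mode, keyfile=None, passphrase=None, salt=b""):
    """mode is 'file', 'password' or 'xor' (the three options in the mail)."""
    if mode == "file":
        return keyfile_material(keyfile)
    if mode == "password":
        return stretch_passphrase(passphrase, salt)
    if mode == "xor":
        # Both inputs are needed: the key file alone or the passphrase
        # alone yields a different byte string than the real key.
        a = keyfile_material(keyfile)
        b = stretch_passphrase(passphrase, salt)
        return bytes(x ^ y for x, y in zip(a, b))
    raise ValueError("unknown mode: %r" % mode)


# Constructed sample inputs (not real keys).
SAMPLE_KEYFILE = bytes(range(64))
SAMPLE_SALT = b"constructed-salt"

if __name__ == "__main__":
    good = volume_key("xor", SAMPLE_KEYFILE, "correct horse", SAMPLE_SALT)
    copied_only = volume_key("file", SAMPLE_KEYFILE)
    print("xor key:        ", good.hex())
    print("key file alone: ", copied_only.hex())
    print("copied key file is enough:", good == copied_only)
```

In the XOR mode, a copy of the key file does not by itself give the volume key; the passphrase is still required.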




