encrypted root fs

Russell Coker russell at coker.com.au
Mon Aug 16 03:33:04 UTC 2004


On Mon, 16 Aug 2004 12:54, "W. Michael Petullo" <mike at flyn.org> wrote:
> I have a patch here locally (not yet in bugzilla) that works with mkinitrd
> 4.0.5 and the new initramfs code.  I am working towards allowing folks
> to unlock their root disk using a USB-device-hosted key, passphrase or
> hexified key.

I don't think that a USB hosted key is worth doing.  If you have only the key 
on the USB device then someone who gains temporary access to your machine can 
replace the kernel and/or initrd to compromise the machine later.  If you are 
using USB then I think it's best to boot from USB and read no unencrypted 
data from the disk apart from the partition table.

It seems that all new hardware supports booting from USB and it seems 
impossible to purchase a USB device smaller than 32M.  So there's no reason 
not to just boot from USB (IMHO).

> In order for this all to be taken seriously I think anaconda needs to be
> modified to create an encrypted root at install time.  The anaconda folks
> have balked at additions in the past because the partition interface is
> already quite complicated.  So a clever and simple interface would
> be necessary.

We can't expect anyone to do anything for anaconda until after mkinitrd etc 
have already got support.  The anaconda work may be the hardest part of this 
and we can't expect them to do the hard work before we do the easy work!

Converting an installation that has an unencrypted root fs to have an 
encrypted root fs is not particularly difficult once the mkinitrd issues are 
solved.  You just have to boot in single-user mode, create a new LV, run 
cryptsetup, and then use dd to copy the data across.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page




