Encrypt

Michael Hart mixstat at bigpond.net.au
Wed Sep 22 01:01:09 UTC 2004


Alexander Dalloz wrote:
> On Mon, 20.09.2004 at 0:39, Dalibor Malek wrote:
> 
> 
>>Is it possible to somehow encrypt the whole hard disk in a manner that
>>the whole system, copying(from my scripts) and so on have full access,
>>but if someone wants to connect to the machine this is not granted
>>except he knows the right password (I know this is already done with
>>ssh1), but also if someone opens a terminal he must give in the
>>password to access all files.
> 
> 
> I do not understand this part of your posting. Besides ssh1 is obsolete
> and you should always use ssh protocol 2, Linux always requires
> authentication for a login process. Someone who is able to open up a
> terminal has already authenticated. Or what case do you mean?
> 
> 
>>The same should be if someone wants to copy the hard disk, only if he
>>knows the password he can succeed else the only thing he gets is garbage.
>>Is there something like that?
> 
> 
> The kernel 2.6 meanwhile has encryption modules by default, so does the
> Fedora Core 2 kernel. Recently on the developer list was a discussion
> about how to use this with device-mapper to have a totally encrypted
> system.

I have a couple of partitions encrypted with device mapper and the 2.6 
kernel encrypting file system. I may be wrong but I do not think it can 
encrypt an entire hard disk but only the individual partitions in the 
hard disk.  The partition information is still not encrypted.  It 
appears to me (as a mere user) to be simply an encryption layer 
underneath a normal file system.

As such I do not think it encrypts the swap partition (which is a 
potential security flaw) and I don't know how to get it to encrypt the 
boot partition (as the boot image needs to be readable to load then it 
needs to be able to decrypt the other file systems).

In my situation I am not overly concerned about these deficiencies.  In 
fact I do not want to encrypt the OS in case I need to boot from the 
repair disk and fix the OS.  However, if there are any pointers how to 
overcome the deficiencies I would be interested in reading them.

As far as I can tell you need to be superuser to run dm-crypt and mount 
the resulting filesystems.  This means once this is done the data on 
those filesystems is available for all users with sufficient 
permissions.  This is not what the OP wanted as far as I can interpret. 
They want it to only be available for one user and hidden from all 
other users.

>>Dalibor Malek
> 
> 
> Alexander
> 
> 
> 




