Re: Encrypt /etc directory
kgb:
If I understand you correctly:
1) you need to store the password on some media readable by the computer
because the machine may need to reboot without user intervention -- you
want it to start up without typing a password.
2) you are concerned about people with physical access to the computer.
This is a reasonable collection of concerns for a co-located server (for
example). But it is particularly difficult to solve.
Generally, a way to solve the "no user intervention" issue is to write
the password on some media, called an access token. You could use a CD,
USB drive, or a smart card.
The problem is that you will need to keep the token inserted into the
computer, defeating any security advantage, I think.
The only way I can think of is for you to use an init RAM disk to
acquire the token (password) from another computer, via a network
connection. Then if the computer is ever stolen, you can disable this
token (remotely, if need be).
This remote-token approach is at least as difficult as encrypted-root,
which I think you will need anyway.
Consider using an NFS-boot ramdisk to get started.
best of luck,
-- boyd
kgb wrote:
> I understand, but does that mean, let's say, that when someone steals my
> computer he can view all my data and config files? Hm, how can I prevent
> this? And if I can't, is there a way to encrypt only some config files,
> with symlinks to /etc on an encrypted loop device? But in this way I must
> write my crypto password somewhere, because I'm not able to type the
> password every time the server boots and asks for the password to mount
> the encrypted loop device, and if I write it somewhere on the hard drive
> this is insecure. And for users, I don't have users :) The big problem is
> when someone steals the server: what happens, can I prevent this person
> from mounting and viewing my hard drive?
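The remote-token boot boyd describes, as an added example that is not code from the thread: a POSIX sh fragment for the init ramdisk that fetches the volume key from a key server the administrator controls (deleting the machine's key there revokes it, so a stolen box stops at this step), keeps the key only on tmpfs, and refuses to mount when no key comes back. The key server URL, the device path and the use of cryptsetup instead of the loop-AES/cryptoloop tools of the period are assumptions.

```shell
#!/bin/sh
# Init-ramdisk fragment: fetch the volume key from a remote key server,
# unlock the encrypted volume, and discard the key.  Revoking the machine
# means deleting its key on the server: the next boot then stops here.
# Assumptions (not from the thread): KEY_URL, DEVICE and cryptsetup.

KEY_URL="${KEY_URL:-https://keyserver.example.internal/keys/$(uname -n)}"  # placeholder
DEVICE="${DEVICE:-/dev/sda2}"          # placeholder: the encrypted partition
KEY_FILE="${KEY_FILE:-/run/cryptkey}"  # /run is tmpfs: the key never touches the disk
RETRIES="${RETRIES:-5}"
RETRY_DELAY="${RETRY_DELAY:-2}"

# Download URL ($1) to file ($2); split out so it can be swapped for testing.
download() {
    wget -q -T 5 -O "$2" "$1"
}

# Try a few times (the network may still be coming up in the initrd); succeed
# only with a non-empty key file, and leave nothing behind on failure.
fetch_key() {
    url=$1; dest=$2; n=0
    while [ "$n" -lt "$RETRIES" ]; do
        if download "$url" "$dest" 2>/dev/null && [ -s "$dest" ]; then
            chmod 0400 "$dest"
            return 0
        fi
        rm -f "$dest"
        n=$((n + 1))
        sleep "$RETRY_DELAY"
    done
    return 1
}

# Unlock with the fetched key; remove the key file whether or not that worked.
unlock_volume() {
    if ! fetch_key "$KEY_URL" "$KEY_FILE"; then
        echo "no key from $KEY_URL (server down or machine revoked); not mounting" >&2
        return 1
    fi
    cryptsetup open --key-file "$KEY_FILE" "$DEVICE" etc_crypt
    rc=$?
    rm -f "$KEY_FILE"
    return "$rc"
}

# Only act when explicitly invoked as "sh thisfile run" (e.g. from the initrd's init).
case "${1:-}" in
    run) unlock_volume ;;
esac
```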
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/