Is it somehow possible to boot a Linux operating system from an encrypted filesystem/disk without having uesr interaction? Background: I am preparing a VmWare Image for shipment to a customer. This image contains sensible data. The only access granted shall be via an apache server running from inside in the image.
View 1 Replieshow can I set the keyboard layout used by Debian to enter the password of my encrypted filesystem?
After my recent "aptitude upgrade", I have not been able to mount my encrypted filesystem anymore. I have discovered that the keyboard layout used to enter the password has changed. Problem is that with such layout I can't enter some of the characters composing the password. The encrypted filesystem looks intact, since I have been able to mount it and backup my files by means of a live CD. That means that I can edit any system file, if needed.
Every technique I have found to change layout cannot be employed in this case, since they rely on the system being up and running. I've tried editing /etc/default/keyboard, but that does not work.
I'm looking for a way to store an encrypted filesystem on rsync.net which can be mounted and used by multiple clients concurrently - I've considered and experimented with many different ideas, including code...
but all of them are leading me to what looks like a fundamental theoretical problem: a filesystem with concurrent access needs someone to manage it, and who's going to manage it if I can't trust the server? Or refuse on principle to trust the server? There would need to be some trusted entity communicating with every client and making decisions to keep the filesystem and/or block device consistent, right?
Is my understanding correct, or is there any way of achieving what I'm trying to do?
Is it possible to get user interaction in these scripts? They are for batch processing is my belief so perhaps not, but I would like to make a function whereby I can click it, a selection box of an exact size appears, I then place the selection box and press something, a new file is born. Is this possible?
View 1 Replies View RelatedI have an encrypted filesystem that I've decided I don't want encrypted anymore. Seems the easiest way to do this is simply reformat the filesystem, but I can't. If I try to do it in YaST2 I get either system error code -3005 (unknown) or -3008 (apparently in use). When I try to do it from the command line I get:
Code:
frylock:/home/joel # umount /dev/sdb5
umount: /dev/sdb5: not mounted
frylock:/home/joel # mkfs -t ext4 /dev/sdb5
mke2fs 1.41.9 (22-Aug-2009)
/dev/sdb5 is apparently in use by the system; will not make a filesystem here!
frylock:/home/joel #
It's unmounted, I don't know how to make it any less in use than that.I can't delete the partition because it's not the last logical partition in the extended partition.
Is this irrelevant if you are using the kde install disc? I want to use a encrypted filesystem. I would think since I am using kde that I would have a graphical interface.
View 10 Replies View RelatedI have a external HDD with eSATA and USB connectors available. I want to use this HDD to store my backups. The HDD should be encrypted (my main system is as well).
So here is what I did so far:
1) I used the following code to create the encrypted LUKS partition with EXT3 Filesystem:
Code:
cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 luks
mkfs.ext3 /dev/mapper/luks
The system always hang when I executed the "mkfs.ext3..." command, so I switched the HDD from eSATA to USB and then it worked fine.
2) When I switched on the ext. HDD the first time, the drive was recognized automatically and Nautilus asked for the password. I typed it in as checked the checkbox to remember the password in the future. For the backup I use a nice script that I found in another forum, where I can define a mountpoint and then the script will check for previous backups and only make a incremental backup based of the latest version. The script also mounts the drive automatically. In order to always have the same mountpoint, I want to make an entry in the /etc/fstab using the UUID of the ext. HDD.
Whatever I tried, it doesn't work. What am I doing wrong? Here is my current /etc/fstab
Code:
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# / was on /dev/mapper/ubuntu-root during installation
UUID=2ea47421-73ce-4c66-9606-8a1db81ae640 / ext3 relatime,errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=dbdeb793-1d4e-43ea-8986-7b37fdbc9674 /boot ext3 relatime 0 2
# /home was on /dev/mapper/ubuntu-home during installation
UUID=42702091-83e6-43eb-aad1-108f43eedf9d /home ext3 relatime 0 2
# swap was on /dev/mapper/ubuntu-swap during installation
UUID=e225bcf9-908b-4226-a963-6b02ee658df1 none swap sw 0 0
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0
# Eintrag wegen iPhone
none /proc/bus/usb usbfs devgid=125,devmode=666,nodev,nosuid,noexec 0 0
# external HDD
UUID=913977f7-8fa6-416f-af79-b5f913b68f53 /media/backup-hdd ext3 noauto,users 0 0
I made the "none /proc/bus/usb..." entry because it was recommended to ensure correct behaviour of the iPhone. Not sure if I need it though.
I created the mountpoint with this command:
Code:
sudo mkdir /media/backup-hdd
Now it seems the mountpoints owner is not root - strange right?
Code:
2 4 drwxr-xr-x 3 michael michael 4096 2010-01-15 02:45 backup-hdd
How should I mount this drive correctly? It will be automounted as every USB device, but that should not be the case. I want the script to mount and unmount the drive.
Recently I was forced to hard reset my computer a couple of times (mostly out of frustration) and due to my idiocy i was confronted with the standard Kernel Panic message at bootup. I tried running an fsck from live cd which corrected a bunch of errors but to no avail (as far as getting rid of the Kernel Panic msg). I then tried to mount the filesystem by accessing it from live cd (and later even installed ubuntu on a small leftover partition to get rid of the annoying live cd lag) but it says that I don't have access to my home or root folder. Mounting from command line gave the same issue.
So now to the question. Is there a general procedure to access data in my corrupt filesystem if it is encrypted?
I am trying to create an encrypted file and later mount it as a filesystem.
KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
echo $KEY | openssl aes-256-cbc > container.key
dd if=/dev/urandom of=~/container.img bs=1G count=10
losetup /dev/loop0 ~/container.img
[code]....
The luksOpen command asks me for my passphrase, but always rejects it. I have retried this several times and written down the passphrase - and even tried with a very simple one just to check. And I never can make it work.
I have two ext3 partitions within an encrypted lvm2 volume. when i start up my system it says that there are 0.3% non contiguous blocks.
This is my steup:
When i want to repair with repair system from dvd it tells me that the repair and check operation for encrypted LVM devices is not supported. so how can i fix my filesystem?
I've created encryption systems on servers, but nearly always I have stored the password somewhere on the machine itself. The file is always 0600 to the relevant user, but a systematic analysis of my system could easily find the scripts that invoke decryption and discover the password. (The most blatant example of this is mounting SMB shares with the "-o credential_file" option where both the username and password are plain-text. In the cases where I've used this, the security of the share hasn't particularly mattered.)
Soon I might be faced with storing "patient health information" (PHI in the healthcare world) whose privacy is heavily regulated by the provisions of the US law called HIPAA. I've been thinking about creating an encrypted partition to hold the PHI, but I need a highly fault-tolerant method for obtaining the key from a different machine than tha server itself. At first, I thought about running a script using scp and shared keys to copy the key from the remote, use it to decrypt the partition, then erase it. I'd like to be able to do this with a pipe; otherwise I'll write the key in a non-persistent location like /dev/shm.
I need more than one machine to make this work to ensure I can obtain the key when needed (like at boot). One solution is to place copies of the key on multiple servers and try each of them until I find it. A more elegant solution would place the key in a DNS TXT record. I suspect I could use LDAP for this as well, but OpenLDAP and I have never really been on speaking terms. So does this make sense? I presume I can write a bash script to do all this at boot. Most of what will be stored in this partition is the PostgreSQL database in /var/lib/pgsql and perhaps some other files.
My understanding of encrypted file systems is that they are only encrypted when unmounted. When mounted they must be as visible to the operating system as an unencrypted partition. I suppose you could apply encryption to every single disk transaction, but that would require knowing the key all the time, and would seem to add a lot of overhead.
When I try to mount a linux file system that was encrypted using cryptsetup I get the following error:
debian:/# mount /dev/sdb3
Command sukey slot 0
mount: u moet een bestandssysteemsoort aangeven
mount failed with run_sync status 32
Command failed: Device busy
mount.crypto_LUKS(crypto-dmc.c:168): Could not unload dm-crypt device "/dev/mapper/_dev_sdb3", cryptsetup returned HXproc status 240
"mount: u moet een bestandssysteemsoort aangeven" is dutch for
"you must specify filesystem type"
I have implemented a web application on Linux that I want to deploy and sell to customers. I want to sell ready systems including the hardware. The application is written in PHP/MySQL. What I am searching to achieve is :
1) Find a way so that filesystem and partitions to be encrypted but without the need to insert some code when rebooting. So that if someone gets out the hard disks and attach to another system, cannot have any access to my files or settings. And of course when rebooting (e.g. after a power failure) encryption to be applied automatically.
2) I know that there are ways to bypass root password on a Linux system. Can all these ways be unassigned ? I want the only way to have access to system, to be by using the root password and nothing else.
I have thought of using a virtual server instead of a physical one (like deploying a virtualbox server) but still would like this to be the most secure possible including not only remote but also local access to system.
I am trying to run a cron job as an oracle user. I put the user in the cron.allow file but it still won't run. Other users are able to run a cron job though. I think it's the way the oracle user was created and I wanted to recreate it. However it owns a lot of other file systems as well as the database. Is there a way to recreate or reset the oracle account without impacting what is currently in place?
View 1 Replies View RelatedI'm using SQL Anywhere 10.0.1.3415, on Debian 5. For starting the DBMS, I use this commands:
Code:
# source /opt/sqlanywhere10/bin32/sa_config.sh
# dbsrv10 /home/demo.db
[code]....
I was wondering if there is a version of isolinux or a simular boot loader for Linux, that boots the kernel from an encrypted boot partition? If not, are there any roadblocks that would prevent adding encryption to isolinux?
View 2 Replies View RelatedI was running a somewhat standard install of Ubuntu 9.10, when my drive got pushed into read-only mode, so I switched to tty1, ran /etc/init.d/gdm stop, and then ran fsck -y /. It took an hour or too, but eventually finished. However, now that partition is unbootable, and upon attempting to boot into Ubuntu, it complains about libsepol.so.1 as missing and starts a recovery shell. In this recovery shell, only certain tools work. ls complains about libacl.so.1, and the filesystem is still read-only. When I try mount -rw /dev/sda1, it complains about libsepol.so.1 again. I can however still run fsck. I tried running it with fsck -p -f /, and it completes, much quicker, but the system remains unbootable. I could probably boot into the Ubuntu live-cd to get read-write access, but I wouldn't know what to do. I read an interesting suggestion here, but I don't know how I would go about reinstalling the base Ubuntu packages without write access to the hd, or through the live cd.
View 1 Replies View Relatedyou can refer to this ubuntu thread for context, but i'll sum up what i'm trying to do here to spare the reading. basically i want to be able to schedule a filesystem check with automatic repairs at the next boot time. but i'm not sure if this will try to automatically fix errors which is what i want to do. the reason i want to do this is because i experienced a power outage (the machine was not plugged into an UPS) and i want to make sure everything is ok.
View 2 Replies View RelatedJust did a new netbook install of Lucid. Went through the setup, putting in my usual username etc. But I thought as it's a portable, I'd better select the encrypted home folder option. All went OK.
I have a home network with a NAS and I needed to change the UID to 1004 to match the rest of the network.
That's when it all when wrong. If I do that, I end up with no permissions on the user folder. A bit of a paradox, you can't change UID if logged in, but unless you're logged in, can't access the files.
My attempts to get around it by changing UID's back chowning, changing back etc. have screwed things up completely.
I have managed to open the encrypted folder and chown, but after a reboot it's all back to the original UIDs, but now I can't get in at all.
I am trying to mount a file image, like this
mount -o loop /tmp/apps.img /media/apps
But I get the following:
mount: you must specify the filesystem type
I try ext3:
mount -o loop /tmp/apps.img /media/apps -t ext3
dmesg says:
error: can't find ext3 filesystem on dev loop6.
I've also tried ext2, vfat etc. How can I detect the filesystem type of apps.img?
I've had a look at some similar threads but as I'm very new to linux they're already a bit technical for me. Sorry, this calls for someone with patience. I gather from other threads that disconnecting an external drive without unmounting is a no-no, and this seems to be the likely cause. Now the disk is read only and I'm unable to change any settings through the usual control panel on ubuntu. I'm just not familiar with the terminal instructions. I tried to cut and past a few command lines from other threads but I got some warnings that proceding could damage data. Like this one: WARNING! Running e2fsck on a mounted filesystem may cause SEVERE filesystem damage.
View 5 Replies View Relatedthere is a way to mount, encrypted partitions as a normal user and not as root so that i may copy files into it using the file manager itself? even in the case of normal partitions other than /home, i can't seem add any data in them. the mount points i used are seperate directories within the /home partition?? also, is there a way to create partitions in such a way that it can be accessed, just as how windows partitions are accessed in linux?
View 9 Replies View RelatedI want to create a user with a encrypted home folder. I tried "sudo adduser --encrypt-home username" but I get following error "adduser: Could not find program named `ecryptfs-setup-private' in $PATH". I installed the cryptsetup package but without result.
View 1 Replies View RelatedHow can I get a LUKS encrypted partition on an external USB device automounted with r/w access for non-privileged users?
Background:
I just reformatted an external USB device with ext4. The only partition is LUKS encrypted. Now, when I plug the device to my computer, KDE notifies me and asks me to enter the LUKS passphrase. Then it mounts the device. Little snag here: Non-privileged users have read-only access.
My user is a member of group plugdev, but not of group disk, as this was discouraged several times, e. g. by Robby Workman. With non-encrypted disks regular users have read/write access, or can change the filemodes accordingly, as far as I recall (currently I have no more non-encrypted disks left to verify it...)
I want the users of the other machines, which have accounts in my server, to mount their home directories in the server. I managed to do everything, except that for the moment I can only mount their home directories by being the superuser of the server, a privilege that I don't want to give to the users. Also, I don't want their home directories to be mounted automatically. Thus, from a "normal" filesystem share, I want to: 1-The home directories of user in other machines be mountable in the user areas of the server (I can do that already).
2-I want that the users be able to mount by hand their directories, so that the directories are not permanently mounted. Currently, I can only mount and umount being the superuser of the server. I don't want to give superuser privileges to all server users.
3-I don't want their directories to be mounted on startup (otherwise I could simply add the mounts to /etc/fstab). Thus, does anyone knows how can I give the users the privilege only to mount a specific filesystem?
How can I give 1 user access to mount 1 particular filesystem? This is for Debian 6 64bit.
View 4 Replies View RelatedIn CGI scripts, there are certain files that are getting "permission denied" when it seems they should be accessible by the apache user. I am running the default package install of apache under fedora. Here is an example:The following is /var/www/cgi-bin/test.pl
Code:
#!/usr/bin/perl
use strict;
[code]...
I am very new to linux, and I have a question regarding the filesystem check (fsck). The power recently went out and when I tried to restart linux the following error appears:
*/dev/sda1 contains file system w/errors, check forced it then goes on to say..
*An error occured during the file system check. Dropping you to a shell; the system will reboot when you leave the shell. Give root password for maintenance (or type Control-D to continue) I wasn't sure what to do, but checked some other online forums and they suggested running fsck manually - so I typed in the root password - and used the command, "fsck -A -V ; echo == $? ==" it then gave the following message
*WARNING!!! Running e2fsck on a mounted filesystem may cause SEVERE filesystem damage
*Would you like to continue (y/n)
Again, I wasn't sure what to do so i just checked no. I then manually turned off the computer and was prompted at the beginning to press Alt-3. I was brought to another screen and it informed me one of the drives was degraded and suggested rebuilding the array. I tried doing this, but it still brings me back to the original error of, "/dev/sda1 contains file system w/errors, check forced," and the process continues.
Also, when I tried to rebuild the array, I didn't backup any of the data on our home directory before doing this (which was probably a big mistake). After being prompted to type the root password, I was able to give the ls command and look at all the directories...the home directory where our data was stored was empty and I am afraid I may have lost some information. Is there a possibility that data was lost when I was trying to rebuild using the old drives?
I had to get a new workstation and its Win7-64. I found out that my Palm TX will not work on their or is supported by the manufacturer (unless u have bluetooth, I dont). So I have been trying to get it to work on my Debian. Using "Palm Devices" "Gnome-Pilot" connects fine and backs up but I dont see any kind of GUI like Palm Desktop. So I still cant work with my palm or install software etc.
View 2 Replies View RelatedI have installed Red Hat Eterprise Linux as a Guest OS using VirtualBox on the Host OS Windows XP SP 2 on my PC. I want to access my local / intranet web site from this Guest OS which is running on the top of on Windows XP, the Host OS. I am not sure as to what IP Settings I need to do. Though I am able to access Internet from both the OSes. The IP of this Guest OS is:
Code:
[root@localhost ~]# ifconfig eth0
eth0
Link encap:Ethernet HWaddr 08:00:27:30:E9:72
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe30:e972/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1871 errors:0 dropped:0 overruns:0 frame:0
TX packets:1926 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1427538 (1.3 MiB) TX bytes:415769 (406.0 KiB)
Interrupt:11 Base address:0xd020
[root@localhost ~]#
I have installed Microsoft Self Loop Adapter (Autoconfiguration IP Address: 169.254.25.129) on the Host OS Windows XP. There is another adapter: VirtualBox Host-Only Network whose IP Address is: 192.168.56.1. So, how can we access intranet web site from the Host OS to Guest OS and vice versa. I also want to access this virtual Red Hat machine /console from within windows XP using PUTTY application. From Windows XP the Red Hat machine is pinging. But when I use the IP to access the machine through PUTTY it doesn't work.