Ubuntu Security :: Methods To Store Password For An Encrypted Filesystem?

Nov 27, 2010

I've created encryption systems on servers, but nearly always I have stored the password somewhere on the machine itself. The file is always 0600 to the relevant user, but a systematic analysis of my system could easily find the scripts that invoke decryption and discover the password. (The most blatant example of this is mounting SMB shares with the "-o credential_file" option where both the username and password are plain-text. In the cases where I've used this, the security of the share hasn't particularly mattered.)

Soon I might be faced with storing "patient health information" (PHI in the healthcare world) whose privacy is heavily regulated by the provisions of the US law called HIPAA. I've been thinking about creating an encrypted partition to hold the PHI, but I need a highly fault-tolerant method for obtaining the key from a different machine than the server itself. At first, I thought about running a script using scp and shared keys to copy the key from the remote, use it to decrypt the partition, then erase it. I'd like to be able to do this with a pipe; otherwise I'll write the key in a non-persistent location like /dev/shm.

I need more than one machine to make this work to ensure I can obtain the key when needed (like at boot). One solution is to place copies of the key on multiple servers and try each of them until I find it. A more elegant solution would place the key in a DNS TXT record. I suspect I could use LDAP for this as well, but OpenLDAP and I have never really been on speaking terms. So does this make sense? I presume I can write a bash script to do all this at boot. Most of what will be stored in this partition is the PostgreSQL database in /var/lib/pgsql and perhaps some other files.

My understanding of encrypted file systems is that they are only encrypted when unmounted. When mounted they must be as visible to the operating system as an unencrypted partition. I suppose you could apply encryption to every single disk transaction, but that would require knowing the key all the time, and would seem to add a lot of overhead.


Server :: How To Store Password In Encrypted File / Retrieve It In Secure Mode?

Jul 14, 2011

There are some configuration files where Linux requires the password of an application user to do something. How can I encrypt the password in these files? Or how can I store that password in an encrypted file and retrieve it in secure mode?


Server :: SVN - Password File For Svnserve Encrypted Rather Than Store The Usernames / Passwords In Plain Text?

Apr 23, 2010

Is it possible to have the passwd file for svnserve encrypted, rather than store the usernames/passwords in plain text?


Ubuntu Security :: SSH Server - Username / Password Encrypted

Jan 31, 2010

There was a recent thread in this forum regarding capturing of SSH passwords via the use of Wireshark. The thread subject was closed, which is a decision that I both agree with as well as agree with the reasoning behind. The thread, however, raised a point of curiosity and concern that I would like to ask about. Quoting from the book, SSH, The Definitive Guide:

The client authenticates you to the remote computer's SSH server using an encrypted connection, meaning that your username and password are encrypted before they leave the local machine. The SSH server then logs you in, and your entire login session is encrypted as it travels between client and server. Because the encryption is transparent, you won't notice any differences between telnet and the telnet-like SSH client.

I was under the impression that SSH was impervious to this type of eavesdropping, and quite frankly I take great comfort in that idea. I personally, only allow RSA keys for SSH access and (hopefully) avoid this problem (?) as a result. Does SSH really have a vulnerability in that the authentication is sent via plain text? How to ensure the security of SSH and not on anything that could be considered a how to 'crack' it.


Ubuntu Security :: No Password Required For Encrypted Emails?

Apr 25, 2011

I'm running Thunderbird with Enigmail, and I have this very annoying problem. When I open an encrypted email for the first time, it asks me for my key password. It then remembers my password. This is fine for a few minutes, since I don't want to enter the password every time if I look at seven emails in five minutes. However, I WOULD like it to EVENTUALLY forget. At the moment, it doesn't even forget if I shut off Thunderbird. I have to restart my computer, in fact.

The preferences for Enigmail don't help. I've configured it to remember the password for 0 minutes, for example. I don't know how to edit the preferences for gpg-agent or anything else like that.


Ubuntu Security :: 9.04 Jaunty Encrypted Account And Password Changing?

Mar 10, 2010

When I first installed 9.04 (from scratch), I chose the option to have my entire account encrypted... I used the same password as my login password, and wrote down the key hash that it displayed for me just like instructed... everything was working terrific... Well, yesterday, I wanted to change my account password. I changed my account password, and it took effect immediately (I tested it by using "sudo -s" to see if I could elevate to root from the terminal... worked just fine). Being satisfied with my new password, I shut my computer down...

The next time I started it up and tried to log in to my account, I put in my username and password and pressed enter, and it accepted it just fine, and started to boot to my desktop... it then immediately prompted me with something about "your session lasted less than 10 seconds, try starting in failsafe mode" or something along those lines, and immediately booted me out and back to the gdm login screen... I thought it was just a glitch so I tried again... same thing... gave me the "less than 10 seconds" prompt and booted me back to the gdm...

I thought maybe my filesystem became corrupted, but I didn't give up... I attempted to login to my fiancee's account, and it worked just fine! Using her account, I was able to quickly and safely boot into her desktop environment with no errors... I opened a terminal and used the "su" command to access my account... When I did this, it gave me some kind of error and told me to run ecryptfs (can't remember exactly which command... now). I ran ecryptfs and put in my NEW password... it told me that the passphrase was incorrect. So just out of curiosity, I ran it again, and this time put in my OLD passphrase, and it worked immediately! At this point, I realized that my gdm login password got changed, but my ecryptfs passphrase did not, and the two were not matching up (I assume that on login, gdm passes this password on to ecryptfs, and that when the two did not match up, it was booting me out with the whole "session lasted less than 10 seconds" prompt...)...

So what I did at this point was, while logged into my girlfriend's account, I "su"'d into my account, and used the passwd command to change my password back to my OLD password... once the password was changed back successfully, I restarted my computer and tried to log into my account from the gdm... worked perfectly this time with the old (original) password... When you change your session password, shouldn't it automatically change the encryption password to match? Or at the very least, warn you that if your account is encrypted, you must take further steps to make these two passphrases match? Also, what command would I use to change my "ecryptfs" password to manually match my session password?


Fedora Security :: Encrypted HDD Password Entry Delay?

Apr 12, 2009

I have F10 installed on my laptop with disk encryption enabled. When I boot the machine I get a "Password:" request on screen but can't start typing for 30 seconds or more. Presumably the OS is not ready. This means I have to wait at the keyboard tapping a key until I see asterisks. It's a waste of time and frankly a bit clunky for a modern OS. How can I change the behaviour so that the "Password:" request only appears when I can actually type?


OpenSUSE Hardware :: Encrypted Way In Linux To Store The Data In Usb?

Dec 1, 2010

I keep my bank account numbers and passwords in a kwallet file. I would like to buy some external USB flash disk as a backup to keep the file inside. Is there an encrypted way in Linux to store the data in there?

For example:
Buy a stick that encrypts the data.
Encrypt the data by using some filesystem.
Does this work on every USB stick?


Ubuntu Security :: Main Encrypted LVM Not Accessible After Deleting A Different Encrypted LVM On USB HD

Mar 7, 2011

I installed Ubuntu 10.10 64 on my laptop with the entire 500gb setup as encrypted LVM. This has worked well for several months with no problems. During this time I have been backing up the data to an external usb drive (1tb) on a regular basis. The usb drive was not encrypted. So, I thought it would be a good idea to encrypt the backup drive too. I wiped out the backup drive and set it up as one large encrypted lvm and mbr. This seemed to work fine but immediately afterwards I decided to erase that and set it up as encrypted lvm guid instead of mbr. I couldn't delete it while logged into my desktop so I decided to do it from a bootable gparted usb stick. In gparted I erased the 1TB backup drive once again and planned on setting it up the way I wanted once I was logged back into my ubuntu desktop. Now I can't boot into my desktop with the following errors:

cryptsetup: evms_activate is not available b0d) does not begin with /dev/mapper/

Then after waiting for a few minutes I get an error followed by (initramfs)

When booting from a live version of ubuntu the 250MB boot partition is recognized and the 500 partition is there but it is labeled as empty/unused.

Also, I did choose to use the exact same passphrase as what is used on the main bootable drive when I set up the encrypted partition on the external 1TB drive.


Ubuntu :: Lost Password And Normal Methods Don't Work / Resolve This?

Jul 14, 2010

So I have forgotten my password, like a moron, and have been trying to reset/recover it.
I have found the plethora of sites giving instructions on how to reset my password, such as psychocats.net
So I have gotten into the root shell and this is what I type.
ls /home
(gives me the name of my account)
passwd (my account here)
unknown user (account name here)

I have also tried editing the boot kernel.
I add this: rw init=/bin/bash
Once I restart I get the root@(none) command prompt. Then I type passwd (username here) and get back ' unknown user


Ubuntu Security :: Right Click - Automatically Get The Encrypt Process To Delete The Un-encrypted File When It Makes The New Encrypted Copy?

Jan 5, 2010

I've just started using Ubuntu One. However, some of the files I store on there are sensitive so I encrypt them using seahorse. Right click, encrypt etc etc. My question is, is there a way to automatically get the encrypt process to delete the un-encrypted file when it makes the new encrypted copy?


Debian Programming :: Emacs And ECB Missing Python Methods In Methods Window

May 12, 2014

I work with python and I use emacs as my IDE tool. I have been running Debian Squeeze (6.0.9) for some time now with emacs 23.2.1 and ecb 2.32. I am able to access my python methods in the ecb-methods window with no problems. However I recently upgraded my desktop to Debian Wheezy (7.5) running emacs 23.4.1 and ecb 2.40 but I have lost access to the methods in the ecb-methods window. The window is just empty while the others (directories, sources and history) are all populated. I have a second laptop which I decided to upgrade to Debian Jessie, however Jessie recommends emacs 23.4.1 which is running with ecb 2.40 also. The result is the same as on Wheezy.

I have used the ecb menus and googled for a solution or even just a mention that such a problem exists but have come up with nothing. Either I have a unique situation here or am doing something really dumb.

I would like to upgrade to Wheezy or Jessie but I need access to methods in the ecb methods window. How to keep my upgrade and see the methods in the methods window of the ecb system ....


Ubuntu Security :: Pen Test IIS - Methods To Simulate Attacks To Check HIPS Detects?

Jan 27, 2011

I need to do a pentest on a Microsoft IIS webserver to test the efficiency of the HIPS I have installed on. Methods to simulate attacks so that I can check if the HIPS will detect them?


Ubuntu :: Mounting External Encrypted HDD With Ext3 Filesystem

Jan 20, 2010

I have an external HDD with eSATA and USB connectors available. I want to use this HDD to store my backups. The HDD should be encrypted (my main system is as well).

So here is what I did so far:
1) I used the following code to create the encrypted LUKS partition with EXT3 Filesystem:
Code:
cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sdb1
cryptsetup luksOpen /dev/sdb1 luks
mkfs.ext3 /dev/mapper/luks
The system always hung when I executed the "mkfs.ext3..." command, so I switched the HDD from eSATA to USB and then it worked fine.

2) When I switched on the ext. HDD the first time, the drive was recognized automatically and Nautilus asked for the password. I typed it in and checked the checkbox to remember the password in the future. For the backup I use a nice script that I found in another forum, where I can define a mountpoint and then the script will check for previous backups and only make an incremental backup based on the latest version. The script also mounts the drive automatically. In order to always have the same mountpoint, I want to make an entry in the /etc/fstab using the UUID of the ext. HDD.

Whatever I tried, it doesn't work. What am I doing wrong? Here is my current /etc/fstab
Code:
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# / was on /dev/mapper/ubuntu-root during installation
UUID=2ea47421-73ce-4c66-9606-8a1db81ae640 / ext3 relatime,errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=dbdeb793-1d4e-43ea-8986-7b37fdbc9674 /boot ext3 relatime 0 2
# /home was on /dev/mapper/ubuntu-home during installation
UUID=42702091-83e6-43eb-aad1-108f43eedf9d /home ext3 relatime 0 2
# swap was on /dev/mapper/ubuntu-swap during installation
UUID=e225bcf9-908b-4226-a963-6b02ee658df1 none swap sw 0 0
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0
# Entry because of iPhone
none /proc/bus/usb usbfs devgid=125,devmode=666,nodev,nosuid,noexec 0 0
# external HDD
UUID=913977f7-8fa6-416f-af79-b5f913b68f53 /media/backup-hdd ext3 noauto,users 0 0
I made the "none /proc/bus/usb..." entry because it was recommended to ensure correct behaviour of the iPhone. Not sure if I need it though.

I created the mountpoint with this command:
Code:
sudo mkdir /media/backup-hdd
Now it seems the mountpoints owner is not root - strange right?
Code:
2 4 drwxr-xr-x 3 michael michael 4096 2010-01-15 02:45 backup-hdd
How should I mount this drive correctly? It will be automounted as every USB device, but that should not be the case. I want the script to mount and unmount the drive.


Ubuntu :: How Do I Recover Data From Corrupt Encrypted Filesystem

Dec 1, 2010

Recently I was forced to hard reset my computer a couple of times (mostly out of frustration) and due to my idiocy I was confronted with the standard Kernel Panic message at bootup. I tried running an fsck from live cd which corrected a bunch of errors but to no avail (as far as getting rid of the Kernel Panic msg). I then tried to mount the filesystem by accessing it from live cd (and later even installed ubuntu on a small leftover partition to get rid of the annoying live cd lag) but it says that I don't have access to my home or root folder. Mounting from command line gave the same issue.

So now to the question. Is there a general procedure to access data in my corrupt filesystem if it is encrypted?


OpenSUSE Install :: Can't Reformat Encrypted Filesystem?

Mar 2, 2010

I have an encrypted filesystem that I've decided I don't want encrypted anymore. Seems the easiest way to do this is simply reformat the filesystem, but I can't. If I try to do it in YaST2 I get either system error code -3005 (unknown) or -3008 (apparently in use). When I try to do it from the command line I get:

Code:
frylock:/home/joel # umount /dev/sdb5
umount: /dev/sdb5: not mounted
frylock:/home/joel # mkfs -t ext4 /dev/sdb5
mke2fs 1.41.9 (22-Aug-2009)
/dev/sdb5 is apparently in use by the system; will not make a filesystem here!
frylock:/home/joel #

It's unmounted, I don't know how to make it any less in use than that. I can't delete the partition because it's not the last logical partition in the extended partition.


Ubuntu :: Where Does Evolution Store The Email Password

Jul 19, 2010

I forgot my email password which was stored in evolution. The gnome wiki says it's in ~/.gnome2_private/Evolution/ but I don't have this directory. Does anyone know where the password is stored? I'm using 10.04.


Fedora Installation :: Using The Kde Install Disc - Encrypted Filesystem ?

Jan 12, 2011

Is this irrelevant if you are using the kde install disc? I want to use a encrypted filesystem. I would think since I am using kde that I would have a graphical interface.


General :: Boot From Encrypted Filesystem Without User Interaction?

Mar 24, 2010

Is it somehow possible to boot a Linux operating system from an encrypted filesystem/disk without having user interaction? Background: I am preparing a VmWare Image for shipment to a customer. This image contains sensible data. The only access granted shall be via an apache server running from inside in the image.


General :: Encrypted Remote Filesystem With Concurrent Access - Is It Possible?

Jul 26, 2011

I'm looking for a way to store an encrypted filesystem on rsync.net which can be mounted and used by multiple clients concurrently - I've considered and experimented with many different ideas, including code...

but all of them are leading me to what looks like a fundamental theoretical problem: a filesystem with concurrent access needs someone to manage it, and who's going to manage it if I can't trust the server? Or refuse on principle to trust the server? There would need to be some trusted entity communicating with every client and making decisions to keep the filesystem and/or block device consistent, right?

Is my understanding correct, or is there any way of achieving what I'm trying to do?


General :: Store Password Into A File?

Sep 20, 2010

I'm using a command in Linux which generates an eight character random password. The problem is that when I execute the command, the generated password is shown and isn't stored anywhere I can use. How can I store this password into a file or pipe the command to save the password into desired file directly?

[code]...


Debian Configuration :: Create An Encrypted File And Later Mount It As A Filesystem?

Aug 24, 2010

I am trying to create an encrypted file and later mount it as a filesystem.

KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
echo $KEY | openssl aes-256-cbc > container.key
dd if=/dev/urandom of=~/container.img bs=1G count=10
losetup /dev/loop0 ~/container.img

[code]....

The luksOpen command asks me for my passphrase, but always rejects it. I have retried this several times and written down the passphrase - and even tried with a very simple one just to check. And I never can make it work.


Debian Configuration :: Keyboard Layout Used At Boot For Encrypted Filesystem?

Jun 28, 2011

How can I set the keyboard layout used by Debian to enter the password of my encrypted filesystem?

After my recent "aptitude upgrade", I have not been able to mount my encrypted filesystem anymore. I have discovered that the keyboard layout used to enter the password has changed. Problem is that with such layout I can't enter some of the characters composing the password. The encrypted filesystem looks intact, since I have been able to mount it and backup my files by means of a live CD. That means that I can edit any system file, if needed.

Every technique I have found to change layout cannot be employed in this case, since they rely on the system being up and running. I've tried editing /etc/default/keyboard, but that does not work.


OpenSUSE Install :: 11.2 Repair Ext3 Filesystem Within Encrypted Lvm2

Jan 4, 2010

I have two ext3 partitions within an encrypted lvm2 volume. When I start up my system it says that there are 0.3% non contiguous blocks.

This is my setup:

When I want to repair with repair system from dvd it tells me that the repair and check operation for encrypted LVM devices is not supported. So how can I fix my filesystem?


Software :: Encrypted Filesystem - Mount Failed With Run Sync Status 32

Dec 11, 2010

When I try to mount a linux file system that was encrypted using cryptsetup I get the following error:
debian:/# mount /dev/sdb3
Command sukey slot 0
mount: u moet een bestandssysteemsoort aangeven
mount failed with run_sync status 32
Command failed: Device busy
mount.crypto_LUKS(crypto-dmc.c:168): Could not unload dm-crypt device "/dev/mapper/_dev_sdb3", cryptsetup returned HXproc status 240
"mount: u moet een bestandssysteemsoort aangeven" is Dutch for
"you must specify filesystem type"


General :: Store Svn Password In Gnome-keyring?

Jul 19, 2011

I want to store my svn password in the gnome-keyring so it is encrypted and 'secure'. I made the necessary changes to ~/.subversion/config, but even after running a few svn commands, I do not see an entry for SVN in the keyring.

What else do I need to do to get SVN using gnome-keyring? I will also be using this with git-svn.


Server :: Secure - Filesystem And Partitions To Be Encrypted But Without The Need To Insert Some Code When Rebooting

Apr 26, 2011

I have implemented a web application on Linux that I want to deploy and sell to customers. I want to sell ready systems including the hardware. The application is written in PHP/MySQL. What I am searching to achieve is :

1) Find a way so that filesystem and partitions to be encrypted but without the need to insert some code when rebooting. So that if someone gets out the hard disks and attach to another system, cannot have any access to my files or settings. And of course when rebooting (e.g. after a power failure) encryption to be applied automatically.

2) I know that there are ways to bypass root password on a Linux system. Can all these ways be unassigned ? I want the only way to have access to system, to be by using the root password and nothing else.

I have thought of using a virtual server instead of a physical one (like deploying a virtualbox server) but still would like this to be the most secure possible including not only remote but also local access to system.


Server :: Use Htpasswd To Add Password To User And Store In /etc/vsftpd/passwd

Feb 4, 2010

I started to work on building a ftp by vsftpd in our lab (that's only for our lab members). I am going to setup some the virtual users for each of the member. We have a CentOS5 (without upgrade after the fresh installation). I try several ways to setup the vsftpd for virtual users. 1) with db4 2) with mysql 3) without database and use htpasswd. But all fails. Actually, I don't want to use database, so I am going to find out the reason of failure on 'htpasswd' method

My vsftpd is installed in /etc/vsftpd (for only using ftp account, it is no problem to login).

1) I setup an account called vftpuser and build the corresponding home (/home/vftpuser), and then I setup another account call usera and also create a directory within /home/vftpuser.

2) I use htpasswd to add passwd to usera and store the passwd in /etc/vsftpd/passwd.

3) I added the name of usera to /etc/vsftpd/user_list

4) I create a directory /etc/vsftpd/user to store a unique conf for each user (for usera, the conf named usera) which contains the local root for users, which is

[Code]....


Security :: Generate Passwords And To Store And Keep Track Of Them?

Jun 6, 2011

I have joined a number of websites over time and it seems harder to manage them. Would like advice on how to generate passwords and to store and keep track of them. I would like to hear of systems or programs that are good for this.


Ubuntu :: .rar Is Encrypted And Requires A Password

Nov 8, 2010

I have a .rar in my Downloads, I want to unrar this file to my Music folder, but the .rar is encrypted and requires a password.

I've tried a few commands like this:

Code:

But it tells me no files to unrar.








Copyrights 2005-15 www.BigResource.com, All rights reserved