Has anyone tried encrypting the boot partition to prevent the kernel from being modified. Iv tried following this but I'm running into issues when building. [URL] Im using the source from bzr checkout [URL] Last time I tried I screwed grub and it wouldnt boot.
View 9 Replies
So I was wondering about the dilemma of how to encrypt the password file on a key card to unlock your harddrive without having to enter any password. I came to the conclusion that that the scripts could do this without storing any passwords in plane text them self. Have a few extra steps to the scripts that would:
1. Read the UUID of any disks coming in.
2. Attempt to use that ID to decrypt a password file stored in the initrd.
3. Use the decrypted password file to unlock the the keycard partition.
4. THEN use the password files on the keycard to decrypt the main partition and boot the system.
However, if somebody stole your key card and didn't know what the unencrypted information was, then it's harmless for them to have it anyway. And if they did know, you wouldn't be any better off with it being encrypted because they probably can gain access to your computer anyway; leaving them to just pop the key card in and automatically decrypt the drive.
I suppose encrypting the keycard would give you extra assurance that the information would be much harder to recover if you destroyed the key card in a hurry. So would this extra security step even be worth it?
I guess the most secure thing would be to only have a password and type it in every time... unless you are concerned about the aliens/government stealing that from your brain which would probably mean they wouldn't need your password anyway.
I'm trying to have a LUKS encrypted partition mounted at startup and to have GDM ask for my key so it will decrypt. Now I followed [URL] to the letter. Except for now, I have it just mounted into /mnt/cryptohome so I'm not messing with my system. My problem is the one everyone mentions in the comments, ubuntu isn't asking for the LUKS key in the X display, it's asking in the first terminal (Ctrl-Alt-F1). This will not do. I need it to ask to mount my drive before I'm even asked to login, so eventually I can encrypt my /home.
View 9 Replies View RelatedI need a FREE solution that can image an entire Luks system encrypted volume and the rest of the used HDD, the MBR and /boot partition. Note: MBR and /boot are not encrypted. Note 2: I want to be able to restore entire drive from image with only a couple of steps. Note 3: Destination HDD space is a factor. Image file must be compressed and the image file must be around 40 to 50 GB or less. The smaller the image the better.
I have used clonezilla live cd before but not for encrypted volumes. I know you can install it in Linux. But, I don't know how to configure it after installation. I would be very happy if someone could tell me how to configure clonezilla in Fedora. How to guides are also welcome. I have one more question. If I image the encrypted volumes and all the stuff I mentioned above while logged in to Fedora, and I restore the drive from the image, will the recovered drive still be encrypted?
I have Kubuntu 11.04 64-bit installed (software upgrade from 10.10) and I have a separate /home partition. I want to encrypt my /home partition (and perhaps the swap partition as well) but I don't want to have to reinstall Kubuntu. (Mostly because it was a software upgrade and I don't have an 11.04 disc.) I found a tutorial for Encryptfs via one of the stickies that mentions post-install migration, but it says that using Encryptfs on a separate /home partition is more complicated than if it were part of the root partition and that the CDs don't have any software to preserve and configure existing encrypted /home partitions. (Granted this tutorial is made for 9.04, so things may have changed.)
Also, this tutorial makes it sound like if you have your /home directory encrypted that the encrypted data is stored in a folder on the root partition. Is it done the same way if the /home directory is on its own partition? Because I don't think my root partition is large enough to have all of my /home data. (I purposely kept it small because the root partition doesn't seem to get very large.)
I would like to encrypt my swap partition ...During installation, I tried to select the "encrypt partition" choice, but it needed a passphrase.After installation, I tried to encrypt my partition ... I followed this article: The problem is that my swap partition always changes its path ...When I first booted the system, it was /dev/sda10, next it became /dev/sdc10, now it is /dev/sdb10. This is probably the reason why in fstab all entries are according to UUID.However, the swap partition is not fond of UUIDs ! I tried to mkswap /dev/<current swap partition> -L Swap, I received a UUID, puted it in /etc/crypttab ... it worked for the first time ... but the second time... did not.
View 14 Replies View RelatedI have a LVM logical volume, that contains a LUKS encrypted volume, on which is an ext4 filesystem. I shrank the partition to the minimum size. Next step is to luksClose the device, and then to resize the LVM logical volume. I suspect that LUKS has overhead. So if the ext4 filesystem was resized from, say 1TB to 500G, I have the idea that resizing the LVM LV to 500G does not take LUKS overhead into account and this might corrupt data on the end of the FS. So, what's the smart move to take? How do I calculate the safe minimum LV size? Or should I just give the 500G disk a few gigabytes extra to be sure?
View 4 Replies View Relatedif encrypt my root partition with Luksformat on my laptop and the battery suddenly goes out without a proper shutdown, I stand a big chance on corrupting the luks header or key slot?
View 1 Replies View RelatedI'm trying to migrate my LVs over to a Luks volume (prompt on password at boot). Unfortunately, as soon as I add my luks-encrypted physical volume to my volume group, I'm no longer able to update my grub configuration. I've detailed my steps below:
I've created and unlocked my encrypted partition with the following:
Code:
sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sdb1
sudo cryptsetup luksOpen /dev/sdb1 crypto_agilityssd
My /etc/crypttab looks like this:
[Code].....
I'm running Karmic Server with GRUB2 on a Dell XPS 420. Everything was running fine until I changed 2 BIOS settings in an attempt to make my Virtual Box guests run faster. I turned on SpeedStep and Virtualization, rebooted, and I was slapped in the face with a grub error 15. I can't, in my wildest dreams, imagine how these two settings could cause a problem for GRUB, but they have. To make matters worse, I've set my server up to use Luks encrypted LVMs on soft-RAID. From what I can gather, it seems my only hope is to reinstall GRUB. So, I've tried to follow the Live CD instructions outlined in the following article (adding the necessary steps to mount my RAID volumes and LVMs). [URL]
If I try mounting the root lvm as 'dev/vg-root' on /mnt and the boot partition as 'dev/md0' on /mnt/boot, when I try to run the command $sudo grub-install --root-directory=/mnt/ /dev/md0, I get an errors: grub-setup: warn: Attempting to install GRUB to a partition instead of the MBR. This is a BAD idea. grub-setup: error: Embedding is not possible, but this is required when the root device is on a RAID array or LVM volume.
Somewhere in my troubleshooting, I also tried mounting the root lvm as 'dev/mapper/vg-root'. This results in the grub-install error: $sudo grub-install --root-directory=/mnt/ /dev/md0 Invalid device 'dev/md0'
Obviously, neither case fixes the problem. I've been searching and troubleshooting for several hours this evening, and I must have my system operational by Monday morning. That means if I don't have a solution by pretty early tomorrow morning...I'm screwed. A full rebuild will by my only option.
I'm planning a fresh F13 install, with separate partitions for /boot, /home, /tmp, /, and swap. All but /boot will be logical volumes, and I'd like to encrypt all but boot. If I encrypt the underlying partitions, is there any reason to also encrypt the logical volumes themselves?
my system will be:
HP dv6-3040us Pavillion laptop
AMD Phenon II
4GB DDR3
Anyone had any experience with unlocking a LUKS encrypted root partition via ssh? It is ok to leave /boot unencrypted.
There are a few pages from google with the debians variants, archived by putting dropbear into initrd.
I like to do that with my fedora/centos remote servers, but struggle to find any resources specific to it. Anyone has any suggestions and thoughts as to what might be a suitable way forward?
I've created a /tmp partition on a server that I would like to encrypt in a fashion that doesn't require a password to be entered on boot because this server is in a remote data center. Storing the password on the server so that it can automatically boot would obviously defeat the purpose of encrypting in the first place. Skipping automounting is another option but I'd really like to avoid that because there are a number of other services that would have to be suspended until the /tmp partition is online.
I found this article designed for centos (HowTos/EncryptTmpSwapHome - CentOS Wiki) which seems perfect since it generates a key randomly on boot and that key is destroyed and regenerated on each successive boot. However, the script doesn't seem to work on openSUSE - it throws errors saying . /etc/init.d/functions doesn't exist, restorecon command not found, action command not found, etc. Is there an openSUSE-ish way to achieve promptless partition encryption?
In /etc/default/rcS I have set FSCKFIX=yes. This solves a recurring 'no init found' problem that prevents my machine from booting. Occasionally however, the setting reverts (by itself somehow) to FSCKFIX=no. Thus my machine cannot boot. Is there a way that I can prevent this file from being changed?
View 1 Replies View RelatedI'm writing here because it's mainly a security issue even though it's rather kernel related.
I'm compiling my own vanilla kernel with an initramfs included in the bzImage. That image contains encryption keys for the rest of the system. Even though it's not for everybody the initramfs image can be extracted from the kernel, decompressed and the keys extracted.
I'm looking on a way to prevent this.
I'm having a problem auto-mounting a new luks partition. I have crypttab and fstab entries. I already have my primary encrypted partition (root) mounting at boot (from the install), but after creating this one manually, it does not open on boot. It auto-mounts when I run the following command manually after boot: sudo luksOpen /dev/disk/by-uuid/<uuid> mycrypt
/etc/crypttab entry:
personalcrypt /dev/disk/by-uuid/a1af5b7b-db58-4690-b586-b74407795e2c none luks
/etc/fstab entry:
[code]...
The ability to manually boot using the Grub command-line constitutes a big security risk in Linux, IMO.Any OS can be booted in this manner from a PXE-LAN, USB, or CD/DVD drive, circumventing BIOS-imposed boot restrictions. (Once a foreign OS is booted, of course, it can be used to access any part of an unencrypted hard drive.) Placing passwords or locking menu items (in the Grub configuration files) does not prevent a user from booting manually using commands entered at the grub command-line.
As it stands now, when presented with the Grub menu (or after bringing up a hidden Grub menu with the "ESC" key), a user only needs to hit "c" to enter the Grub command-line mode to facilitate any type of bootup whatsoever. (They can then enter manually the Grub commands to boot an OS on any device.) This is extremely insecure and allows any passerby to boot the computer with a few keystrokes and a bootable USB drive. How do I configure Grub so that it will require a password in order to enter the command-line mode (and thereby restrict boot options to the menu, which can then be password protected/locked) ?
When I upgraded from FC11 to FC12 of the encrypted raid partitions started to request password on boot (in FC11 not having references to encrypted md1 in fstab and crypttab, was enough for FC11 not to ask for passwords on boot) despite the fact that I removed /etc/crypttab and there is nothing in /etc/fstab relating to encrypted md1 (raid array). I want my machine to boot w/o asking me passwords for encrypted devices, and I will open and mount them myself manually after boot.
View 11 Replies View RelatedI have install a debian jessie in my laptop, i create a lvm volume with /, /home, etc and a /boot partition outside. the i move this partition to the lvm volume and boot from it, everything it´s okay and it works.
The problem is that wen boot it ask me the passphrase to load grub, and then, when grub loads the kernel, it ask me again the passphrase.
I read that i can pass a key file to the initramfs to solve this, but where i see it, he uses mkinitcpio, and i can´´t find this package in the debian repos, it an arch package, also i tried this option [URL] ...
But it asking me the passphrase 3 times, and the third fails, the sistem starts, but i read the fail in the log.
My computer was working this morning and both hard drives were working fine, then all of a sudden for about two hours I was stuck with this "problem", then after fumbling and moving and stablizing things, then Windows works? See below for details. I've finally reinstalled both hard drives, but the one with the Linux partition doesn't work: it says nothing is discovered on the disk. I can't login at the LUKS login after grub starts, therefore I can't get into Linux, but Windows works?! I used to be able to go directly into Grub when the computer starts, I forgot how to do that but it doesn't matter. If you need details I'd be glad to provide them. I just wondered why Linux doesn't work, but Windows does. I have Linux & Windows on two different separate hard drives
View 5 Replies View RelatedI have an Ubuntu 10.04.1 LTS server that I set up a while back and I am considering encrypting the whole box. I store everything on the server and if it were stolen from a home robbery it could be quite devastating. The server is using two 750 GB SATA hard drives formatted with LVM. Inside the LVM I have a small partition on the first drive for the OS, SWAP, and everything else on the first and second drive is /var/media which is where I store all the data. I have set up an encrypted LVM on my laptop but that was during the install using the automatic method.
I can't figure out how to do what I want to do and I don't want to risk destroying the data on the server. What I would like is to non-destructively encrypt the server (System, SWAP, and DATA partitions) similar to how TrueCrypt works on Windows and I'd like the encryption key to be stored on a USB thumb drive so when the server boots it requires a hardware key. (And have the encryption key backed up online in case the flash drive dies.) And I'd like to use AES 256.
Code:
I need to change my LUKS partition to NTFS as I do not need the boot partition any longer, but I need to keep sdb3 (truecrypted ext3) intact. This is how the disk looks now:
Code:
Disk /dev/sdb: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
[code]....
why the following doesn't work with ext3 or 4?
dd if=/dev/urandom of=/tmp/container.bin bs=1024 count=20000
sudo losetup /dev/loop2 /tmp/container.bin
sudo cryptsetup -c aes -s 256 --verify-passphrase luksFormat /dev/loop2[code].........
We use a squid proxy server for all http traffic. Is there any way to configure squid so that all traffic which squid and workstation communicates is SSL and encrypted ?
View 2 Replies View RelatedI currently have my home folder encrypted with 128 bit encfs but i have the back up of that 'in the clear' on my back up hard drive. I am not that great with complicated instructions and especially the terminal so what if any is the easiest program to encrypt with?
View 9 Replies View RelatedWhat is the easiest way to encrypt plain text content with a password only? I need to encrypt client login information, but I hate dealing with all the unnecessary complexities of Linux's encryption systems.
I know I am going to get a bunch of people telling me how perfect Seahorse and whatever is, but Seahorse and the default /home directly encryption have both given me too many problems when decrypting my information. I prefer to preserve my data rather than using these methods.
I got ubuntu 10.04 lucid lynx along with windows (dual boot) and using Grub. On my computer, I have my C:/ (programs) and D:/ (data). I've never used my D:/ before that day that I've lost my windows partition on my grub menu. I usually use my D:/ with windows. The first time I used my D:/ to store data with linux, I lost my windows option in my grub menu. I'm not sure what I did wrong but I do want to restore my windows option in my grub menu.
After "fdisk -l",
I checked in /boot/grub and there is no menu.lst to modify. how I can get back my windows option in my grub menu ?
i have recently installed thunderbird on my fedora 11 box and so far so good. i am interested in encrypting my emails and digitally signing them as well. does anyone have documentation as to how i can do this? i messed around with it last night but i was not able to import a valid certificate.
View 14 Replies View RelatedI'm installing fedora 12 on a laptop using the live cd, and I have a few questions about the encryption process.
First, I'd like to fill the drive with random data. I've read the fedora documentation and it suggests using the following command: dd if=/dev/urandom of=<device>. The installer didn't offer an opportunity to do this, so I opened a terminal and typed the command. I expected it to take hours on my 160 gig hard drive, but it only took about 3 minutes, and indicated about 600 megs of data had been written. Did I do it correctly? According to palimpsest, my boot partition is sda1 and the other partition is sda2, so that's the one ran the command with.
Second, I need some advice on what to encrypt. The installer shows me the following layout after I select encryption:
LVM Volume Groups
Hard Drives
I know I can't encrypt boot, but I can encrypt lv_root and lv_swap. But is it necessary to do that? And tell me the pros and cons of using a boot loader password?
I encrypted my hard drive on my media PC but it's really annoying having to type in a password every time I turn it on. I chose a short password so it was quick and easy to type in but is it worth encrypting data with a weak password?If the computer is suspended, someone could come along and resume the computer. They would be presented with a locked GNOME session) but the data would be unencrypted; does this go against encrypting the hard drive? Or does the locked GNOME session provide enough security to keep an intruder out?
View 9 Replies View Related
