Ubuntu Security :: Root Encryption Without Passphrase?

Sep 5, 2010

I have installed Ubuntu 10.04 (mini ISO) with the option of root encryption. Now I need to boot without being asked for a passphrase, but I'm trying to add a LUKS keyfile without success. I want to use a keyfile in the /boot partition or inside the initrd (it can't be on an external pendrive), but Ubuntu apparently doesn't accept a keyfile in /boot or in the initrd file. I know this way isn't very secure, but I just need basic encryption. So, how do I force the use of a keyfile in /boot or inside the initrd for an encrypted root partition?


Fedora Security :: Disk Encryption With Remote Passphrase?

Jul 28, 2009

I have currently a file server that runs on Fedora 9, and all other PCs (mostly running Windows XP) access the file server via SAMBA. Everything works perfectly! However, lately a home invasion in my neighborhood got me thinking. If they take my file server, my data is not protected. So, I would like to implement the LUKS partition encryption (/home) which sits on a separate disk. However, I don't quite like the decryption process at boot time. In other words, I would like to wake up the file server (WOL) remotely, and when it's done booting, I would like to log-in using the other PCs and enter the passphrase remotely to decrypt /home. Is this possible using LUKS encryption (i.e., cryptsetup)? If not, what would be another alternative to what I am trying to do using a secure encryption (so that the data is safe from thieves)?


Ubuntu Installation :: 9.10 - Record Your Encryption Passphrase

Feb 7, 2010

I installed ubuntu 9.10 to a fresh partition on a HD that already contains a windows xp. During the install I opted to Require my password to login and to decrypt my home folder, (don't ask why, I regret it already). The install went well, I think, but when it came to reboot time I wanted to check that I could start windows xp from the new grub boot loader. Windows started fine so I rebooted again to try my new install of ubuntu. Now the system seems to get stuck at the little spinning wheel icon. I tried to boot to recovery shell but after entering my name and password I get:
Unable to cd to '/home/myname'

I rebooted using the live CD and mounted the file system as root. Now I have chrooted into the system, but that's as far as my knowledge gets me. I have googled to find the next step but am not finding a clear answer. I have found this [URL]. And here I see I should have seen a screen entitled: Record your encryption passphrase. But I didn't get to that screen. So is there any elegant solution? Or am I destined to wipe the install and start again? Perhaps this problem is connected to the bug mentioned here [URL].

Optional encrypted partitions must be marked bootwait in /etc/fstab

In addition to the above, users who have configured any encrypted partitions in /etc/crypttab to start at boot time (i.e., not using the noauto option) should make sure that the filesystems on these volumes are listed in /etc/fstab if they are not mounted at a standard system mountpoint. Failure to do this on a desktop system will lead to problems from the X server and cryptsetup trying to control the console at the same time. At best, this will prevent the user from seeing the passphrase prompt; at worst it will also cause the X server to spin and consume 100% CPU. (430496)

I'm not sure, my /home is not on a separate partition.
/etc/crypttab is empty
# <target name> <source device> <key file> <options>
/etc/fstab is
# /etc/fstab: static file system information.
# Use 'blkid -o value -s UUID' to print the universally unique identifier
# for a device; this may be used with UUID= as a more robust way to name
# devices that works even if disks are added and removed. See fstab(5).
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# / was on /dev/sda2 during installation
UUID=8e5f54dd-8d79-44da-9ddf-7f4e3bce2a64 / ext3 errors=remount-ro 0 1
# swap was on /dev/sda3 during installation
UUID=32bcb9fc-ff2b-4e37-a259-1bfabee7cee7 none swap sw 0 0
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0


Ubuntu Installation :: Improvement For 10.10 Install: Encryption Passphrase

Jan 4, 2011

Ubuntu's request for an encryption passphrase on installation could be greatly improved.

After installation, if the option to encrypt the home folder has been checked, Ubuntu prompts: "Record your encryption passphrase".

On running the action there are the following problems:

# When you type a passphrase, your keypresses are not indicated on the screen

# If you make a mistake typing the passphrase, and backspace, there is no way of knowing whether the backspace operation has worked

# The passphrase is typed once and the operation ends. There is no attempt to validate the correct entry of the passphrase by asking for it to be typed twice.

The combination of these shortfalls can be fatal. My last recorded encryption passphrase proved to be incorrect when after a critical failure I was required to enter my encryption passphrase to retrieve my data. It had not been backed up for a while. Ubuntu did not recognise my passphrase. Only after some dogged support from Canonical was the problem resolved.

I've just done a fresh install. I have butter fingers. I inevitably fumbled over the entry of my encryption passphrase. I have absolutely no way of verifying the passphrase I just set. Should Ubuntu ditch another critical failure on me, what do you think the chances are that my passphrase will work?


Fedora :: Caching Passphrase For Symmetric Encryption In 13 (emacs 23.1)

May 31, 2010

I just upgraded to Fedora 13, with emacs 23.1. Now when I edit a .gpg (encrypted) file, emacs doesn't cache the passphrase, so when I save the file emacs demands that I repeat the passphrase twice. Previously, the following line in .emacs made it cache the passphrase:

Code:

(setq epa-file-cache-passphrase-for-symmetric-encryption t)

This is supposed to work, according to the documentation [URL], but in Fedora 13 emacs it seems to have stopped working.


Ubuntu Security :: Error - No Key Available With This Passphrase.

Sep 2, 2010

I'm trying to add a key to a new slot from a keyfile that I created, but I keep getting an error and I don't know what the problem is.

Code:

root@ubuntu:~# cryptsetup luksAddKey --key-slot 1 /dev/sda5 -d /media/Ubuntu_10_04/etc/cryptkeys/swap.key
No key available with this passphrase.

Content of swap.key:

Code:

nBPeNCr_PS-yEv5SYEyyzaEextllDLo7aHs7yZGW9dtC48GDlte6WYQe7iG2poJr84U6twxu1DImZcyoBPB1q1AjYAanPsre7qLr7VnN4G6u1x_WG-sja6U_pvnks9CTgcD4UmfBw9mkrU3YY4GknQXtpLvkiBkM1soJ0SYYQ2r-7CDZJvaiYJb9eOKKbMsjlrEG39IBdQwdcEp3D7PK5paTYZdVHU2ygrJvJy-sJly4oqb2274DO8hbYviQsPdawetglkhhhhhhh98h4erwjerfkasjnfhsahfocLnBPeNCr_PS-

[code]....


Fedora Security :: Use A Passphrase - Not A Password

Feb 9, 2010

Simply, the number of possible combinations of passwords increases as an exponent of the number of characters used and as a factor of the number of characters available for use.

26 potential characters for a 2 character password results in 26^2 possible password combinations. This means that each new character added would result in an "order of magnitude" increase in the difficulty of brute force attack.

Using a phrase, complete with punctuation and capitalization is the very best mnemonic device to remember a password. Consider this, how hard is it to remember; The quick brown fox jumped over the lazy dog.

Than it is to remember, l33tsp34kp@ssw0rd

If we pretend that both of these passphrases are generated from a character set consisting of 26 characters, the first would be one of a possible 15274273784216769021564085930704478424313742483024510976. The second would be one of a possible 1133827315385150725554176.

In short, use a passphrase not a password, they are much MUCH more secure.


Security :: Gpg - Passphrase Goes Interactive With V1.1.8-4.fc13

Aug 4, 2010

I need a non-interactive, symmetric, passphrase mechanism that can be used on machines beyond my sys-admin control. Currently, I use the Python code (with variants):

Stat, Output = commands.getstatusoutput(
"gpg -c --passphrase=%s '%s'"%(Password, TarFileName))

to encrypt and decrypt files (tar balls). The "Password" is generated by a Python code on a singular removable flash drive. It worked with FC11 and Windows, but with FC13 I get an interactive dialog, which gets canceled, and then:

can't connect to `/home/{a user id}/.gnupg/S.gpg-agent': No such file or directory

gpg-agent[3432]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: error creating passphrase: Operation cancelled
gpg: symmetric encryption of `testdata' failed: Operation cancelled

The operator does not know the pass phrase. This is a single user mechanism which relies upon the mounting of the special flash drive to work. The application is portable across many platforms and hosts, but can only be used by the possessor of the flash drive.


Security :: How To Enable Passphrase For Access Via Ssh?

Apr 21, 2011

How can I enable a passphrase along with the password for login via ssh? In that whenever I login from server A to server B via ssh, it should ask me for a password and then a passphrase to allow me access.
OR
Can we have multiple passwords to login via ssh? My basic need is to have 2 levels of password.


Ubuntu Security :: Changed Password But Didn't Update Passphrase

Apr 19, 2011

When I set up an ID in Ubuntu, I encrypted it. I did a print screen of the passphrase and put it on the desktop. I'm just learning how to use the encryption so don't fault me for putting it right on the desktop. There is no important data in this ID. Now, I went and changed my password to the account. On the next boot, I got a few error messages:

Could not update ICEauthority file /home/mickymouse/.ICEauthority

There is a problem with the configuration server /usr/lib/libconf2-4/gconf-sanity-check-2 exited with status 256

In researching these, it looks like the problem is that I changed the password but didn't update (or something) my passphrase.

I can't boot into the GUI but I have figured out how to boot to a command prompt. I don't have access to my home directory because I don't have my passphrase. Am I toast or is there a way to recover / update the passphrase?


Ubuntu Security :: Security, Passwords & Encryption Keys?

Jun 7, 2011

I am not very security minded... I'm aware of it, and always made sure I had up-to-date overall protection in Windows, but firewalls and the blasted passwords are largely a thorn in my side! When I got my iPhone last year I suddenly discovered password managers & "wallets" to keep all that kind of information in and syncable across different devices. My life got so much easier. Of course now I need to figure out encryption keys, and how they work (I'm clueless). I also need to find a program or system that I can move my existing low-tech info (mainly user names & passwords) into, that will also accommodate the increased needs of Ubuntu security and still be sync-able. I started a little research weeks ago, but my current "wallet" only exports .csv so I quit, since I'm going to have to do a lot of data entry whatever I go with. So here goes:

1) What is the difference (bare bones) between using an encryption key (e.k.) vs. a standard user-created password? What situations are better suited for e.k.?

2) I have seahorse (default install with Ubuntu I guess) but the only thing in it is Login under passwords, which leads to a login keyring (?) and a drop-down list of about 6-10 of the gazillion passwords I use daily. The other tabs are for keys, which I don't have any concept of.

3) I know FF also "remembers" user IDs & passwords as you choose to have it do so. Is that information transferable into seahorse or another program?

4) I'm also (today) getting ready to really set up my system for user names & security across my little home network. How can I integrate that into whichever program/app I go with to store my pwds and keys?

5) Give me links to fairly current documentation on this stuff?

6) Any program/app recommendations. Pros/cons, uses, what they can & can't do or be used for, etc.


Fedora Security :: Disable Prompting For Passphrase At Boot

Feb 8, 2011

I have an encrypted disk, using LUKS / dm-crypt, on Fedora 14. Every time I boot, I am immediately prompted for the passphrase. This happens VERY early in the boot process, and is a graphical screen (i.e. not console text). If I hit escape, I am prompted in text mode for the same passphrase. If I hit escape or return a few times, boot continues normally.

I only mount the disk occasionally, and don't want to be prompted at boot for the passphrase to luksOpen the disk. I manually cryptsetup luksOpen and then mount it when I want access. I just don't want to be asked at boot, and don't want to unlock it until I do so manually. Does anyone know how I can tell Fedora to not attempt to decrypt / mount this filesystem at boot? It's not in /etc/fstab. I should mention, no LVM, just mdadm raid5 on the partition + LUKS / dm-crypt.


Fedora Security :: Change Passphrase For A Crypted Partition In F14?

Apr 4, 2011

How to change the passphrase for crypted partitions in F14?


Security :: Encrypted Partition Get Mounted Without Being Asked For Passphrase?

Sep 20, 2010

Hello everyone. I'm really confused by the ways an encrypted partition gets mounted. It just mounts the partition without asking for the passphrase used to create it. I can list the files in /mnt/sda2, create a new file test.txt, but have no access to the files written to the "real encrypted partition". Then I can see/change the content of the encrypted partition but without being able to see/change the file test.txt created previously with the normal mount command.

The reason I'm asking is that I'm having my custom Debian to automount every partition available on the system at boot time. Is there any way/command to tell if a particular partition is encrypted (by cryptsetup) or not? So that I can mount it the right way and not make the users confused (or even harm the encrypted data).


Security :: Increasing The Strength Of A Key- Ssh-keygen -t Rsa -b 2048 Without A Passphrase

Jun 8, 2010

I was wondering whether increasing the strength of a key by increasing the number of bits in the key to 2048 makes any sense if I want to leave the passphrase blank anyway? I'm setting up passwordless ssh logins on my LAN as I'm a bit tired of constantly being asked for a password.


Security :: Change Login Passphrase (to Unlock Encrypted Home Directory)

Nov 21, 2010

I just installed the testing version of Debian with the option to setup encrypted home directories. I used a passphrase that I now want to change to something else. How do I do that?


Security :: Acceptable Kerberos Encryption - Error "ktutil: AES256/SHA1*: Encryption Type AES256/SHA1* Not Supported"

Dec 23, 2010

I am building an Active Directory and using BIND9 as my DNS. To allow for secure dynamic updates from the domain, I am enabling GSS-TSIG as detailed here and here. Unfortunately, some of the commands and configurations used here seem to be deprecated, at least in the newer versions that I'm using. My issue is one of keytab encryption. I generated a keytab using ktpass.exe on the Windows Server 2008 domain controller. I have tried DES/MD5, AES128/SHA1 and AES256/SHA1; each has been turned down by ktutil on the Kerberos server (FreeBSD). Each time, it outputs the following error:

ktutil: AES256/SHA1*: encryption type AES256/SHA1* not supported

*Respective to encryption used.

I cannot find a list of suitable encryption schemes that ktutil will accept. The FreeBSD handbook details a means of producing a keytab file, but I'm not sure how to configure the Domain Controller to use the keytab.


Ubuntu Security :: Get Encryption Software With GUI?

Feb 20, 2011

I am looking for some software (not TrueCrypt) where I can just right-click a file and it will encrypt it for me. It would be nice to unencrypt on Windows but not essential.


Ubuntu Security :: Recommendations For Luks Encryption?

Jan 8, 2010

When 10.04 is released I'll encrypt my /home partition using luks. I've read that xts is good for hard drive encryption and aes is good for cipher encryption. I'm looking for something that is fairly secure without sacrificing a lot of speed.


Ubuntu Security :: Cfs Encryption Gives: RPC: Unable To Receive

Aug 3, 2010

I want to create an encrypted directory using the cfs package. So far I've only been able to create the top directory. When I want to attach an encrypted directory using

Code:
cattach directory1 directory2

I get the following message in the command line:

Code:
RPC: unable to receive

When I look into my /crypt directory, nothing was added there. I have no idea what could be the problem. I use Ubuntu 10.04 LTS.


Ubuntu Security :: Multi-factor Encryption Under 10.04?

Aug 3, 2010

I am currently running 8.10 with full-disk (excluding /boot) encryption. I am going to be installing 10.04 on a new laptop, and I was wondering whether it supports multi-factor authentication. Specifically, I would like to have a keyfile on USB/SD memory that is required, in addition to the password, to decrypt the disk. Anyone know of a guide out there? So far my searches have turned up nil.


Ubuntu Security :: Digging Deeper Into GPG Encryption?

Oct 17, 2010

I've been using GPG keys for about a year now to send encrypted emails to family. But now I want to try and understand more, mainly on signing keys. I've read a ton of stuff, but not fully grasping the concept. So I thought I'd check my understanding people here. Please let me know if I'm wrong on something.

Signing keys seems to be just signing someone else's public key with my private (public??) key. Does that mean I don't sign my own keys? Or should I? There seem to be lots of keyservers out there; mainly I keep hearing about the MIT one and the Ubuntu keyserver. Does it matter where I upload my public key? Somewhere I read that once you upload it once, it will slowly make its way to other servers. How is that possible? If someone signs my key on one server, will that also get pushed to other servers?


Ubuntu Security :: What's Default Encryption Used By OpenSSH?

Mar 7, 2011

I've read that blowfish encryption is much faster and still safe enough to transfer files between hosts. What's the default encryption used by OpenSSH? (if not already blowfish)


Ubuntu Security :: Encryption Stronger Than A 4096-bit DSA PGP Key?

Apr 20, 2011

Is there any available Ubuntu encryption stronger than a 4096-bit DSA PGP key that is natively supported or can be supported by Evolution?


Ubuntu Security :: Alternative Way For Website Encryption?

Jul 17, 2011

I don't care for domain 'authentication' by an "Authority". I don't trust no one, so CA's to me are as trustworthy as the gypsy in the park.

I can use a self-signed certificate, but the problem is most browser makers are Fn idiots that say the connection is not secure, when it actually is, but because I did not fork out cash, it makes my website look bad.
I can understand the need for a 3rd party to verify the domain host to prevent man in the middle attacks, but I do not care for this.. and browser makers should take more responsibility and introduce different padlocks for types of authentication, rather than saying "this connection is encrypted, but not secure because it's self-signed". What a load of horse s***!

How many times do people stop to read certificate authorities? I sure don't. I only care whether or not the connection has been encrypted.. so, I am looking for a way of simply providing encryption for my website.

From what I understand, when you submit a CSR to a CA, it includes the private key, meaning that the CA would be able to see the encrypted data, should they get hold of it. This is not acceptable for me.

Is there any other way to use encryption other than the SSL model that is used typically amongst HTTPS browsers today?


Ubuntu Security :: PGP Encryption Running Windows 7?

Jul 18, 2011

I have a problem using PGP encryption. I am running the Windows 7 operating system. I have PGP working perfectly fine when running manually through DOS mode (cmd.exe):

gpg -ase --always-trust --batch --passphrase myphrase --output c:\testdir\testfile.csv.pgp -r someword c:\testdir\testfile.csv

Now the problem happens when I am trying to run the same script in Perl in the browser (Perl + IIS are installed locally on my PC). The error I am getting is:

gpg: no default secret key: No secret key
gpg: C:\testdir\testfile.csv: sign+encrypt failed: No secret key

From what I understand, the secret key is created under my user profile. IIS runs under some default user name, so it does not see the secret key. I am not sure how to solve this problem.


Security :: C Xor Encryption Strength

Jun 14, 2010

I have found this XOR encryption program:

Code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_SIZE 256

[code]....

It's working fine, it can encrypt and decrypt. But how strong is it? Is it all depending on the specified key?


Ubuntu Security :: Remove Home Folder Encryption?

May 3, 2010

When I installed, I selected the option to encrypt my home folder. I believe this is causing constant crashes now, since the error message is user ID/password related. Is there a way to remove the encryption?


Ubuntu Security :: Best Encryption / Backup And Synchronization Scheme

Jun 7, 2010

I would like a seamless way of having personal files encrypted (at this point I am only worried about the home directory) and synchronize these files between different computers and with an external hd.

So far my partial solution is:
1) Default Ubuntu eCryptfs solution;
2) Unison to synchronize between the upper layers of both computers via ssh (operating on the /home/$USER mounted by ecryptfs) and also between one computer and the external HD;
3) Don't know about the external hd.

Reasons:
- I don't want any pain about data loss or data leak if my hardware gets stolen;
- Data in /tmp, /var and swap are not that important for me right now;
- It is very important to synchronize fast, incrementally and properly: propagating deletions rather than reverting and detecting change-change/change-delete conflicts before mis-propagating changes, which as far as I know only Unison is good at;
- Even if I could set the same passphrase on both computers (I guess I can, but Ubuntu does not offer me to choose the ecryptfs passphrase) I want to see the true filenames that are being synchronized;
- If possible I would like to simplify the whole scheme so that each computer is doing its own job seamlessly, and operating on the upper decrypted layer looks simple and robust;
- I would like a more general and easy-to-use scheme for the external device, so other folks use it too;
- If possible I would like ext4 backups, so it remembers file permissions etc... however it would be nice to be able to open it from Windows.

Are (1) and (2) above really good solutions or am I missing something? What are the best solutions for (3)? So far I have seen cryptsetup/palimpsest and truecrypt. The more native and FLOSS the better, but being cross-platform is nice. What are the pros and cons, and what's their relation to FreeOTFE and other Windows tools?


Ubuntu Security :: Remove The Whole Disk Encryption Without Reinstalling?

Jul 31, 2010

Is there any way to remove the whole disk encryption without reinstalling? I'm running Ubuntu 10.04.







