Security Basics mailing list archives
Re: Full disk encryption options
From: Rob Thompson <my.security.lists () gmail com>
Date: Mon, 12 Jan 2009 16:45:45 -0800
aragonx () dcsnow com wrote:
> Hello all, I have seen this topic on the list before I think but I want to go over it again if you don't mind. I have two volumes of business data that is sensitive. I have a Fedora 9 Linux server that these disks are in. I would like to have these disks encrypted. This is the easy part.
This isn't exactly what you were asking for. But for future reference, if you use the Ubuntu Server Alternate disk, you can set up encrypted volumes on the initial installation. Then, upon every boot/reboot, you will have to enter the password for each volume. The only downside to this is that you have only one password, so if you have more than one admin on the server you will lose accountability. I would assume that other flavors have this built in, but this is what I am familiar with.
> Now for the hard part. I would like to have the volumes mounted automatically at boot. So the security issue comes here. I would like to make it so that if the server is not shut down properly (normal init 0) then on the next boot it requires a pass phrase plus a pass key to access these volumes. So the stored pass phrase cannot be accessible under any circumstances if the system is not shut down normally.
Guardian Edge should be able to do what you are looking for from a commercial product. This will also give you your accountability.

To work with exactly what you have, you should check into LUKS (which is what I was referring to in the beginning of my reply).

http://luks.endorphin.org/

Hope this helps.
> Somehow I think I would also need to disable the power button on the machine to prevent someone from starting a shutdown without the root password. Any ideas on this topic? Thank you in advance.
>
> ---
> Will Y.
--
Rob