Re: /boot accessible in plaintext using encrypted LVM
Markus R. Keßler wrote:

On Sat, 05 Nov 2011 15:09:04 +0000, Günther Schwarz wrote:

Markus R. Keßler wrote:

Is it really impossible at all to set up whole disk encryption in the
way Pointsec does, where there's only one partition with the
en-/decrypter at the beginning?

On any Linux system you will have to boot the kernel at some point. Any
solution that encrypts the whole disk will have to decrypt the kernel
and the boot loader first. The simplest way of doing so is to use a
hard disk with encryption at the hardware level.

Seagate sells a solution called "self encrypting drive", which encrypts
and decrypts data by itself.

It seems to work fine, but the user has to be asked for the password,
and afterwards it has to be passed to the controller on the HD.

This requires support from the BIOS of the box, and the "hardware
compatibility list" on Seagate's web page, showing the manufacturers
and their notebooks which are compatible with these disks, is only a
few entries long...

Did you have a look at the Hitachi drives also? These - and probably
Seagate's as well - follow TCG standards for the BIOS interface to the
drive. As far as I understand, any BIOS that offers setting a password
for access to the drive should do the trick.

In most cases you will have to purchase a new box for this.

I have to admit that I do not have experience with built-in
self-encrypting drives. But any notebook with Intel's vPro sticker should
work. On consumer hardware one has to live with OS-based solutions like
LUKS (slow and without protection for the boot loader and kernel) or
self-encrypting external drives like the ThinkPad Secure Drive (also slow
unless it is the expensive model with eSATA connector).

Günther
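The thread's point is that on a LUKS-on-LVM install the kernel and boot loader stay in plaintext. As an added example (not code from the thread or from any of its participants), the script below takes the `key="value"` table printed by `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`, walks each mounted device's parent chain, and lists every mountpoint that has no dm-crypt layer beneath it; the lsblk table embedded here is constructed to mirror the layout the thread discusses.

```python
# Added example: report mountpoints that are NOT backed by a dm-crypt
# layer. Input is the key="value" format of
#   lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME
# PKNAME is the parent device, so following it upward reveals whether a
# TYPE="crypt" mapping (LUKS) sits anywhere beneath the filesystem.
import re

# Constructed sample for a typical "encrypted LVM" install: /boot on a
# plain partition, root and swap on LVM inside a LUKS container.
SAMPLE_LSBLK = '''\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda5" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda5_crypt" TYPE="crypt" MOUNTPOINT="" PKNAME="sda5"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="sda5_crypt"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="sda5_crypt"
'''
_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text):
    """Map device name -> {'name', 'type', 'mountpoint', 'pkname'}."""
    devices = {}
    for line in text.splitlines():
        fields = {k.lower(): v for k, v in _PAIR.findall(line)}
        if 'name' in fields:
            devices[fields['name']] = fields
    return devices


def is_encrypted(devices, name):
    """True if `name` or any device beneath it is a dm-crypt mapping."""
    seen = set()
    while name and name not in seen:      # guard against cyclic input
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev.get('type') == 'crypt':
            return True
        name = dev.get('pkname', '')
    return False


def plaintext_mounts(text):
    """Sorted mountpoints whose backing stack contains no crypt layer."""
    devices = parse_lsblk_pairs(text)
    return sorted(d['mountpoint'] for d in devices.values()
                  if d.get('mountpoint') and not is_encrypted(devices, d['name']))
```

On a live system, feed the real output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` to `plaintext_mounts()` instead of the sample; for the sample layout it returns `['/boot']`.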