Comments on: Full system encryption for Linux http://xercestech.com/full-system-encryption-for-linux.geek Stuff geeks care about Fri, 03 Sep 2010 04:10:23 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Miguel Landaeta http://xercestech.com/full-system-encryption-for-linux.geek/comment-page-1#comment-1164 Miguel Landaeta Wed, 29 Jul 2009 03:09:45 +0000 http://tech.xerces.com/?p=711#comment-1164 Thanks anyway... Emailing to the author of the luks patch I found the address of the repository. If someone is interested in implementing this, they can find the code at http://michael.gorven.za.net/bzr/grub/luks. Thanks anyway… Emailing to the author of the luks patch I found the address of the repository. If someone is interested in implementing this, they can find the code at http://michael.gorven.za.net/bzr/grub/luks.

]]> By: Miguel Landaeta http://xercestech.com/full-system-encryption-for-linux.geek/comment-page-1#comment-1163 Miguel Landaeta Mon, 27 Jul 2009 18:59:23 +0000 http://tech.xerces.com/?p=711#comment-1163 Hi, thanks for the great article. Just a question: where are located the patches (or repository) that enable luks support for grub? Hi, thanks for the great article. Just a question: where are located the patches (or repository) that enable luks support for grub?

]]> By: Luis http://xercestech.com/full-system-encryption-for-linux.geek/comment-page-1#comment-1161 Luis Thu, 25 Jun 2009 13:47:22 +0000 http://tech.xerces.com/?p=711#comment-1161 "If you hit the default item, it should boot the kernel and initrd, load the pretty Ubuntu boot screen and eventually ask you for your password again. This is necessary because we are dealing with 2 distinct systems, GRUB2 merely needs to know the password to load the kernel and initrd into memory and read the grub.cfg file, it does not actually mount any filesystems such as root, that is done by the kernel. It would probably be possible for GRUB2 to pass our encryption password to the kernel so that the 2nd password prompt is not necessary, but it is only a minor inconvenience for the moment." For the moment you can put the key on a script in initramfs so that it can mount the filesystems without any user interaction. This is not unsafe since boot will be on the encrypted filesystem. You would have to make sure that initramfs is readable only by root if you are to have any other user on your system. It would be safer then passing it for example from the command line, as any user can cat /proc/cmdline. “If you hit the default item, it should boot the kernel and initrd, load the pretty Ubuntu boot screen and eventually ask you for your password again. This is necessary because we are dealing with 2 distinct systems, GRUB2 merely needs to know the password to load the kernel and initrd into memory and read the grub.cfg file, it does not actually mount any filesystems such as root, that is done by the kernel. It would probably be possible for GRUB2 to pass our encryption password to the kernel so that the 2nd password prompt is not necessary, but it is only a minor inconvenience for the moment.”

For the moment you can put the key on a script in initramfs so that it can mount the filesystems without any user interaction.

This is not unsafe since boot will be on the encrypted filesystem.

You would have to make sure that initramfs is readable only by root if you are to have any other user on your system.

It would be safer then passing it for example from the command line, as any user can cat /proc/cmdline.

]]>