
root fs/crypted



SAWFASP^*

as laws around the globe are forged to weaken personal privacy, 
police knocking on one's door, because of portscanning a
previously hacked website, and - i don't have to tell those
of you, which are reading slashdot - as pretty strange things start
to happen worldwide, i'm getting somewhat nervous about
my data safety.

what i'm aiming at, you might ask? 
debian should support a crypted rootfs right out
of the box.

i'll try to grasp within a few words, what's necessary to realize this:

- the international kernel must be introduced as regular 
  debian packages. 
- the boot disks need to be modified (just do a losetup
  on some loopdev, and mount that one instead of the realrootdev)
- of course, there must be an initrd to boot from, 
  which accepts authentication information.
  (this ramdisk has to be placed unencrypted on 
   the rootfs, so the kernel code has to be circumvented or
   the plain data has to be manually decrypted in usermode
   to be re-encrypted to the original plain data when flushed 
   to disk.. easy for ECB mode crypto but harder to
   achieve for CBC mode - creative suggestions welcome)
- there must be an alternative passphrase, since neither i nor
  any user will be willing to trust one forgettable phrase.
  (how many times have you forgotten your mobile phone pin?)
  suggestion: the actual key will be randomly generated, and 
  encrypted twice by two different passphrases/keys - one 
  chosen by the user, one randomly generated - useful to write on 
  a piece of paper and hide behind the bookshelf.

(probably i should crosspost to debian-legal. the 
whole non-US issue has been left untouched)

what do YOU think?
shall debian be the first(?) privacy enhanced distro?

clemens

^* SAWFASP = searched archives without finding a similar 
posting
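
The two-passphrase suggestion in the post above (a random disk key, stored once per passphrase), sketched as an added example that is not part of the original message. All function names and the slot layout are assumptions, and a PBKDF2-derived one-time mask plus an HMAC tag stands in for a real key-wrap cipher so the sketch needs only the Python standard library.

```python
from __future__ import annotations
import hashlib, hmac, secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def _slot_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    # 64 bytes of PBKDF2 output: first half masks the key, second half authenticates the slot
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def make_slot(master_key: bytes, passphrase: str) -> dict:
    salt = secrets.token_bytes(16)  # fresh salt per slot, so each mask is used only once
    mask, mac_key = _slot_keys(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def open_slot(slot: dict, passphrase: str) -> bytes | None:
    mask, mac_key = _slot_keys(passphrase, slot["salt"])
    expect = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, slot["tag"]):
        return None  # wrong passphrase, or the stored slot was modified
    return bytes(a ^ b for a, b in zip(slot["wrapped"], mask))

def unlock(slots: list[dict], passphrase: str) -> bytes | None:
    # Try the passphrase against every slot; any one slot recovers the same disk key
    for slot in slots:
        key = open_slot(slot, passphrase)
        if key is not None:
            return key
    return None

def new_volume(user_passphrase: str) -> tuple[bytes, list[dict], str]:
    master_key = secrets.token_bytes(32)  # the actual disk key, never typed by anyone
    recovery = secrets.token_hex(16)      # random 128-bit phrase for the piece of paper
    slots = [make_slot(master_key, user_passphrase), make_slot(master_key, recovery)]
    return master_key, slots, recovery

def change_passphrase(slots: list[dict], index: int, old: str, new: str) -> None:
    # Re-wrap the same disk key; the encrypted filesystem itself is untouched
    key = open_slot(slots[index], old)
    if key is None:
        raise ValueError("old passphrase does not open this slot")
    slots[index] = make_slot(key, new)
```

Because only the small slot records depend on a passphrase, a forgotten or changed phrase never forces re-encryption of the disk.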


