Re: root fs/crypted
I like this. Would it be difficult to modify Debian, so that
upon install, it creates an encrypted root volume and starts
things off the right way?
From: clemens <firstname.lastname@example.org>
To: email@example.com <firstname.lastname@example.org>
Date: Tuesday, May 29, 2001 6:04 PM
Subject: root fs/crypted
>as laws around the globe are forged to weaken personal privacy,
>police knocking on one's door, because of portscanning a
>previously hacked website, and - i don't have to tell those
>of you, who are reading slashdot - as pretty strange things start
>to happen worldwide, i'm getting somewhat nervous about
>my data safety.
>what i'm aiming at, you might ask?
>debian should support a crypted rootfs right out
>of the box.
>i'll try to grasp within a few words, what's necessary to realize this:
>- the international kernel must be introduced as regular
> debian packages.
>- the boot disks need to be modified (just do a losetup
> on some loopdev, and mount that one instead of the realrootdev)
>- of course, there must be an initrd to boot from,
> which accepts authentication information.
> (this ramdisk has to be placed unencrypted on
> the rootfs, so the kernel code has to be circumvented or
> the plain data has to be manually decrypted in usermode
> to be re-encrypted to the original plain data when flushed
> to disk.. easy for ECB mode crypto but harder to
> achieve for CBC mode - creative suggestions welcome)
>- there must be an alternative passphrase, since neither i nor
> any user will be willing to trust one forgettable phrase.
> (how many times have you forgotten your mobile phone pin?)
> suggestion: the actual key will be randomly generated, and
> encrypted twice by two different passphrases/keys - one
> chosen by the user, one randomly generated - useful to write on
> a piece of paper and hide behind the bookshelf.
>(probably i should crosspost to debian-legal. the
>whole non-US issue has been left untouched)
>what do YOU think?
>shall debian be the first(?) privacy enhanced distro?
>^* SAWFASP = searched archives without finding a similar