[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: root fs/crypted

it should also be possible to include basic network support
into the initrd to enable 'entering' a password remote.
we can't support all methods allowed by /etc/network/interfaces
(ppp/wvdial should be omitted..) but static/dhcp/bootp are 
there authorization process could beneath reading /dev/console
also listen on an udp port.
local and remote station must share a secret(key) to allow secure 
communication. a couple of one time pads for maximum security
would be the best.

i don't want to drive through the whole city because someone
accidentally unplugged my box :)

On Wed, May 30, 2001 at 03:01:17AM +0200, clemens wrote:
> as laws around the globe are forged to weak personal privacy, 
> police knocking on one's door, because of portscanning a
> previously hacked website, and - i don't have to tell those
> of you, which are reading slashdot - as pretty strange things start
> to happend worldwide, i'm getting somewhat nervous about
> my data safety.
> what i'm aiming at, you might ask? 
> debian should support a crypted rootfs right out
> of the box.
> i'll try to grasp within a few words, what's necessary to realize this:
> - the international kernel must be introduced as regular 
>   debian packages. 
> - the boot disks needs to be modified (just do a losetup
>   on some loopdev, and mount that one instead of the realrootdev)
> - of course, there must be an initrd to boot from, 
>   which accepts authentication information.
>   (this ramdisk has to be placed unencrypted on 
>    the rootfs, so the kernel code has to be circumwented or
>    the plain data has to be manually decrypted in usermode
>    to be re-encrypted to the original plain data when flushed 
>    to disk.. easy for EBC mode crypto but harder to
>    achieve for CBC mode - creative suggestions welcome)
> - there must be an alternative passphrase, since i nor
>   any user will be willing to trust one forgetable phrase.
>   (how many times have you forgotten your mobil phone pin?)
>   suggestion: the actual key will be random generated, and 
>   encrypted twice by two different passphrases/keys - one 
>   choosen by the user, one random generated - useful to write on 
>   a piece of paper and hide behind the bookshelf.
> (probably i should crosspost to debian-legal. the 
> whole non-US issue has been left untouched)
> what do YOU think?
> shell debian be the first(?) privacy enhanced distro?
> clemens
> ^* SAWFASP = searched archives without finding a similiar 
> posting

Reply to: