
Re: To make unreadable a functional system.



(Sorry if this comes late, but I had trouble getting through the list's
spam filters.)

Sthu Deus:
> 
> Can I make separate passwords (if one is necessary to boot) - for
> accessing the FS and for just booting?

It appears you don't really understand how filesystem encryption
(usually) works. Let me try to explain.

A "normal" system uses the following layers of abstraction:

A filesystem sits on
a partition which is part of
a hard disk.

When encryption comes into play, it looks like the following:

Filesystem
Encryption layer (like dm-crypt, what the Debian Installer uses)
Partition
Hard disk

(I intentionally left out other abstraction layers like RAID and LVM.)

What follows is that the complete filesystem is unavailable to the
operating system until someone unlocks the encryption layer. The
filesystem itself is completely unaware of the whole process and there's
no way to give users different permissions concerning the encryption
layer. Either the filesystem is readable (and therefore mountable), or
it's not.

(Sidenote: when using LUKS it is possible to give [and revoke] different
passwords to different users which all can be used to unlock access to
the filesystem.)

What should be clear by now as well: you cannot encrypt a filesystem
retroactively, because technically the filesystem isn't encrypted at
all. Encryption is just another layer between the filesystem and the
physical device. If you want your data to be encrypted, you have to
remove the filesystem, add the encryption layer and recreate the
filesystem on top of it.

J.
-- 
If I was a supermodel I would give all my cocaine to the socially
excluded.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>



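The layering J. describes, as an added example that is not part of the post
above and not dm-crypt/LUKS code. It is a runnable toy model of the three
points made there: the filesystem only ever sees a device with read/write
sectors and cannot tell a plain partition from an unlocked mapping; unlocking
is all-or-nothing, with several LUKS-style passphrase slots each wrapping the
same master key (add one, revoke one); and "retroactive" encryption means
copying data off, putting the layer underneath, recreating the filesystem and
copying back. Everything here is an assumption for illustration: the
32-byte "sectors", the HMAC-SHA256 keystream standing in for AES-XTS (it reuses
keystream when a sector is rewritten, so it is not a real cipher), key slots
kept in memory instead of an on-disk LUKS header, the names ToyFS/CryptLayer/
Mapping, and the constructed passphrases and file contents.

```python
import hashlib
import hmac
import os

SECTOR, SECTORS = 32, 8  # toy geometry, an assumption for the example
FS_MAGIC = b"TOYFS\0"

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _derive(passphrase, salt):  # slow KDF, like LUKS's PBKDF2 / argon2
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 10_000, 32)

class Partition:  # bottom layer: flat sectors, ignorant of keys and files
    def __init__(self):
        self.data = bytearray(SECTORS * SECTOR)
    def read(self, n):
        return bytes(self.data[n * SECTOR:(n + 1) * SECTOR])
    def write(self, n, buf):
        self.data[n * SECTOR:(n + 1) * SECTOR] = buf.ljust(SECTOR, b"\0")

class Mapping:  # unlocked view (/dev/mapper/<name>): same interface as Partition
    def __init__(self, backing, master):
        self.backing, self.master = backing, master
    def _pad(self, n):  # per-sector keystream, sector number as tweak (toy stand-in for AES-XTS)
        return hmac.new(self.master, n.to_bytes(8, "big"), hashlib.sha256).digest()
    def read(self, n):
        return _xor(self.backing.read(n), self._pad(n))
    def write(self, n, buf):
        self.backing.write(n, _xor(buf.ljust(SECTOR, b"\0"), self._pad(n)))

class CryptLayer:
    """LUKS-like: one random master key encrypts every sector; each passphrase slot
    wraps that same key, so any slot opens the device and deleting one slot leaves the
    others working.  Slots live in memory here; LUKS keeps them in an on-disk header."""
    def __init__(self, backing, passphrase):
        self.backing, self.slots = backing, {}
        master = os.urandom(32)
        self.digest = hashlib.sha256(master).digest()  # lets open() verify a candidate key
        self._add_slot(master, passphrase)  # the clear master key is not retained
    def _add_slot(self, master, passphrase):
        salt, slot = os.urandom(16), max(self.slots, default=-1) + 1
        self.slots[slot] = (salt, _xor(master, _derive(passphrase, salt)))
        return slot
    def _unwrap(self, passphrase):
        for salt, wrapped in self.slots.values():
            cand = _xor(wrapped, _derive(passphrase, salt))
            if hmac.compare_digest(hashlib.sha256(cand).digest(), self.digest):
                return cand
        return None
    def add_key(self, existing, new):  # luksAddKey: an existing passphrase must open a slot
        master = self._unwrap(existing)
        if master is None:
            raise PermissionError("existing passphrase opens no slot")
        return self._add_slot(master, new)
    def open(self, passphrase):  # cryptsetup open: a Mapping, or None if no slot matches
        master = self._unwrap(passphrase)
        return None if master is None else Mapping(self.backing, master)

# Top layer: sector 0 holds FS_MAGIC, sectors 1.. hold b"name\0data"; it only calls read()/write().
def fs_format(dev):
    for n in range(SECTORS):  # rewrites every sector of whatever device it is handed
        dev.write(n, FS_MAGIC if n == 0 else b"")

def fs_mount(dev):
    if not dev.read(0).startswith(FS_MAGIC):
        raise ValueError("no filesystem found on device")
    entries = [dev.read(n).rstrip(b"\0") for n in range(1, SECTORS)]
    return {n.decode(): d for n, d in (e.split(b"\0", 1) for e in entries if e)}

def fs_write(dev, name, data):
    for n in range(1, SECTORS):
        if not dev.read(n).rstrip(b"\0"):
            return dev.write(n, name.encode() + b"\0" + data)
    raise OSError("no space left on device")

def encrypt_existing_partition(part, passphrase):
    # The post's recipe: copy data off, add the layer underneath, recreate the FS, copy back.
    saved = fs_mount(part)                 # read while the filesystem is still plain
    layer = CryptLayer(part, passphrase)
    dev = layer.open(passphrase)
    fs_format(dev)                         # every plaintext sector overwritten through the mapping
    for name, data in saved.items():
        fs_write(dev, name, data)
    return layer

def demo():
    part = Partition()
    fs_format(part)
    fs_write(part, "notes.txt", b"pre-encryption data")   # constructed sample content
    layer = encrypt_existing_partition(part, b"alice-pass")
    r = {"raw_has_fs": part.read(0).startswith(FS_MAGIC),      # blkid-style probe of raw sectors
         "plaintext_on_disk": b"pre-encryption" in bytes(part.data),
         "wrong_pass_opens": layer.open(b"guess") is not None}
    layer.add_key(b"alice-pass", b"bob-pass")   # second user, same filesystem
    r["bob_reads"] = fs_mount(layer.open(b"bob-pass"))["notes.txt"]
    del layer.slots[0]                          # luksKillSlot equivalent: revoke alice
    r["alice_after_revoke"] = layer.open(b"alice-pass") is not None
    r["bob_after_revoke"] = fs_mount(layer.open(b"bob-pass"))["notes.txt"]
    return r
```

Running demo() shows the raw partition carrying neither the filesystem magic
nor any plaintext, a wrong passphrase opening nothing, both passphrases
reaching the same file, and alice locked out after her slot is deleted while
bob still mounts the filesystem. The real-world equivalents are cryptsetup
luksFormat / luksAddKey / luksKillSlot / open on the partition, followed by
mkfs and mount on the /dev/mapper device.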