Am Mo, den 20.09.2004 schrieb Dalibor Malek um 0:39:
Is it possible to somehow encrypt the whole hard disk in a manner that the whole system, copying(from my scripts) and so on have full access, but if someone wants to connect to the machine this is not granted except he knows the right password(I know this is already done with ssh1), but also if some one opens a terminal he muss give in the password to access all files.
I do not understand this part of your posting. Besides ssh1 is obsolete and you should always use ssh protocol 2, Linux always requires authentication for a login process. Someone who is able to open up a terminal has already authenticated. Or what case do you mean?
The same should be if someone wants to copy the hard disk, only if he knows the password he can succeed else the only thing he gets is garbage. Is there something like that?
The kernel 2.6 meanwhile has encryption modules by default, so does the Fedora Core 2 kernel. Recently on the developer list was a discussion about how to use this with device-mapper to have a totally encrypted system.
I have a couple of partitioned encrypted with device mapper and the 2.6 kernel encrypting file system. I may be wrong but i do not think it can encrypt an entire hard disk but only the individual partitions in the hard disk. The partition information is still not encrypted. It appears to be to me (as a mere user) simply an enryption layer underneath a normal file system.
As such I do not think it encrypts the swap partition (which is a potential security flaw) and I don't know how to get it to encrypt the boot partition (as the boot image needs to be readable to load then it needs to be able to decrypt the other file systems).
In my situation I am not overly concerned about these deficiencies. In fact I do not want to encrypt the OS incase I need to boot from the repair disk and fix the OS. Howevert if there are any pointers how to overcome the deficiencies I would be interested in reading them.
As far as I can tell you need to be superuser to run dm-crypt and mount the resulting filesystems. This means once this is done the data on those filesystems is available for all users with sufficient permissions. This is not what the OP wanted as far as I can interpret. They want it to only be available for one user and hidden from all other users.
Dalibor Malek
Alexander
