Find the answer to your Linux question:
Results 1 to 6 of 6
G'day all, I'm looking for a partition encryption package and I imagine a compatible bootloader to do the following: 1. Encrypt root partition (boot partition can remain unencrypted if it ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jan 2010
    Location
    Sydney, Australia
    Posts
    68

    Suitable partition encryption application


    G'day all,

    I'm looking for a partition encryption package and I imagine a compatible bootloader to do the following:

    1. Encrypt root partition (boot partition can remain unencrypted if it doesn't contain unencrypted "decryption" information)

    2. Encryption/Decryption method should utilize something specific about the hardware it is used on to form its key. This would mean that partitions cannot be unencrypted if the hard drive is moved to different hardware.

    3. There should be no requirement for a password/passphrase to be entered during bootup, so if the server is restarted, no one should need to go to the server's console to enter a passkey.

    I've read a few tutorials regarding encryption of the rootfs, they refer to a passkey for encryption...my concern with this is the drives can still be removed from the current hardware and installed into other hardware and still boot...or am I wrong about this?

    I'm hoping that I can use something specific about the hardware (eg BIOS serial number) so the hard drives can't be removed and installed in another server.

    I understand there could be a performance hit with this, that is acceptable as all common tasks are cached so this shouldn't be too much of a burden.

    I look forward to your suggestions.

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Quote Originally Posted by r31griffo View Post
    G'day all,

    I'm looking for a partition encryption package and I imagine a compatible bootloader to do the following:

    1. Encrypt root partition (boot partition can remain unencrypted if it doesn't contain unencrypted "decryption" information)

    2. Encryption/Decryption method should utilize something specific about the hardware it is used on to form its key. This would mean that partitions cannot be unencrypted if the hard drive is moved to different hardware.

    3. There should be no requirement for a password/passphrase to be entered during bootup, so if the server is restarted, no one should need to go to the server's console to enter a passkey.

    I've read a few tutorials regarding encryption of the rootfs, they refer to a passkey for encryption...my concern with this is the drives can still be removed from the current hardware and installed into other hardware and still boot...or am I wrong about this?

    I'm hoping that I can use something specific about the hardware (eg BIOS serial number) so the hard drives can't be removed and installed in another server.

    I understand there could be a performance hit with this, that is acceptable as all common tasks are cached so this shouldn't be too much of a burden.

    I look forward to your suggestions.
    You could try using LUKS/cryptsetup, all major distros support it in their installation wizards. You can encrypt your root fs with it, no prob. Yes, there is a passkey associated with the encrypted volume, but this passkey protects the data no matter where the disks are placed (unless someone has access to a Tardis and a quantum computer).

    If you want non-interactive boot with an encrypted root filesystem, that is tricky. I'll bet you could do it with a customized initrd (initial ramdisk) using a LUKS keyfile, though.

    If you truly desire hardware-based encryption, you can purchase a hard disk that has encryption built in. The HDD vendors use different nomenclature to refer to it, but basically it is Full Disk Encryption or something like that. Costs a little extra, but is worth the piece of mind to many.
    Last edited by atreyu; 08-21-2012 at 04:19 AM. Reason: format

  3. #3
    Just Joined!
    Join Date
    Jan 2010
    Location
    Sydney, Australia
    Posts
    68
    As always Atreyu, you are a wealth of knowledge. You've answered a few of my queries on this forum, I hope to be able to repay the favour one day. I think I remember your responses mainly due to your handle...I'm curious, would I be correct in saying it was inspired from a character or a band?

    I had Googled this for a while before submitting the question, I'm afraid all of the functionality I'm looking for might not exist in any well known Linux packages.

    LUKS did come up on nearly all of my searches, would you know of any way that the LUKS keyfile could be substituded for some sort of hardware variable...like vendor/hardware IDs or serial numbers?

    A customized initrd is intriguing but it sounds like it might be beyond my technical ability...atleast for now. For curiousity sake, is there a particular tutorial or informational guide you find really helpful for this (Debian based)? I might do a quick Google and see what I find.

    A non-interactive boot would have to be implemented, the reason for this is if I need to perform a restart remotely or in case of power being restored to the server, it will need to be able to come up by itself.

    I might be over thinking this project however, your idea for built-in encryption on the HDD might actually be the way to go if I can't find a package that fills all my requirements. The extra cost in this case is well worth it.

    Each vendor probably implements this in a different way but if there is a way to lock the encryption to the hardware using this would be my problem solved.
    Last edited by r31griffo; 08-21-2012 at 08:25 AM. Reason: spelling

  4. #4
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Quote Originally Posted by r31griffo View Post
    I think I remember your responses mainly due to your handle...I'm curious, would I be correct in saying it was inspired from a character or a band?
    The character, definitely the character. That band is not my cup of tea. If I want rock from the dark side, I lean more towards Maynard and company.

    LUKS did come up on nearly all of my searches, would you know of any way that the LUKS keyfile could be substituded for some sort of hardware variable...like vendor/hardware IDs or serial numbers?
    you could get the serial number from the BIOS (if your hardware has one) using dmidecode. Then have the keyfile filename be based upon that serial number. I did very nearly the same thing once, only using a live CD.

    A customized initrd is intriguing but it sounds like it might be beyond my technical ability...atleast for now. For curiousity sake, is there a particular tutorial or informational guide you find really helpful for this (Debian based)? I might do a quick Google and see what I find.

    A non-interactive boot would have to be implemented, the reason for this is if I need to perform a restart remotely or in case of power being restored to the server, it will need to be able to come up by itself.
    Check out this Debian-specific tutorial. It might point you in the right direction:

    Passwordless Encrypted Root in Debian

    I might be over thinking this project however, your idea for built-in encryption on the HDD might actually be the way to go if I can't find a package that fills all my requirements. The extra cost in this case is well worth it.

    Each vendor probably implements this in a different way but if there is a way to lock the encryption to the hardware using this would be my problem solved.
    You'd still have to worry about where to put the keyfiles, assuming that the on-disk encryption supports that.

  5. #5
    Just Joined!
    Join Date
    Jan 2010
    Location
    Sydney, Australia
    Posts
    68
    I was always keen on Tool. Infact I saw Tool live in Sydney (Australia) when they came here after the Lateralus album release, it must be getting close to 10 years ago now. I had the chance to meet Maynard during a signing of APC's first album, I don't know if it was epic jet lag or he was celerbrating with some local gear but whatever the cause, he was not a very pleasant person to speak to.

    I saw a Youtube clip a few weeks ago about Maynard now running a winery (called Caduceus Cellars).

    File name, that's exactly how this will have to be tied in...I'll have to do some reading to understand LUKS fully. Tied in with the custom initrd you suggested I think this is the solution.

    I will do some reading tomorrow, I'd like to understand the 2 concepts fully before I begin when I think I've got a plan of attack, I'll setup a VM and do some testing.

    Thanks with your help on this, it is very appreciated.

  6. #6
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Quote Originally Posted by r31griffo View Post
    I was always keen on Tool. Infact I saw Tool live in Sydney (Australia) when they came here after the Lateralus album release, it must be getting close to 10 years ago now. I had the chance to meet Maynard during a signing of APC's first album, I don't know if it was epic jet lag or he was celerbrating with some local gear but whatever the cause, he was not a very pleasant person to speak to.
    LOL!

    File name, that's exactly how this will have to be tied in...I'll have to do some reading to understand LUKS fully. Tied in with the custom initrd you suggested I think this is the solution.

    I will do some reading tomorrow, I'd like to understand the 2 concepts fully before I begin when I think I've got a plan of attack, I'll setup a VM and do some testing.
    Good luck, and great idea w/the VM.

    Thanks with your help on this, it is very appreciated.
    You're welcome, and be sure to post your solutions back here - others will surely be interested.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •