Re: Extreme Security Suggestions?
Timothy Hospedales: Which leaves the option of having a dedicated physical drive and unplugging it when I leave. But that is annoying since I would have to leave my machine open all the time. You can get `drawers' for hard disks that let you slide the HDD in and out a slot on the front of the machine. HTH Jiri -- [EMAIL PROTECTED] We'll know the future has arrived when every mailer transparently quotes lines that begin with From , but no-one remembers why.
Re: Extreme Security Suggestions?
Timothy Hospedales: I am wondering what is the recommended way to secure a sizeable volume (0.5-2GB) of confidential data such that it is non-retreivable/unusable even in the event that a hacker has gained user level or shudder root access? Removable harddisk? Hardware encryption? If a hacker can repeatedly gain root access, theoretically there's not much you can do, because he can subvert the mount program (or whatever asks for the passwords) and md5 (or whatever is used to check integrity). If you are worried about the disk being stolen, encrypted FS should do the trick (unless the password can be obtained some other way). Probably the best way to secure it would be to have the confidential data on a machine that is well secured and not on the network. Jiri -- [EMAIL PROTECTED] We'll know the future has arrived when every mailer transparently quotes lines that begin with From , but no-one remembers why.
Re: Extreme Security Suggestions?
Hi, I am wondering what is the recommended way to secure a sizeable volume (0.5-2GB ) of confidential data such that it is non-retreivable/unusable even in the event that a hacker has gained user level or shudder root access? I have thought of some kind of encryption; but I haven't seen anything fast enough to make that practical given that I would have to re-encrypt the whole data set after working on it. I also thought of simply having a dedicated partition for the data in question and unmounting it when I leave the machine. But I suppose a hacker with root access could easily remount it. Which leaves the option of having a dedicated physical drive and unplugging it when I leave. But that is annoying since I would have to leave my machine open all the time. :(. So any other suggestions, comments? The best option that I know about is the Cryptographic File System. When mounted you can't tell the difference between it and any other type of file system; but if you haven't got it mounted - the data is encrypted (equivilent to PGP I think in quality) You used to be able to get it from the Non-US archive. I don't know if you still can though. Jolyon
RE: Extreme Security Suggestions?
Hi, Probably isn't a goot idea (I really believe that there is a better software solution), but have you considered some removable storing device, like jazz drive from iomega? I only saying this since you have considered having a dedicated hard drive. Paulo. Timothy Hospedales writes: Hi, I am wondering what is the recommended way to secure a sizeable volume (0.5-2GB ) of confidential data such that it is non-retreivable/unusable even in the event that a hacker has gained user level or shudder root access? I have thought of some kind of encryption; but I haven't seen anything fast enough to make that practical given that I would have to re-encrypt the whole data set after working on it. I also thought of simply having a dedicated partition for the data in question and unmounting it when I leave the machine. But I suppose a hacker with root access could easily remount it. Which leaves the option of having a dedicated physical drive and unplugging it when I leave. But that is annoying since I would have to leave my machine open all the time. :(. So any other suggestions, comments? Thanks! Timothy PS: I have no intention of letting a hacker gain access to my machine; but its nice to be prepared for the worst. ;). -- E-Mail: Timothy Hospedales [EMAIL PROTECTED] Date: 05-Feb-99 Time: 00:47:27 This message was sent by XFMail -- -- Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null
Re: Extreme Security Suggestions?
Jolyon Suthers dixit: The best option that I know about is the Cryptographic File System. When mounted you can't tell the difference between it and any other type of file system; but if you haven't got it mounted - the data is encrypted (equivilent to PGP I think in quality) You used to be able to get it from the Non-US archive. I don't know if you still can though. You can get it from http://www.replay.com/redhat, there's also another improved (?) based on CFS: Transparent Cryptographic File System. They both use, I think, Triple DES (or DES?). I don't think there are any binaries for them, let alone .deb -- Un saludo, Horacio [EMAIL PROTECTED] -- Quis custodiet ipsos custodet? --
Re: Extreme Security Suggestions?
Timothy, There are a few encrypted filesystems for Linux. Ones aimed at distributed filesystems (NFS replacements): - CFS, which has been packaged and is available from non-us.debian.org. - TCFS, http://tcfs.dia.unisa.it/ I used CFS several years ago and it seemed to work well. My only complaint was that triple DES was a bit slow on my 486/33. Another approach which I am currently using involves patching the kernel to provide kernel level encrypted filesystems. I have updated a patch for kernel 2.0.36 which was originally released in 1996 for kernel 2.0.11. I have gotten good results with this using IDEA encryption on systems ranging from a 486/33 to PII-350. There are now encryption patches available for the new 2.2.x kernels. ftp://ftp.kerneli.org/pub/linux/kerneli/v2.2/patch-int-2.2.1.1.gz will add encryption to linux 2.2.1. I have not used this patch yet, but I will give it a try as soon as I update to slink and have a 2.2.x compatible system. When unmounted, the ability to scan the raw partition will not give your cracker any useful information. If they are really determined, they could scan raw /tmp and swap partitions for traces of sensitive data. Whether this is an issue depends on your required security level. When mounted, a root cracker would be able to read the all files on the partition. Mounting the partition requires a passphrase. The kernel approach will require patching and building custom versions of the kernel and mount programs. If you want more detail on these, let me know, John On Fri, Feb 05, 1999 at 12:56:56AM -0400, Timothy Hospedales wrote: Hi, I am wondering what is the recommended way to secure a sizeable volume (0.5-2GB ) of confidential data such that it is non-retreivable/unusable even in the event that a hacker has gained user level or shudder root access?