Creating a encrypted directory during the server installation
Michael Casadevall
sonicmctails at gmail.com
Thu Sep 25 03:37:01 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I've did some work implementing /dev/random in GNU Hurd (yes, yes, I
know :-P). Static bootups are fairly constant, i.e., poor source of
entropy, so that is a major problem. However, it might be possible to
have the user provide or generate entropy (maybe a friendly message
such as "Ubuntu needs to generate entropy to encrypt your files,
please bang on the keyboard like a monkey"), or the ability to provide
a private key from another source like a USB key or something.
Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: http://getfiregpg.org
iEYEARECAAYFAkjbB1wACgkQpblTBJ2i2psm4ACfcjq/0QyAV3PARKIgWmfNpdTy
WKQAni0DPfLwUwW39PVklGZ32wCaS0do
=TGV+
-----END PGP SIGNATURE-----
On Wed, Sep 24, 2008 at 11:28 PM, Kienan Stewart
<kienan.stewart at gmail.com> wrote:
> Hi
>
> I was looking at the wikipedia article on /dev/random and /dev/urandom,
> having previously not used them. The article linked to a paper that analyzed
> the cryptographic procedures of the /dev/random and /dev/urandom in linux.
> The main thing that I took out of paper and the wikipedia article was that
> there was a small concern about the lack of entropy available in /dev/random
> during installs and on livecds. If the key is generated right after a
> reboot, they may not be sufficiently random. I'm not sure, but this could be
> a thing to consider if keys are going to be generated early in the install
> procedure. Would anyone else consider this a concern?
>
> P.S. Sorry if I sent this to someone twice, gmail only replies to the last
> writer and not the list. My apologies.
>>
>> On Tue, Sep 23, 2008 at 3:48 PM, Onno Benschop <onno at itmaze.com.au> wrote:
>>>
>>> On 24/09/08 01:43, Dustin Kirkland wrote:
>>> > That said, let me throw out another perhaps more controversial
>>> > option... What if we didn't ask, and we just provided ~/Private
>>> > encrypted by default? If unspecified, the mount passphrase is
>>> > randomly generated from 128 bits of /dev/urandom. We can do that
>>> > completely entirely and reliably without adding a screen to the
>>> > installer, and provide the system administrator user a secure,
>>> > encrypted location to drop critical data by default on any Ubuntu
>>> > Server
>>> When I saw the previous posts come past I wondered if this wasn't a
>>> better option. Leading by example.
>>>
>>> I'm not familiar with how it's created, but could it be "built-in" as
>>> you suggest and be created when an account is made as part of the
>>> adduser process?
>>>
>>> Could the (initial) pass-phrase be the user's login password?
>>>
>>>
>>> --
>>> Onno Benschop
>>>
>>> Connected via Optus B3 at S31°54'06" - E115°50'39" (Yokine, WA)
>>> --
>>> ()/)/)() ..ASCII for Onno..
>>> |>>? ..EBCDIC for Onno..
>>> --- -. -. --- ..Morse for Onno..
>>>
>>> ITmaze - ABN: 56 178 057 063 - ph: 04 1219 8888 -
>>> onno at itmaze.com.au
>>>
>>>
>>>
>>> --
>>> ubuntu-server mailing list
>>> ubuntu-server at lists.ubuntu.com
>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
>>> More info: https://wiki.ubuntu.com/ServerTeam
>>
>
>
> --
> ubuntu-server mailing list
> ubuntu-server at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
> More info: https://wiki.ubuntu.com/ServerTeam
>
More information about the ubuntu-server
mailing list