Root! Root! Root!

Lee Braiden lee_b at digitalunleashed.com
Sat Aug 27 09:07:40 UTC 2005


On Saturday 27 August 2005 08:13, devaude wrote:
> Hi,
> the thing with the Grub Password or the BIOS password is not really
> secure...

No, it's not.  A BIOS password is a useful way to keep people from booting a 
CD, as long as you're in the room to make sure they don't disassemble the 
machine.  Apart from that, it's pretty useless.

Personally, I wouldn't bother with a grub password at all.  Again, it might be 
useful in a classroom/work situation, where you want to have easy access to a 
"recovery kernel" or "safe mode", without allowing users to choose that when 
they boot the machine.  But if you were doing that, encrypting the filesystem 
would be very awkward.

> I have a notebook with a crypto filesystem. During the boot you have to
> enter the Passphrase of the Crypto Device. If you enter a wrong passwd
> fsck fails on this system and the checkfs script does a sulogin (without
> passwd). So you see, even if you protected the boot loader, that it can
> only load the default system without passwd, I have only to type a
> wrong passphrase for crypto device and I am root and the fun begins..

I think the point is that the encrypted device will still be secure.  If 
you're worried that people can decrypt your encrypted filesystem with just 
root access, then you might want to look into multiple layers of encryption 
security, like using a passphrase and carrying the encryption keys with you 
on a flash drive.

I did have similar trouble with AES-loop encryption, if I recall correctly. I 
wish it would retry the password a few times before failing, and then print 
an error message and halt afterwards or something, rather than continuing as 
if everything went OK :/

-- 
Lee Braiden
http://www.DigitalUnleashed.com
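The retry-then-halt behaviour wished for in the message above, as an added example that is not part of the original post or of any distribution's boot scripts. The function name and its five hook arguments are hypothetical; the real unlock, filesystem-check, teardown and halt commands depend on the system and are passed in by the caller.

```shell
#!/bin/sh
# Added example: fail-closed passphrase handling for an encrypted device.
# As in the quoted report, a wrong passphrase may only show up as a failed
# filesystem check, so "unlock" and "check" are separate steps here.
#
# Arguments (all hypothetical hooks supplied by the caller):
#   $1 max_tries     number of passphrase attempts allowed
#   $2 unlock_cmd    prompts for the passphrase and sets up the device
#   $3 check_cmd     verifies the result (for example a filesystem check)
#   $4 teardown_cmd  detaches the device after a failed attempt
#   $5 fail_cmd      what to do when all attempts fail (for example halt)
unlock_or_halt() {
    max_tries=$1
    unlock_cmd=$2
    check_cmd=$3
    teardown_cmd=$4
    fail_cmd=$5

    try=1
    while [ "$try" -le "$max_tries" ]; do
        # Success requires both steps: the device was set up AND the
        # data on it passes the check.
        if $unlock_cmd && $check_cmd; then
            return 0
        fi

        # Detach the wrongly keyed device before asking again. The
        # teardown may fail if unlock never attached anything.
        $teardown_cmd || true

        echo "Unlock failed (attempt $try of $max_tries)" >&2
        try=$((try + 1))
    done

    # Fail closed: report the error and run the failure action instead
    # of continuing the boot or dropping to a maintenance shell.
    echo "Encrypted device not unlocked after $max_tries attempts" >&2
    $fail_cmd
    return 1
}
```
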


More information about the ubuntu-users mailing list