Bind ubuntu to hard drive.
matthew.flaschen at gatech.edu
Sun Mar 25 11:20:20 UTC 2007
TwinZ Ubuntu Mailing List wrote:
> Step one: by using a completely encrypted file system (root as well).
> Surely, dd would be able to do a bit-by-bit copy, but they'd end up with a
> hard drive with encrypted files in it and could not just read them by
> mounting the drive to another system. Right?
They could not read the data /at all/, without the passphrase (or
whatever decryption means you use).
> Step two: binding the installation to the hard drive serial. Even if one
> made a bit-by-bit copy the new drive would have a different serial and -in
> theory- would not boot. Right? Haven't figured out how to exactly implement
> this one, here are a few thoughts.
This is both impossible, and pointless.
1. The drive won't boot if it's completely encrypted.
2. It doesn't matter whether it boots if all the data is encrypted.
> - I need a similar command like the " label " or " vol " used in dos to
> extract the drive's serial somehow. I could start from there.
You can find the serial by running:
. There may be a simpler way to do this
> - Is there a way (startup script maybe) to have the OS loader check the
> drive's serial and prevent startup in case of a mismatch?
This script couldn't run, because it would be *encrypted* (along with
the rest of the drive) and the attacker wouldn't have the password to
decrypt it. If they *did* have the password, they could just remove the
script then boot the drive.
> (well, unless they find a
> way to get around LUKS encryption first somehow).
That is your only issue. If you have concerns, you may want to use
multiple layers of encryption, but the other solution you're proposing
simply won't work.