it should also be possible to include basic network support into the initrd to enable 'entering' a password remote. we can't support all methods allowed by /etc/network/interfaces (ppp/wvdial should be omitted..) but static/dhcp/bootp are possible. there authorization process could beneath reading /dev/console also listen on an udp port. local and remote station must share a secret(key) to allow secure communication. a couple of one time pads for maximum security would be the best.
i don't want to drive through the whole city because someone accidentally unplugged my box :) On Wed, May 30, 2001 at 03:01:17AM +0200, clemens wrote: > > SAWFASP^* > > as laws around the globe are forged to weak personal privacy, > police knocking on one's door, because of portscanning a > previously hacked website, and - i don't have to tell those > of you, which are reading slashdot - as pretty strange things start > to happend worldwide, i'm getting somewhat nervous about > my data safety. > > what i'm aiming at, you might ask? > debian should support a crypted rootfs right out > of the box. > > i'll try to grasp within a few words, what's necessary to realize this: > > - the international kernel must be introduced as regular > debian packages. > - the boot disks needs to be modified (just do a losetup > on some loopdev, and mount that one instead of the realrootdev) > - of course, there must be an initrd to boot from, > which accepts authentication information. > (this ramdisk has to be placed unencrypted on > the rootfs, so the kernel code has to be circumwented or > the plain data has to be manually decrypted in usermode > to be re-encrypted to the original plain data when flushed > to disk.. easy for EBC mode crypto but harder to > achieve for CBC mode - creative suggestions welcome) > - there must be an alternative passphrase, since i nor > any user will be willing to trust one forgetable phrase. > (how many times have you forgotten your mobil phone pin?) > suggestion: the actual key will be random generated, and > encrypted twice by two different passphrases/keys - one > choosen by the user, one random generated - useful to write on > a piece of paper and hide behind the bookshelf. > > (probably i should crosspost to debian-legal. the > whole non-US issue has been left untouched) > > what do YOU think? > shell debian be the first(?) privacy enhanced distro? > > clemens > > ^* SAWFASP = searched archives without finding a similiar > posting
