[dundee] LVM and disk encryption

garryg gargul1969 at gmail.com
Sun Sep 26 19:56:37 UTC 2010


Alright there Lee,

i was a bit puzzled by your response re:

> I've done a lot with encryption + lvm and it's a pain in the ass?

it's the question mark you put in that's confusing me. I agree that
getting the hang of lvm was a pain in the ass indeed and it took me
some time, but i reckon i've got the hang of it/a basic grasp of it
for now. As for the encryption side of things, i had a shifty at a few
blogs and how-to pages and for the moment using the alternate install
cd for Ubuntu Karmic seems to be the easiest way for me to encrypt my
entire drive. I started with just encrypting my /home partition, but
that way, if my laptop gets nicked it will still be physically
accessible, whereas, if i'm correct in my understanding, if the hard
drive is encrypted along with the bios being password protected it
should be locked down completely and of no use to anyone - or at the
very least of no use to the average user like myself who wouldn't know
where to start to try to gain access - is that the case or am i
talking a lot of bollocks here?

As for what directories may be visible to possible attackers etc, i'm
afraid that's over my head mate (i'm still struggling big time trying
to understand the various directory and file alerts/warnings visible
to myself that show up in security reports from Tiger, rkhunter and
tripwire, let alone what may be visible to a potential attacker!). I
was under the impression that the main benefit of encrypting your
entire drive was that it would be exactly that: encrypted and
therefore inaccessible without the key - granted, when you're not online
that is. When i am online i try to do everything through a virtual
machine though, which i thought/think would cut down on my chances of
being exposed to any attacks and would increase system security in
general. Again though, am i way off course with my understanding of
things here?

As for recovering from a corrupted hard drive, that issue doesn't
worry me so much as any data of import i have is all backed up on
external media and very, very rarely saved to my hard drive, so if
worst came to worst i'd just do a fresh install.

All said and done, i'd be very interested to hear back from you re any
tips, tricks and links re drive encryption and if, overall, it really
does afford you any significant degree of extra security or not. It
seems every time i think i'm getting a handle on something i find it's
covered in grease and the old saying 'a little bit of knowledge is a
dangerous thing' (something along those lines) comes back to haunt me.

Take it easy,

Garry.



>
> Message: 5
> Date: Thu, 23 Sep 2010 22:22:15 +0000 (GMT)
> From: Lee Hughes <toxicnaan at yahoo.co.uk>
> Subject: Re: [dundee] a few questions re LVM, filesystems and VBox
> To: Tayside Linux User Group <dundee at lists.lug.org.uk>
> Message-ID: <881874.78624.qm at web29012.mail.ird.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> I've done a lot with encryption + lvm and it's a pain in the ass?
>
> have you thought about using the new feature and just encrypting your home
> directory?
>
> it's just do you really want to encrypt your whole drive, i mean, lots of people
> have the contents of your /bin
> dir!!! :-) it may even make cryptographic attacks easier ;-).
>
> there are a few downsides, attackers could see your /var, but on the upside, you
> can probably recover from a corrupted hard drive
> easier, than with a crypto drive.
>
> pros and cons...but if you really must do the whole drive, then let me know
> and I'll give you a heads up
>
> Cheers,
> Lee
> 3rd year comp sci.
> somewhere in the dataverse
>
>
> p.s. must make my return soon, watch out.
>
>
>
> ________________________________
> From: gordon dunlop <zubenel at fedoraproject.org>
> To: Tayside Linux User Group <dundee at lists.lug.org.uk>
> Sent: Thu, 23 September, 2010 21:13:02
> Subject: Re: [dundee] a few questions re LVM, filesystems and VBox
>
>
>
>
> On 23 September 2010 09:02, garryg <gargul1969 at gmail.com> wrote:
>
>>Morning folks,
>>
>>I have a few questions for y'all and hope someone/anyone can help
>>clear things up for me. I'll try to be as brief as poss.
>>
>>1) I've installed Ubuntu 9.10 using the alternate install cd so i
>>could encrypt my hard drive and then partition using the LVM - that's
>>all fine. After install, i can create new logical volumes ok but when
>>mounted i only have ro permissions as group owner is root (still don't
>>quite get that one when the LVs were created using my root pwd -
>>another time for that one). Anyway, once the new LVs are mounted i can
>>(re)format each LV using Ubuntu's Palimpsest Disk Utility and take
>>ownership of the filesystem that way, getting me both read and write
>>permissions. It just seems a pretty round about way of getting there
>>and I'm pretty sure after a scan of lvm2 documentation that doing this
>>would probably be a lot simpler from the command line, but i ain't
>>there yet... So, basically, am i ok using this method to create new
>>LVs or am i storing up future trouble for myself here by mixing lvm
>>and disk utility to achieve my ends?
>>
> I will handle 1 & 3 together. Best thing for me to do is give you an example
> overview.
>
> LVM, mount points & fstab:
>
> On installing your distro create your logical volumes with mount points, a bit
> like physical partitions with the added facility of having your own naming
> nomenclature for further logical volumes. e.g.
>
> lvol1   /
> lvol2   /home
> lvol3   /var
> lvol4   /vm
>
> Entries would be automatically written in the /etc/fstab file for mounting these
> logical volumes at boot. If a new logical volume was then created with mount
> point /backup then an entry will have to be made in the fstab file for this
> logical volume to be mounted at boot time. If you wanted it mounted after fstab
> entry without re-booting do a "mount -a" command. If you do not want a logical
> volume to mount at boot time just do manual mounting like what you are doing
> now.
>
> Permissions:
>
> After the creation of the logical volumes as defined above, all volumes and
> directories, with the exception of the directory garry in the /home volume, will
> be designated as having root permissions which is standard Linux policy and
> maintains the security of the system. Permissions and read/write modes can be
> changed using super user status in the command line i.e. sudo for Ubuntu and
> using the chown, chgrp & chmod commands.
>
> So the easiest thing to do is to create a directory e.g. machines (for storing
> your virtual images) in lvol4 (/vm) using sudo on the command line and then
> change the user and group to garry with read/write permissions.
>
> I hope this explains things.
>
>
>>2) I wanna do a fresh install to get things ready for starting my OU
>>course next month and wanna make a bunch of LVs for VMs as trying
>>out/working with different distros is part of the course work i
>>believe. However, the newest version of vbox (3.2.8 - not the ose)
>>tells me it doesn't like being used on an ext4 fs. So, should i make
>>them ext2 or ext3 or does it not really matter? Oh, thanks for the nod
>>Gordon re using the most up-to-date version as i can get USB support
>>no prob now which makes a big difference - i may even finally be able
>>to get that damn dongle working through a hawk, spit, windows distro
>>in a VM (i've tried and tried but just can't get it to work with
>>Ubuntu unfortunately - i know it can be done but it's beyond me the
>>now).
>>
>>
> There have been some problems with this new Virtualbox version and host ext4
> systems, have a look here:
>
> http://forum.virtualbox.org/viewtopic.php?f=1&p=150220
>
> I have had no problem with guest ext4 systems with this version.
>
> Gordon
>
>>3) mount points: when creating a new partition(s) - LV or otherwise -
>>should i be assigning mount points or is it ok to just mount when
>>required as if they're external media? That's what i've been doing so
>>far (they just get mounted at /media and all seems to work fine for me
>>this way. Again though, i wonder if i'm storing up trouble going about
>>things in this fashion?
>>
>>Ok, i'll leave it at that for now. Any and all input will be very much
>>appreciated indeed. Thanks.
>>
>>Cheers,
>>
>>Garry.
>>
>
>
>
>
>
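
The question running through this thread, which directories stay readable from the raw disk and which sit behind the encryption key, can be checked on a running system. The following is an added example, not part of the original messages: it parses `lsblk -J -o NAME,TYPE,MOUNTPOINT` output and reports which mount points have a dm-crypt layer beneath them. The sample layout and volume names are constructed, and it only sees block-layer encryption, not file-level home-directory encryption.

```python
import json

# Constructed `lsblk -J -o NAME,TYPE,MOUNTPOINT` output for a layout like the one
# discussed: one encrypted container holding an LVM volume group, plus a plain /boot.
SAMPLE = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda5", "type": "part", "mountpoint": null, "children": [
      {"name": "sda5_crypt", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-lvol1", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-lvol2", "type": "lvm", "mountpoint": "/home"},
        {"name": "vg-lvol3", "type": "lvm", "mountpoint": "/var"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]}
]}
"""

def classify_mounts(lsblk_json):
    """Map each mount point to True if a dm-crypt layer sits beneath it."""
    result = {}

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        # Newer lsblk versions emit a "mountpoints" list; older ones a single value.
        mounts = node.get("mountpoints") or [node.get("mountpoint")]
        for mp in mounts:
            if mp:
                # A mount point reached by several paths counts as encrypted only if all are.
                result[mp] = under_crypt and result.get(mp, True)
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result

def readable_without_key(lsblk_json):
    """Mount points whose contents can be read from the raw disk without the passphrase."""
    return sorted(mp for mp, enc in classify_mounts(lsblk_json).items() if not enc)

if __name__ == "__main__":
    for mp, enc in sorted(classify_mounts(SAMPLE).items()):
        print(f"{mp:8} {'encrypted' if enc else 'PLAINTEXT'}")
```

On a real machine, pass it the text produced by running the `lsblk` command above in place of `SAMPLE`.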


