This is a discussion on CFS, USB fob, and auto-encrypting... - Help ; On my way home from work today I was trying to figure out a secure and yet handy way of encrypting my laptop's filesystems so that in the event that it is stolen, I know that the perpetrator will never ...
On my way home from work today I was trying to figure out a secure and
yet handy way of encrypting my laptop's filesystems so that in the event
that it is stolen, I know that the perpetrator will never see my files.
Here's what I came up with followed up with some questions that I hope
to get answers for. I would like to use a USB fob ("thumb" drive) to
store the cryptographic keys used by an encrypted filesystem drivers.
The plan would be to only encrypt my /home partition and my /usr/local
partition using either CFS or TCFS. I would like for my user account to
not be useable unless the USB fob is inserted. I want to have to insert
the FOB, login with my username and password, and have my encrypted
filesystems mounted at login. I would also like to set it up so that
all I have to do is yank the fob out and my encrypted partitions would
be unmounted (re-encrypted) and my account logged off.
I'm quite familiar with linux (7 years of experience) but since this is
my first laptop, I've never really dealt with hardening a system against
mallicous users with physical access to the system. I'm not too
familiar with CFS, is it possible to store the CFS keys in another
filesystem like a USB fob? How would I have to modify the login system
so that it would run a script to unlock and mount the encrypted
filesystem so that the log in procedure can procede (running .profile
One way I was thinking about doing this was to have my /home/me be the
mount point for my home directory partition. I would put the files
necessary to grab the keys from the fob then unlock and mount my
encrypted file system in the /home/me directory. That way I could log
in, my shell would execute the .profile in /home/me which would check
for the fob, get the keys and then mount the encrypted partition at
when the .profile was done, the encrypted filesystem would be decrypted
and in place at /home/me. I would also have a script that gets run when
the fob is disconnected that would do the reverse, unmount the encrypted
partition and then log me out.
Ideas, suggestions? Thanks.