Security question

[JD Runyan]

On Wed, Feb ,  at 04:56:24PM -0600, Brian Densmore wrote:
> Yep,
>  That's pretty much what I was thinking. I did notice the encryption
> howto
> was just updated this month. I don't really have an issue, but was
> thinking 
> about it because of the work I am doing on the distro. I mean all you
> have to do to get to someone's files is boot from another disk and mount
> the partitions. Not something that can be done without physical access,
> and
> possibly a screwdriver or some other tool. Of course we probably won't
> be 
> able to use encrypted filesystems, since M$ now has a patent on
> encrypted
> OSes. I could see using an encrypted fs only on the most sensitive of
> devices, (like military/gov't).
> 
nah even us govies don't use encrypted file systems often.  The military 
maybe.  We use big expensive proprietary systems.  On most UNIX systems 
you have to tell the machine what to boot from while in the OS as root.
If you need to do otherwise you must enter a maintenance mode, and that 
can be secured with a key on a lot of machines.  Many of the newer systems 
use a software switch, and you can add a password to it to achieve this.  The 
closest  you can get to this with commodity Intel hardware is to buy a locking 
device (hardware) for the drives, and change the bios to allow only the boot
device you want.  I would also put a password on the bios.  This gives you a 
2 front defense.  The person can't use the drives physically, and they have
to mess with jumpers to clear the password.  You can buy expensive Intel
hardware that will do the job similarly from IBM, and I'm sure some others.
-- 
JD Runyan
Mid-Range Systems Administrator
USDA NITC Kansas City