Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 35

Thread: HOWTO: Password protect your GRUB entries

  1. #21
    Join Date
    Dec 2009
    Beans
    184
    Distro
    Ubuntu 13.04 Raring Ringtail

    Plausible deniability; menu.lst

    I've found that if you set bootsplash to an invalidly formatted image, GRUB will produce a blank screen until it boots the OS. That hack, combined with a password, provides plausible deniability similar to what the TrueCrypt Windows-only bootloader features.

    Quote Originally Posted by supertails View Post
    What if I don't have menu.lst?
    Then you have either grub.conf or grub.cfg. The latter's format differs from menu.lst, but it is similar enough to work.

  2. #22
    Join Date
    Jan 2009
    Beans
    3,964
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: HOWTO: Password protect your GRUB entries

    Yeah to change your grub config do:
    Code:
    gksu gedit /boot/grub/grub.cfg

  3. #23
    Join Date
    Sep 2008
    Location
    Albany, NY, USA
    Beans
    53
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Password protect your GRUB entries

    Quote Originally Posted by Crowder View Post
    I don't mean to be "THAT GUY," but I don't think all this crazy encryption & password stuff is really all that necessary. Truth be told, I found this thread only because I saw the password line in Grub while I was adding XP to my boot list and was curious about it.

    So here's the reason I'm posting - I have a question.

    Why not just set a BIOS hardware password? That way, you have to enter a master password before the computer even begins the process of booting. I've heard it can be reversed by some kind of switch on the motherboard, but I really don't think anyone would ever go to the trouble of opening up my computer. I also don't think anyone will ever rip the hard drive out in order to see my data, so I see no point in encrypting it. I mean, this isn't the CIA (or is it?).

    I don't mean to bust your balls, but if somebody knows some huge flaw with the BIOS thing I'd be interested to know.
    Anybody? No?
    Thinkpad T61 (6459-CTO) + mods

  4. #24
    Join Date
    Feb 2009
    Location
    /earth/india/mumbai
    Beans
    592
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: HOWTO: Password protect your GRUB entries

    Thank you for such a useful post..i was really looking for a mechanism to protect the recovery mode option.An md5 hash as password,is definitely very good and strong approach towards securing my system..
    Last edited by satish_j; March 17th, 2010 at 07:38 AM.

  5. #25
    Join Date
    Dec 2009
    Beans
    184
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: HOWTO: Password protect your GRUB entries

    Quote Originally Posted by Crowder View Post
    but if somebody knows some huge flaw with the BIOS thing I'd be interested to know.

    Anybody? No?
    You should determine the necessity of any security measure by the importance of what's being protected and the likelihood of its loss. In case you simply want to keep your kids off the computer, a BIOS password should be enough. Your kids probably aren't sophisticated or determined enough to break that protection; and even if they did, you would incur no great loss.

    I use disk encryption because my computer contains vital passwords and personal data. I know that even in the presence of typical application-level security measures, such as a web browser master password, this data tends to propagate to insecure areas like swap space.

    I know it is relatively unlikely that my computer will be stolen and that the thief will be sophisticated and determined enough to mount my hard drive from outside the operating system it hosts. But the data is so important, because it could damage me so much in the wrong hands, I take the measure of encrypting it. (Anyway, the sophistication required to read my unencrypted hard drive is becoming ever less rare.)

  6. #26
    Join Date
    Sep 2008
    Location
    Albany, NY, USA
    Beans
    53
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Password protect your GRUB entries

    I see your point, but I just have an encrypted file container (via Truecrypt) for that kind of stuff, not the whole drive. Safer, no?
    Thinkpad T61 (6459-CTO) + mods

  7. #27
    Join Date
    Dec 2009
    Beans
    184
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: HOWTO: Password protect your GRUB entries

    Quote Originally Posted by Crowder View Post
    I see your point, but I just have an encrypted file container (via Truecrypt) for that kind of stuff, not the whole drive. Safer, no?
    No, because some applications may write sensitive data to unsecured areas. Or even if the data starts in a protected area, it's prone to propagate to unsecured areas like swap and temp.
    Last edited by noah++; March 16th, 2010 at 06:54 PM.

  8. #28
    Join Date
    May 2007
    Beans
    880
    Distro
    Ubuntu Development Release

    Re: HOWTO: Password protect your GRUB entries

    Quote Originally Posted by noah++ View Post
    No, because some applications may write sensitive data to unsecured areas. Or even if the data starts in a protected area, it's prone to propagate to unsecured areas like swap and temp.
    I'd say this (or using Ubuntu's encrypted home directory system) is somewhat safer, yes. But noah++ is right that it's easy for data to leak outside of your encrypted container and you can then have the illusion of security without the reality (which is probably worse). This is the danger of using any partial system to encrypt your data, and the flip side is that if you have a problem with your system it will be easier to repair it if you haven't encrypted your entire drive.

    If you are really concerned about the security of your data, use full-disk encryption. You may not feel that this is necessary in your case, but I've set it up for a number of people with very real needs for it. A couple examples are a Mexican human rights organization that records testimony of victims and witnesses on laptops in the field and then needs to store that data safely and protect the identities of these people, and a web developer's laptop that he travels with a lot and which contains a great deal of login and banking information for various corporate clients.

    So use whatever level of security you think is necessary for your situation, but don't extrapolate from your situation and assume that the needs of others will be as lax (or as comprehensive) as your own.
    ~~~
    I liked this old blog post by Aysiu: The Linux community's mixed messages

  9. #29
    Join Date
    Nov 2009
    Location
    de9fdc5c1ade9d205ac5e2622
    Beans
    Hidden!
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: HOWTO: Password protect your GRUB entries

    Even more important than overwriting data sections in a TrueCrypt (TC) volume is the fact that TC uses pseudo-random headers at the beginning and end of TC volumes. If this headers are ever damaged-overwriting, corrupted, ad nauseum) the volume can no longer be decrypted PERIOD. Even if you supply the correct passphrase the volume cannot be salvaged without those headers. Even trying to recreate the headers with the correct passphrase will not result in the correct header as it is pseudo-random. It is far better to buy a small extra drive (internal or external) and encrypt the entire drive. Please read the TC manual for a overview of why encrpyting only part of a SSD may not give the security needed.

    AlphaA
    Last edited by alphaamanitin; July 17th, 2010 at 03:25 PM.

  10. #30
    Join Date
    Jan 2009
    Beans
    3,964
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: HOWTO: Password protect your GRUB entries

    Yes, the alternate install with encryption is what I use, and it is perfect for me. All my data can't be touched for about a 11 million years of cracking on the world's most powerful supercomputer. A good option.

Page 3 of 4 FirstFirst 1234 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •