HOWTO: Password protect your GRUB entries

[noah++]

I've found that if you set bootsplash to an invalidly formatted image, GRUB will produce a blank screen until it boots the OS. That hack, combined with a password, provides plausible deniability similar to what the TrueCrypt Windows-only bootloader features.

What if I don't have menu.lst?

Then you have either grub.conf or grub.cfg. The latter's format differs from menu.lst, but it is similar enough to work.

[ubudog]

Yeah to change your grub config do:

Code:

gksu gedit /boot/grub/grub.cfg

[Crowder]

I don't mean to be "THAT GUY," but I don't think all this crazy encryption & password stuff is really all that necessary. Truth be told, I found this thread only because I saw the password line in Grub while I was adding XP to my boot list and was curious about it.

So here's the reason I'm posting - I have a question.

Why not just set a BIOS hardware password? That way, you have to enter a master password before the computer even begins the process of booting. I've heard it can be reversed by some kind of switch on the motherboard, but I really don't think anyone would ever go to the trouble of opening up my computer. I also don't think anyone will ever rip the hard drive out in order to see my data, so I see no point in encrypting it. I mean, this isn't the CIA (or is it?).

I don't mean to bust your balls, but if somebody knows some huge flaw with the BIOS thing I'd be interested to know.

Anybody? No?

[satish_j]

Thank you for such a useful post..i was really looking for a mechanism to protect the recovery mode option.An md5 hash as password,is definitely very good and strong approach towards securing my system..

[noah++]

but if somebody knows some huge flaw with the BIOS thing I'd be interested to know.

Anybody? No?

You should determine the necessity of any security measure by the importance of what's being protected and the likelihood of its loss. In case you simply want to keep your kids off the computer, a BIOS password should be enough. Your kids probably aren't sophisticated or determined enough to break that protection; and even if they did, you would incur no great loss.

I use disk encryption because my computer contains vital passwords and personal data. I know that even in the presence of typical application-level security measures, such as a web browser master password, this data tends to propagate to insecure areas like swap space.

I know it is relatively unlikely that my computer will be stolen and that the thief will be sophisticated and determined enough to mount my hard drive from outside the operating system it hosts. But the data is so important, because it could damage me so much in the wrong hands, I take the measure of encrypting it. (Anyway, the sophistication required to read my unencrypted hard drive is becoming ever less rare.)

[Crowder]

I see your point, but I just have an encrypted file container (via Truecrypt) for that kind of stuff, not the whole drive. Safer, no?

[noah++]

I see your point, but I just have an encrypted file container (via Truecrypt) for that kind of stuff, not the whole drive. Safer, no?

No, because some applications may write sensitive data to unsecured areas. Or even if the data starts in a protected area, it's prone to propagate to unsecured areas like swap and temp.

[michaelzap]

No, because some applications may write sensitive data to unsecured areas. Or even if the data starts in a protected area, it's prone to propagate to unsecured areas like swap and temp.

I'd say this (or using Ubuntu's encrypted home directory system) is somewhat safer, yes. But noah++ is right that it's easy for data to leak outside of your encrypted container and you can then have the illusion of security without the reality (which is probably worse). This is the danger of using any partial system to encrypt your data, and the flip side is that if you have a problem with your system it will be easier to repair it if you haven't encrypted your entire drive.

If you are really concerned about the security of your data, use full-disk encryption. You may not feel that this is necessary in your case, but I've set it up for a number of people with very real needs for it. A couple examples are a Mexican human rights organization that records testimony of victims and witnesses on laptops in the field and then needs to store that data safely and protect the identities of these people, and a web developer's laptop that he travels with a lot and which contains a great deal of login and banking information for various corporate clients.

So use whatever level of security you think is necessary for your situation, but don't extrapolate from your situation and assume that the needs of others will be as lax (or as comprehensive) as your own.

[alphaamanitin]

Even more important than overwriting data sections in a TrueCrypt (TC) volume is the fact that TC uses pseudo-random headers at the beginning and end of TC volumes. If this headers are ever damaged-overwriting, corrupted, ad nauseum) the volume can no longer be decrypted PERIOD. Even if you supply the correct passphrase the volume cannot be salvaged without those headers. Even trying to recreate the headers with the correct passphrase will not result in the correct header as it is pseudo-random. It is far better to buy a small extra drive (internal or external) and encrypt the entire drive. Please read the TC manual for a overview of why encrpyting only part of a SSD may not give the security needed.

AlphaA

[ubudog]

Yes, the alternate install with encryption is what I use, and it is perfect for me. All my data can't be touched for about a 11 million years of cracking on the world's most powerful supercomputer. A good option.