[ltp] Hard disk password & linux
Vijay Garla
linux-thinkpad@linux-thinkpad.org
Mon, 16 May 2005 22:25:35 +0200
Hello David,
In 50 years, I hope to be alive - by then i'll just be a little outside
of the average life span, and I do exercise, eat well, and so forth, so
I'm pretty optimistic. But, 50 years is long enough for all my
bank/brokerage account numbers (and passwords) to change, and for that
matter, for the statue of limitations to expire for most crimes ... the
problem with any software based encryption as you point out, is that
keys land in swap, and if the machine crashes, or is suspendend to disk,
keys land in swap as well.
At any rate, I did a little research into this, and it seems to me as if
using the ATA HDD Password is even better than using software-based
encryption. Although data on the hard drive is not encrypted, it
requires an immense amount of effort to get at it without the password.
>From a thread on slashdot:
<quote>
Resetting the password is not trivial at all. There are two options, use
a logic analyzer and try to intercept the pieces of the password on it's
way in to generate the checksum (haven't heard of anyone being able to
accomplish this), or take the drive apart in a clean room, erase the
password of the platters and attach a virgin controller. There are no
companies in the US that will do either of these for you, and I don't
think that's a coincidence. The very few (3-4) companies that perform
this service make very good money of it. If you don't believe me, set
your master ATA pwd to a known value and try to reset it by any means
_without_ using the password.
</quote>
More details in this article: http://www.heise.de/ct/english/05/08/172/
So, hdd passwords are even easier to set up than filesystem level
encryption, and the key is not stored unencrypted on the hard disk (as
certainly will happen in suspend-to-disk). The question i was posing
was if anybody had tried this yet; theoretically it should work.
However, the devil lies in the details, and certain constellations don't
work, for whatever reasons, and I do recall reading in one of the linux
for laptop thinkpad faqs, that hdd passwords did not work.
So, to summarize, has anybody set their hdd password? No big deal -
I'll give it a shot, but I'd like to create an image of my harddrive
first, just in case (again, bad experiences mucking with partitions and
the hard drive in the past).
TIA,
vijay
David A. Desrosiers wrote:
>>>I thought I'd pose the question, although it has already been
>>>noted in some thinkpad linux faqs, but here goes: is it possible
>>>to use the hard-disk password with linux? I've heard the answer
>>>is no, but was wondering if there has been any progress on this
>>>front.
>>>
>>>
>
>
>
>>What would be the point? You can configure Linux to run without a
>>password.
>>
>>
>
> I think the point is to run Linux _with_ a password, and
>specifically to ensure that if someone takes his machine, they can't
>boot it up with KNOPPIX or similar forensics tools and get to the data
>on the disk.
>
> Of course this means he'll have to be using filesystem-level
>encryption on the disk and swap, but that's not hard to set up, and
>there is no way anyone can get to the data on the disk (in any
>readible way) without the key. A nice 8192 byte key should do nicely
>to thwart brute force for at least the next 50 years, after which
>you'll be dead anyway, and your secrets probably won't matter.
>
>
>
>David A. Desrosiers
>desrod@gnu-designs.com
>http://gnu-designs.com
>
>