I'm considering writing a hint.

maxwell_ at fastmail.fm maxwell_ at fastmail.fm
Tue Jan 11 09:02:21 PST 2011


Thanks for the reply, Andy.

I know, I know... nothing is completely safe.  And then you figure, if
they can't get to your OS, then they'll get to you through your
hardware.  The best bet would be to do away with using computers
altogether.

As for the differences between my potential hint and Lars'... To be
honest, there isn't much of a difference, but I can think of a couple. 
First, in my hint, you don't need to have a dedicated hard drive on the
machine at all.  You can just boot off the USB drive and then use the
machine without any disks.  How is this helpful?  Well, you could
potentially use my system anywhere you go (with the proper modules
compiled)... boot it off of a library computer, do your thing, and
leave.

The other difference is that since the OS is in RAM, if someone were to
hack into your computer through the network while you're online and
install a keylogger or trojan, it would be gone the next time you boot
up.  Changes are not persistent.  I don't know how common software
keyloggers or trojans are in Linux, but there you go...

It's actually not all that hard to set up an initrd.  I'm a total hack,
and I figured out how to do all of this by slamming my head against a
wall for a few months.
-- 
  
  maxwell_ at fastmail.fm


On Tue, 11 Jan 2011 16:37 +0000, "Andrew Benton" <b3nton at gmail.com>
wrote:
> On Tue, 11 Jan 2011 08:06:52 -0800
> maxwell_ at fastmail.fm wrote:
> 
> > Hello fellow LFS users.
> > 
> > First off, I am new to these lists, but I made my first LFS system
> > several years ago.  I have no idea which version it was.  I didn't go
> > very far beyond LFS at that time, and ended up going back to using
> > Windows (god forbid) because it just worked out of the box (barely)
> > without really having to mess with it too much.  I then moved on to
> > using Ubuntu for security reasons, having a huge lack of trust for
> > Microsoft and really anybody in this post 9/11 era.  I now assume that
> > all Windows operating systems are just a huge government backdoor. 
> > 
> > As you may have guessed by now, I am big on keeping my information
> > private.  I do not like how computers open up new doors for governments
> > to spy on their citizens.
> 
> Don't put away your tin-foil hat just yet, I gather that the NSA submit
> code to the linux kernel...
> 
> > I have installed a BLFS system, with all of the programs I want,
> > tailored just the way I like it.  But rather than keeping this system on
> > a hard disk, which someone could examine and potentially steal my data,
> > or learn about me and my habits... by looking at my browser cache, or
> > forensically examining the drive for documents I've written, I use a 4GB
> > USB thumb drive with a 128MB boot partition, and the rest of the drive
> > (3.8GB+) is a Truecrypt-encrypted partition.  My BLFS system is squashed
> > using Squashfs and is copied to the encrypted partition.
> > 
> > Here's how my boot process works:
> > 
> > I plug my thumb drive into my machine and turn it on.  I press F12 or
> > whatever to boot off of the thumb drive.  I have an initrd.gz in my boot
> > directory with Truecrypt in /bin.  The linuxrc calls Truecrypt to mount
> > /dev/sdb2 (the encrypted partition).  It prompts me for the password.  I
> > enter the password.  The partition is mounted read-only.  The linuxrc
> > creates a 1GB+ ramdisk and then copies the entire operating system (the
> > squashfs filesystem) from the encrypted partition to the ramdisk.  Next,
> > it dismounts the Truecrypt volume, so I can remove the USB thumb drive
> > if I want to.  Then it mounts the squashfs filesystem using AUFS, and
> > then pivot-roots to that system.  From there, the OS boots as usual.  If
> > you don't use AUFS to mount it, then the OS won't be writable, as
> > Squashfs is a read-only filesystem, and it won't work.
> > 
> > So what have I done?  My entire OS exists in RAM.  Once the machine is
> > powered off, it's like a LiveCD in that everything is gone... not a
> > trace of anything I've done is left.  But rather than it being some
> > LiveCD of some random Linux distro-of-the-day, it is my own, custom BLFS
> > system.
> 
> I've not tried encrypting a root partition (I think setting up an
> initrd looks hard...) so I don't know the ins and outs of it all, 
> how is this different from Lars Bamberger's hint?
> http://www.linuxfromscratch.org/hints/downloads/files/crypt-rootfs.txt
> 
> Andy
> 

-- 
http://www.fastmail.fm - Same, same, but different...
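
The boot sequence described in the quoted post, written out as an added example (not the poster's linuxrc). Assumptions: the image name `system.sqfs`, the `/mnt/*` mount points, tmpfs standing in for the ramdisk, and the `cmp` check before the dismount; the TrueCrypt options are those of its Linux text-mode command line.

```shell
#!/bin/sh
# Added example: linuxrc-style boot-to-RAM sequence (not the poster's script).
# Assumed names: system.sqfs, the /mnt/* mount points, tmpfs as the "ramdisk".
# DRY_RUN=1 (default) records each command in PLAN instead of running it.
DRY_RUN="${DRY_RUN:-1}"
CRYPT_DEV="${CRYPT_DEV:-/dev/sdb2}"   # encrypted partition named in the post
IMAGE="${IMAGE:-system.sqfs}"         # assumed squashfs file name
PLAN=""

run() {
    if [ "$DRY_RUN" = 1 ]; then
        PLAN="${PLAN}$*
"
    else
        # Stop at the first failure: never pivot into a half-built root.
        "$@" || { echo "linuxrc: failed: $*" >&2; exit 1; }
    fi
}

boot_to_ram() {
    PLAN=""
    run mkdir -p /mnt/crypt /mnt/ram /mnt/ro /mnt/root
    # Text-mode TrueCrypt prompts for the password; volume is mounted read-only.
    run truecrypt --text --mount-options=readonly "$CRYPT_DEV" /mnt/crypt
    # RAM-backed store for the image plus the writable AUFS branch.
    run mount -t tmpfs -o size=1200m tmpfs /mnt/ram
    run cp "/mnt/crypt/$IMAGE" "/mnt/ram/$IMAGE"
    # Verify the copy byte for byte before giving up access to the original.
    run cmp "/mnt/crypt/$IMAGE" "/mnt/ram/$IMAGE"
    # Dismount all TrueCrypt volumes; the USB drive can be removed after this.
    run truecrypt --text --dismount
    run mount -t squashfs -o loop,ro "/mnt/ram/$IMAGE" /mnt/ro
    # Read-only squashfs below, writable tmpfs directory on top.
    run mkdir -p /mnt/ram/rw
    run mount -t aufs -o br=/mnt/ram/rw=rw:/mnt/ro=ro none /mnt/root
    run mkdir -p /mnt/root/initrd
    run cd /mnt/root
    run pivot_root . initrd
}

# Return the 1-based position of the first PLAN line starting with "$1".
plan_index() {
    printf '%s' "$PLAN" | grep -n "^$1" | head -n 1 | cut -d: -f1
}

boot_to_ram
# Dry run prints the plan; a real run hands over to the new root's init.
if [ "$DRY_RUN" = 1 ]; then printf '%s' "$PLAN"; else exec chroot . /sbin/init; fi
```

The writable AUFS branch lives on the same tmpfs as the image, so nothing written during the session reaches a disk.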



