Mounting an encrypted volume presents the volume to all users on a machine
Richard W.M. Jones
rjones at redhat.com
Tue Oct 26 14:51:02 UTC 2010
On Tue, Oct 26, 2010 at 12:28:55AM +0200, nodata wrote:
> The default behaviour is that a user must know and supply a passphrase
> in order to mount an encrypted volume. This is good: know the
> passphrase, you get to mount the volume.
>
> What I am concerned about is that the volume is mounted for _every_ user
> on the system to see.
Another option is guestfish which has LUKS support now (in Fedora 14).
This works because guestfish runs another Linux kernel as the local
user, and you only pass the key to that kernel. The normal user
separation of Linux prevents another non-root user from gaining access
to the key.
As with all of the schemes discussed, root on the machine would still
be able to gain access. Local non-root users could also try their
hand at exploiting the host kernel -- usually easier to do than a
remote exploit -- or looking for some side channel such as keys being
leaked through process arguments. Local users + super-secret data is
not a great recipe for assured security.
Rich.
$ guestfish --ro -a F13x64Encrypted.img
Welcome to guestfish, the libguestfs filesystem interactive shell for
editing virtual machine filesystems.
Type: 'help' for a list of commands
'man' to read the manual
'quit' to quit the shell
><fs> run
><fs> list-partitions
/dev/vda1
/dev/vda2
><fs> luks-open /dev/sda2 encrypted
Enter key or passphrase ("key"):
><fs> vgscan
><fs> vg-activate true ""
><fs> lvs
/dev/vg_f13x64encrypted/lv_root
/dev/vg_f13x64encrypted/lv_swap
><fs> mount-options "" /dev/vg_f13x64encrypted/lv_root /
><fs> ll /home/
total 12
drwxr-xr-x. 3 root root 4096 Jul 21 12:00 .
dr-xr-xr-x. 24 root root 4096 Jul 21 12:01 ..
drwx------. 4 500 500 4096 Jul 21 12:00 rjones
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
More information about the devel
mailing list