![](https://seccdn.libravatar.org/avatar/25bbc96d9c53647354cb724e744b2222.jpg?s=120&d=mm&r=g)
On 6/19/06, Sunny <sloncho@gmail.com> wrote:
On 6/19/06, jfweber@gilweber.com wrote:
On June Saturday 17 2006 3:59 pm, John R. Sowden wrote: ,snip>
I wonder tho, returning to the idea of encrypting the /boot area; Knoppix might still run, even tho it ought not do so. And that opens the whole hard drive , if it ( Knoppix) boots. Any one have any real life experience to help there? ( we are small company and so far as I can tell a laptop for testing will have to be a private personal purchase... <sigh> ( if we ever go big, I want a huge raise <g>)
If the case is just to not allow someone with no permanent physical access to the machine, just set the password for the BIOS, and in BIOS disable booting from CDROM, USB, floppy.
This will not help if someone has real physical access though, as he/she can open the machine and reset the BIOS password, or just unplug the HDD and attach it to another machine for reading. Then your only safeguard is encrypted fs.
I have not been tracking this thread, but there are a couple of physical harddisk solutions in addition to the above. First for several years, there have been laptop drives that require the user to enter a password via the bios before they will accept i/o commands. These drives have been common on some of the IBM laptops. They are not fool-proof because the data on the drive is not actually encrypted and a smart data theif can replace the drive electronics with a set of drive electronics that don't have the password set. Not trivial to do, but far from impossible. Also, I think Seagate for one sells laptop drives that do real encryption on the fly. This is much better because replacing the drive electronics won't help you. I'm not positive you can buy them or if there just vaporware, but check out the Seagate Momentus FDE (full drive encryption) laptop drives. http://www.seagate.com/docs/pdf/marketing/PO-Momentus-FDE.pdf Greg -- Greg Freemyer The Norcross Group Forensics for the 21st Century -- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com