Mageia forum

[oldcodger]

I want to prevent any miscreant that may steal my laptop from gaining access to the data contained on it?
I know I can remove the failsafe option from the grub menu, but it's no big deal to get round that.
I could put a password on the BIOS, again it's not difficult to get round that either.

Is there a way to remove the failsafe from the grub menu and prevent the command line route being used but still leave me with a back door to gain access if needs be?

Of course one could always use a live disk version of the OS to gain access, but, would they be able to gain full access without a root password?

I look forward to the replies on this one.

[digigold]

Best thing to do IMHO would be to only have any sensitive data on LUKS partions..

[doktor5000]

Of course one could always use a live disk version of the OS to gain access, but, would they be able to gain full access without a root password?

Sure, if you're root in that live disk (uid=0) then after you mount some partitions they belong to you. Easy as that.
Only way to defeat this is to implement encryption properly.

[oldcodger]

Why, yes of course. Encryption. Now why didn't I think of that.
Thank you for the quick and sensible response.

[oj]

Is there a way to remove the failsafe from the grub menu and prevent the command line route being used but still leave me with a back door to gain access if needs be?

For that part, you could set the grub delay to zero, so there would be no opportunity to bring up an options menu, where someone could gain root access in single user mode, for eg.

For the data itself, encryption is the only way to go. Make sure you make unencrypted backups of your data regularly, if something in the OS breaks you're likely to lose all the encrypted data.

[morgano]

It is not only the laptops that might be stolen...
Me and my wife use encryption on "everything" on all computers including server.
The speed penalty for encryption is negligible.
When istalling i set a 120MB ext4 partition as /boot, rest encrupted LUKS with LVM inside, and in that Ext4 partitions of /, /home, /swap, spare.
(It is possible with this setup to increase the partitions inside LVM while mounted using MCC, when needed)
For filesystem backup i have used fsarchive, that can encrypt the archive.
(I plan to move to something automatic and frequent, like Bacula or PCbackup)
And occasionally i make complete disk image files.
The (encrypted) backup drives get moved to a relatives home in case of theft/fire...
(Exception: the large drive with family photo albums, video, OS-install isos... is not encrypted and less backed up)

[oldcodger]

Yes, it is perfectly true that any computer can and does get stolen, however it's more likely that a laptop or similar device is stolen or lost because of sheer portability.
The data on my machines is not that secret yet a lot of it is personal and needs looking after.
If I was in business or a server of some kind then your methods are well worth the effort Morgano.
I wonder how many home PC users actually backup their data up off premises.