The Move To Linux

Easter79
• 阅读 521

One of the standards that has become normal in the US federal sector is the requirement that all mobile devices, such as laptops, have encrypted drives. This was a direct result of a number of laptop thefts earlier in the decade that resulted in the supposed leaking of personal information. As a former federal contractor, I watched a number of successful and not so successful methodologies implemented and deployed. Some resulted in real data protection and some resulted in wonderful bricks. In some cases on a regular (read daily) basis.
One of the more successful tools is the Trust Platform Module (TPM) chip. When properly implemented, it allows you to improve encryption, ensure that even if your disk is removed from your laptop, it is still secure and greatly enhances security. So, imagine my surprise, upon rejoining the private sector that my new company does not have a policy for encrypting laptops, even though almost every individual in the company has one.
I was issued a brand-new Dell, with a TPM chip and Windows XP on it. Of course, the first thing I did was download a copy of Fedora and set about reformatting the machine, including setting up the TPM and installing ext4 and enabling Linux disk encryption and went along my merry way, not really thinking about it. That was six months ago.
Like most laptop users, when disk space gets low, you have two options. Replace the disk with a larger one and reinstall or clone the disk to a larger one. After only six months, I was in no mood to do a reinstall, so I decided I would go the clone route. But wait, I had a TMP protected, encrypted disk. How was I supposed to do this? Surely this was a routine sort of thing. So I set out to the Internet and did some research. And was underwhelmed with what I discovered. Essentially, while there are a number of sites that will tell you how to clone your disk (something I am very familiar with), there are almost none that talk about the issues of encryption. Which left me in a bit of a quandary.
Finally, I decided to give it a shot and hope that I could make it work. The first question was what tool to use. I decided to go with dd because it does a bit for bit copy, rather than needing access to the file system. This is important because the disk, for the most part, is encrypted.
The other decision I made was to remove the disk from the machine and put it in a cage and put the second disk in a cage as well. I then booted the diskless machine with a LiveCD (I used Fedora 14 desktop) and connected the disks. Sure enough my encrypted disk popped up and I got an warning indicating that it was encrypted. I canceled the option to type in my password and connected my second disk and set to work doing the copy.
I was moving some 150 GB of disk from one machine to another, via USB. It took close to ten hours to do this successfully. So while dd worked, there are probably faster alternatives. Your mileage may vary.
After the copy was successful, I installed the new disk, pushed the power button and crossed my fingers. I am happy to report that the drive fired up, and after a successful password, decrypted itself and I was back in business.
But wait a minute.... Yes, what about the TPM chip? Remember that one of the things a TPM chip is supposed to do is prevent me from reading a disk not attached to the motherboard. I should not only not have been able to read it once mounted in the cage, I should not have been able to copy it at all - at least not to any sort of usable form. And I did. Why? Well, my leading thought is I did not set up the module correctly or that Dell has not set it up correctly to add the additional level of protection to the disk. It is also possible I did not install Linux in such a way to take advantage of the chip. In either case, while I am getting security through the Linux-based disk encryption, I am not getting any additional protection from the TPM chip.
The takeaways then are this. You can use dd to copy Linux-encrypted disks successfully. And never assume you are secure unless you test your security. Better yet, have someone else test it. Chances are you are not as secure as you think you are.

Using dd to clone an encrypted disk

These instructions assume you are using similar drive types (such as SATA), have access to a pair of cages or disk carriers, and a significant amount of time to copy the data.

1) Remove the disk you want to copy from the system and place it in a cage. This step is optional.

2) Set up your secondary disk in a cage.

3) Boot your system with a LiveCD. This will allow you to unmount the disks you are planning to clone, which is critical to a successful clone.

4) Open a couple of terminals. In one terminal su to root or execute the following command with sudo:

tail -f /var/log/messages

This will open a running window from your messages file, which is important for determining what disks are where as well as any error messages that are not logged to the console during the dd process. /var/log/messages is the default location for most OSs. Double check to see if it is the same for you.

5) Plug in your source drive and watch the log file for the name assigned to it. For example, if it is a SATA drive, and there are no other drives connected it will most likely pop up as /dev/sdb. (If you did not remove your drive, it is likely /dev/sda.)

6) Plug in the second drive and note its name. In my case it was /dev/sdc.

7) If you need to format your new drive, now is the time. Create a single partition, and make sure you choose ext4 as the file type. Once the disk is prepared, unmount both disks.

8) In a terminal, as root, run the following:

dd if=source drive of=destination drive

So:

dd if=/dev/sdb of=/dev/sdc

Go and prepare Thanksgiving dinner (and possibly get a leg up on Christmas dinner if you have a large disk).

9) Once the copy is complete (and you will know because the command prompt will come back), install your new disk into your machine and boot it up.

Best of luck!

点赞
收藏
评论区
推荐文章
blmius blmius
3年前
MySQL:[Err] 1292 - Incorrect datetime value: ‘0000-00-00 00:00:00‘ for column ‘CREATE_TIME‘ at row 1
文章目录问题用navicat导入数据时,报错:原因这是因为当前的MySQL不支持datetime为0的情况。解决修改sql\mode:sql\mode:SQLMode定义了MySQL应支持的SQL语法、数据校验等,这样可以更容易地在不同的环境中使用MySQL。全局s
Wesley13 Wesley13
3年前
java将前端的json数组字符串转换为列表
记录下在前端通过ajax提交了一个json数组的字符串,在后端如何转换为列表。前端数据转化与请求varcontracts{id:'1',name:'yanggb合同1'},{id:'2',name:'yanggb合同2'},{id:'3',name:'yang
皕杰报表之UUID
​在我们用皕杰报表工具设计填报报表时,如何在新增行里自动增加id呢?能新增整数排序id吗?目前可以在新增行里自动增加id,但只能用uuid函数增加UUID编码,不能新增整数排序id。uuid函数说明:获取一个UUID,可以在填报表中用来创建数据ID语法:uuid()或uuid(sep)参数说明:sep布尔值,生成的uuid中是否包含分隔符'',缺省为
待兔 待兔
5个月前
手写Java HashMap源码
HashMap的使用教程HashMap的使用教程HashMap的使用教程HashMap的使用教程HashMap的使用教程22
Jacquelyn38 Jacquelyn38
3年前
2020年前端实用代码段,为你的工作保驾护航
有空的时候,自己总结了几个代码段,在开发中也经常使用,谢谢。1、使用解构获取json数据let jsonData  id: 1,status: "OK",data: 'a', 'b';let  id, status, data: number   jsonData;console.log(id, status, number )
Wesley13 Wesley13
3年前
Java获得今日零时零分零秒的时间(Date型)
publicDatezeroTime()throwsParseException{    DatetimenewDate();    SimpleDateFormatsimpnewSimpleDateFormat("yyyyMMdd00:00:00");    SimpleDateFormatsimp2newS
Wesley13 Wesley13
3年前
mysql设置时区
mysql设置时区mysql\_query("SETtime\_zone'8:00'")ordie('时区设置失败,请联系管理员!');中国在东8区所以加8方法二:selectcount(user\_id)asdevice,CONVERT\_TZ(FROM\_UNIXTIME(reg\_time),'08:00','0
Wesley13 Wesley13
3年前
00:Java简单了解
浅谈Java之概述Java是SUN(StanfordUniversityNetwork),斯坦福大学网络公司)1995年推出的一门高级编程语言。Java是一种面向Internet的编程语言。随着Java技术在web方面的不断成熟,已经成为Web应用程序的首选开发语言。Java是简单易学,完全面向对象,安全可靠,与平台无关的编程语言。
Stella981 Stella981
3年前
Django中Admin中的一些参数配置
设置在列表中显示的字段,id为django模型默认的主键list_display('id','name','sex','profession','email','qq','phone','status','create_time')设置在列表可编辑字段list_editable
Wesley13 Wesley13
3年前
MySQL部分从库上面因为大量的临时表tmp_table造成慢查询
背景描述Time:20190124T00:08:14.70572408:00User@Host:@Id:Schema:sentrymetaLast_errno:0Killed:0Query_time:0.315758Lock_
Python进阶者 Python进阶者
11个月前
Excel中这日期老是出来00:00:00,怎么用Pandas把这个去除
大家好,我是皮皮。一、前言前几天在Python白银交流群【上海新年人】问了一个Pandas数据筛选的问题。问题如下:这日期老是出来00:00:00,怎么把这个去除。二、实现过程后来【论草莓如何成为冻干莓】给了一个思路和代码如下:pd.toexcel之前把这
Easter79
Easter79
Lv1
今生可爱与温柔,每一样都不能少。
文章
2.8k
粉丝
5
获赞
1.2k