Preventing from accessing data offline from live CD

Dear Friends.

I am customizing Kubuntu 12.04. here is my requirement that I want to prevent my system that if anybody boots with live CD or USB then my kubuntu installed pc must not show my existing HDD data or drive.

I mean after booting the kubuntu 12.04 installed PC with Live CD or USB, the guset OS (let it be any one) must not have access to original DATA in HDD.

How can i Do this please help.........................

I am reasonably sure that none of this is possible. If you simply want no one other than you from being able to use your PC, then enabling/setting a boot time password (BIOS password) is the only way I know of.

Encrypt the drive or take it with you when you leave the computer.

Don't have a hard drive installed. Boot from a live USB and take it with you when you leave the PC.

Snowhog's and oshunluvr's answers are technically correct.

What is the reason for your wanting such restrictions?

I have a similar question as in your other post. You are asking for particular technical solutions, but we can likely provide better advice if you step back from the methods and explain the reasoning behind your requests. What problem do you want to solve? What risks do you face, or think you might face?

No friends snowhog's answer is not correct. I have seen the same thing and now I want to know that how it has been done. He is not teaching his technique. I am just going to harden My PC and it is the requirement of my organization.

Please give a correct answer apart from doing this I have no option.

We have a language issue here; ours, not yours. We speak English, and it appears that English is not your native language.

We do want to assit you, IF we can determine exactly what your needs are. Even then, once fully understood what your needs are, it may be that what you need can't be accomplished.

So when the ninja hacker breaks into the consulate house... uh never mind, I been watching James Bond on NetFlix this month. lol

dear friend snowhog

yes English is not my native language.

I am customizing a kubuntu 12.04 LTS for few PC of my company. for security reasons my company don't allow any employ to install any other OS except customized by me. and I was also ordered to do the same technically that no one can use other OS. my boss has seen the same in another company and I have googled it but found nothing. now its a challenge for me to do this I will be very gladful to you ..

Thanks

@farjibaba: I'm going to combine this thread with your other one, because you're really asking the same question in muliple ways. Then I will reply in the combined thread.

Now this is helpful, because we can frame an appropriate response.

Regardless of what your boss saw (or believes he saw), there's one very important axiom that you must remember: physical access to a machine trumps nearly every security control that you might otherwise put in place. You can lock down a PC very tightly, yes. But once you hand that PC to another person, nearly all of the security can be undone. I'm speaking from experience here, as an information security professional with nearly two decades of experience in the area.

The firmware in every modern PC allows the user to press a key during startup to interrupt the boot sequence. A user could insert a USB drive with an alternate operating system, boot that drive, and circumvent all the security controls configured on the operating system installed to the hard drive. Various protection methods can make this a difficult task to accomplish. Let's consider them.

Firmware passwords can limit a user's ability to manipulate the boot sequence. When a firmware password is enabled, it's possible to prevent booting an alternate operating system installed on a second storage device. However, firmware passwords are weak. You can remove the internal CMOS battery, which supplies power to a small bit of memory that maintains the settings. Once the circuit capacitors have discharged, the firmware returns to its stock configuration, and the password is lost. Now the user can alter the boot sequence and start a foreign operating system.

Starting a foreign operating system allows the user to do anything he or she wants to with the hard drive in the computer and the operating system installed on it. This includes reading and writing data on the hard drive. You can prevent reading/writing data by encrypting the volumes on the drive's partitions. The encryption method must ultimately rely on a key or password that lives outside the hard drive itself. This could be stored on a small USB that must be present when the computer boots, or it could be stored in the user's brain (like a password). Otherwise, if the volume encryption key lives completely in an unencrypted boot volume, then it will be discoverable and can be used to decrypt the encrypted volume. The only way to encrypt the boot volume is by using a mechanism that can prompt the user to supply the key during boot.

Starting a foreign operating system also allows the user to install another operating system to the hard drive. The currently installed operating system is powerless to stop this, because it isn't even running now. Volume encryption can possibly thwart this attack, depending on the goal. To install another operating system, the user must first shrink the size of an existing partition to make room for another one. Shrinking a partition that contains an encrypted volume usually results in destruction of the data on that volume. If that volume contained the original operating system, it will no longer boot. Thus, if the goal were to keep both operating systems or maintain existing data, the attack breaks the goal. If the goal were simply to get around the installed operating system, the attack attains the goal: the newly installed operating system will boot.

If you're willing to explore a feature in most modern PCs known as the Trusted Platform Module (TPM), you can erect a number of barriers that make it more difficult for the user to circumvent PC security. After you have installed Kubuntu onto a PC, you can enable the TPM in firmware, clear the TPM, take ownership of the TPM, and then configure it. You must do these steps on each PC. Taking ownership configures a password and key in the TPM itself, which lives distinct from the hard drive. Once owned, the TPM cannot be cleared without knowledge of this password -- so you should not share it with the user.

A TPM has multiple levels of keying material and performs attestation during boot. When you boot the computer after first enabling the TPM, the TPM measures multiple aspects of the boot process and stores these results in platform configuration registers (PCRs) on the TPM. Then during every subsequent boot, the TPM performs the same measurements as before and compares these with the previously stored results -- this is the attestation phase. If any of the measurements fail to match, the TPM will halt the boot process. Attestation can fail under a variety of circumstances. If the user attempts to modify firmware settings, attestation fails. If the user attempts to boot a foreign operating system on a USB drive, attestation fails. If the user attempts to disable the TPM, either in the operating system or in the firmware, knowledge of both the storage root key and owner password is required.

Also, the TPM can be configured to store additional keys not related to the boot process. For instance, you can store LUKS volume encryption keys in the TPM and use modified version of GRUB to extract the key and thereby decrypt the volume. (This is very similar to how BitLocker on Windows uses a TPM, too -- both for boot attestation and for storing volume encryption keys.)

Using a TPM can get you very close to your stated goals. However, early TPM implementations (1.0, 1.1, 1.2) have been broken in laboratory settings and requires not only physical access but specialized hardware knowledge and skills. New malware can actually spoof the firmware into believing that it hasn't been tampered with even though it actually has, thus permitting complete TPM bypass.

I point out these facts because you must acknolwedge that there is no such thing as completely unbreakable security. Various methods of locking down a PC can make it incrementally more difficult for an attacker to violate your policies. They also make it more difficult for the user to do his or her normal job. You must take these tradeoffs into account when designing a PC security strategy. Developing a strategy requires practice and will take time. It took me an hour just to type this post in the thread, and I've been working in the security arena for a very long time. You will need to invest time of your own to learn about threats, risks, mitigations, and trade-offs.

dear snowhog

You are right english is not my native language.
I am customizating kubuntu 12.04 LTS for my company. and due to security reason it is advised that no employ should be able to install another OS except customized one. and i was also ordered to do enable such security that no one can install the another OS if installed that OS must not be boot. or if the both condition should not fulfilled then my custonized OS should not boot.
This is my actual requirement and my boss has seen same feature in another customized OS. that OS is also customized in Kubuntu 12.04. and those people has refused to tell me the method that how they have done.