Secure LiveCD system - HOW TO make hard drive spin UP/DOWN

[Webtest]

Over a month ago, I posted the following post regarding my hard drive that I keep trying to spin down, but it always spins back up every 30 minutes. Here is a link to the post: http://forums.linuxmint.com/viewtopic.php?f=90&t=48643

There were ZERO replies to this post, but don't feel bad because I also posted this information to the gvfs mailing list (http://mail.gnome.org/mailman/listinfo/gvfs-list) and got ZERO responses there as well.

In the mean time, I kept looking for whatever way possible to keep the hard drive spun down. If I couldn't keep the daemon (or whatever was the cause) from spinning the drive back up, maybe there was a way of "incapacitating" the drive itself. I came across a pretty good web site:
http://linuxmafia.com/pub/linux/suse-li ... pter2.html
SuSE Linux Internals, Terrehon Bowden, Bodo Bauer
This at least gave me the correct terminology to use in a Google search where I found ...
http://www.faqs.org/docs/Linux-HOWTO/SC ... HOWTO.html
dgilbert at interlog dot com
The Linux SCSI Generic (sg) HOWTO
SCSI version - Mint 8: 30534 3.5.34 [20061027]

This got me very close, as it discusses some of the internal operations of the SCSI driver on the hardware. It in turn led me to a search which found the Red Hat documentation site at:
http://www.redhat.com/docs/en-US/Red_Ha ... vices.html
This was the best reference of all, and it almost nailed the solution to the problem. It discussed the "/proc" directory and showed:

Code: Select all

mint mint # cat /proc/scsi/sg/devices
host	chan	id	lun	type	opens	qdepth	busy	online
0	0	0	0	0	1	1	0	1

Ah! If there is a flag for the device 'ONline, there must be some way to set if "OFFline", and if I could do that, what would happen? After a couple of more hours searching, reading, and testing, I finally came up with a most excellent solution:

Code: Select all

# The command to set the hard drive device offline can ONLY be run in root. "sudo echo" will NOT work!
mint@mint ~ $ sudo -i
# Spin the hard drive down ... I figured this out a month ago ... must be done while ONline
mint ~ # hdparm -y /dev/sda
/dev/sda
issuing standby command
# Set the hard drive OFFline
mint ~ # echo offline > /sys/block/sda/device/state
# Make sure the device received the command [optional]
mint ~ # cat /sys/block/sda/device/state
offline

OK! Major success. I presume the daemon still tries to 'tick' the drive, but the system ran just fine for several hours with the drive continuously spun down and offline.

Now, if I could set the drive OFFline, could I get it back spinning again? Again the answer is absolutely YES, but there is a trick to it. You can NOT set the drive ONline! I noticed that the state before I set it offline was "running", so, I ran the 'echo' command to pass "running" to SDA, and it worked perfectly. Once the drive is online (i.e. 'running'), I can spin it up and mount it by accessing the drive in the 'Places' list in the Gnome Nautilus File Browser.

Code: Select all

# Set the hard drive ONline
mint ~ # echo running > /sys/block/sda/device/state

So, now I have a totally secure web browsing system ... my system is securly locked on an SD flash memory card, and while I am connected to the internet, my hard drive is totally inaccessible, however, I can still spin up and remount the drive whenever I want. I still have a few more things I want to do, but the important tasks are finally accomplished.

Blessings in abundance, all the best, and ENJOY!
Art in Carlisle PA USA

[piratesmack]

Thanks, works great.

I just tried this from a Knoppix live cd, but I used 'hdparm -Y' (The man page says this completely turns the hard drive off).
Hopefully this will give me a little extra battery life

[larsp]

Thanks for sharing your research webtest! Your solution is exactly what I was hoping to find!

I just upgraded my home server from a slow headless NAS running embedded debian, to some new hardware that is strong enough to also be my HTPC, so I decided to run Linux Mint 10 to get a pretty desktop as well as the server functionality, and wow does it run great!

One of the things my server do is a nightly backup of important data to an ESATA drive, using rsync to make daily hardlinked backup folders. I have written a script that mounts the drive, does the backup, then unmounts it and spins it down to save power and reduce noise. About once a week, I physically remove the external drive and swap it with a similar drive I have in my drawer, to get even more backup safety.

... however ... deamon(s) in Linux Mint ruined the spin down part... that is, until I found this solution. Now my script is even stronger, because the drive is completely offline and even more free of harms way, until the script does its magic

Getting stuff like this working is what makes Linux so great and rewarding!

Best regards,
Lars

BTW: In my backup script, I added a check on the umount command exit value before performing the offline trick. If umount fails, I don't think it is clever to brutally offline the drive. Something may be accessing the filesystem for some reason.

[Webtest]

I think I was a teacher in my previous incarnation! I enjoy sharing almost as much as I enjoy finding knowledgeable and helpful people on the forums who help me to find solutions.

One caution ... On Mint 10, when I boot up my secure system off of the locked SD card, very shortly after I type in the command to spin down the drive, something in the system "touches" the drive and spins it back up! I haven't taken the time to figure out the timing ... it may just be a coincidence where the I just happen to type in the commands a little faster than it takes the system to "touch" the drive. Anyway, I just recall the previous command and spin it down again, and then take it offline. I can actually hear the drive in my system so it is no problem, but this is a warning for anyone who can't hear the drive spin up or down. It would be an interesting problem to figure out the difference between Mint 8 and 10 and how to keep this from happening. It doesn't bother me much because I mostly use Mint 8, and it doesn't touch the drive and spin it up for about a half an hour after I spin it down.

Blessings in abundance, all the best, and ENJOY!
Art in Carlisle PA, USA

[DrHu]

So, now I have a totally secure web browsing system ... my system is securly locked on an SD flash memory card, and while I am connected to the internet, my hard drive is totally inaccessible, however

Good story, but nothing really to do with securing your system from the Internet

• Just relying on the Linux IPTABLES + your router should be enough

--I might even through in an encrypted hard drive area; that to me seems to be the most secure method

I would ask you this, if you thought someone could get yo your hard drive from the Internet, why don't you think they could spin up the hard drive, and just grab some data from it

[Webtest]

Dr. Hu ...

if you thought someone could get to your hard drive from the Internet, why don't you think they could spin up the hard drive

I am paranoid, but not quite THAT paranoid! First of all, I am running Linux, not Windows, so there is less risk. Secondly, the filesystem that is running is unusual in that it is a ramdisk and not a hard drive (I don't really care what happens to the ramdisk since the time between reboots is about an hour). Beyond that, someone would have to break into the system and then try to figure out that the hard drive is offline AND that it is spun down. Also, when I walk away from the system, I never leave it online, so while I am at the computer I can hear the drive spin up. That would get my attention immediately. I am not worried about any data that I have on the drive ... it is a Windows system, and I just absolutely don't want any viruses planted on it. I do use it for my iTunes account but never for any banking or other credit card activity.

One major surprise I learned a few days ago is that the "Lock" switch on an SD card is NOT a hardware lock on the card! It merely provides a status signal to the OS, which then determines how to handle data writes to the card. I will be checking on that later this week. Your comment on the IPTABLES sounds interesting and I will investigate that also. Hopefully, in a month or two I will be able to spin my own uncompressed LiveCD system ... that is my next major objective! When I can do that, I will write a step-by-step tutorial on how to do it.

Thanks for your interesting comments.
Blessings in abundance, all the best, & ENJOY!
Art in Carlisle PA, USA

[Habitual]

Art:

Props for your perseverance.
Most people just come here to whine and moan, but you saw it through.
Much respect.
+1

[Webtest]

Esteemed Forum Participants & Lurkers:
Since my last post to this thread I added a third step to my hard drive shtudown, AND I was able to fully automate it! The 3 steps are:

* Spin down the drive
* Mark the drive offline immediately after the spindown
* DELETE the device completely!

Here is the script that I run in a Terminal window to do this. It can be run by any user with sudo privileges. It is marked as executable, so clicking on the icon and selecting "Run in terminal" works just fine. The "sleep 5" at the end keeps the Terminal window open just long enough to confirm the results.

Code: Select all

#!/bin/sh
# Run as user mint IN TERMINAL WINDOW WITH:    ./hdoff
#
# http://stackoverflow.com/questions/84882/sudo-echo-something-etc-privilegedfile-doesnt-work-is-there-an-alterna
# https://blogs.oracle.com/joshis/entry/sudo_echo_does_not_work
# sudo sh -c 'echo "text" > file'

echo 
echo "Drive sda is:"
cat /sys/block/sda/device/state
echo
sudo hdparm -y /dev/sda; sudo sh -c 'echo offline > /sys/block/sda/device/state'
echo
echo "Drive sda is:"
cat /sys/block/sda/device/state
echo
sudo sh -c 'echo 1 > /sys/block/sda/device/delete'
echo 'Drive sda is ->  DELETED  <- if  "No such file or directory"'
cat /sys/block/sda/device/state
echo
echo
sleep 5

Note the unusual format of the echo commands that need to be run as SuperUser ...
sudo sh -c 'echo offline > /sys/block/sda/device/state'
there are a lot of discussions regarding this on the internet ... 2 of the links are in my code comments. In this format, the privileged command can be run by any user with sudo privileges.

Hopefully this will help some other newbie in the future!
Blessings in abundance, all the best, & ENJOY!
Art in Carlisle PA USA