
Re: root fs/crypted



it should also be possible to include basic network support
into the initrd to enable 'entering' a password remotely.
we can't support all methods allowed by /etc/network/interfaces
(ppp/wvdial should be omitted..) but static/dhcp/bootp are 
possible.
the authorization process could, besides reading /dev/console,
also listen on a udp port.
local and remote station must share a secret(key) to allow secure 
communication. a couple of one time pads for maximum security
would be the best.

i don't want to drive through the whole city because someone
accidentally unplugged my box :)

On Wed, May 30, 2001 at 03:01:17AM +0200, clemens wrote:
> 
> SAWFASP^*
> 
> as laws around the globe are forged to weaken personal privacy, 
> police knocking on one's door, because of portscanning a
> previously hacked website, and - i don't have to tell those
> of you, which are reading slashdot - as pretty strange things start
> to happen worldwide, i'm getting somewhat nervous about
> my data safety.
> 
> what i'm aiming at, you might ask? 
> debian should support a crypted rootfs right out
> of the box.
> 
> i'll try to grasp within a few words, what's necessary to realize this:
> 
> - the international kernel must be introduced as regular 
>   debian packages. 
> - the boot disks need to be modified (just do a losetup
>   on some loopdev, and mount that one instead of the realrootdev)
> - of course, there must be an initrd to boot from, 
>   which accepts authentication information.
>   (this ramdisk has to be placed unencrypted on 
>    the rootfs, so the kernel code has to be circumvented or
>    the plain data has to be manually decrypted in usermode
>    to be re-encrypted to the original plain data when flushed 
>    to disk.. easy for ECB mode crypto but harder to
>    achieve for CBC mode - creative suggestions welcome)
> - there must be an alternative passphrase, since neither i nor
>   any user will be willing to trust one forgettable phrase.
>   (how many times have you forgotten your mobile phone pin?)
>   suggestion: the actual key will be randomly generated, and 
>   encrypted twice by two different passphrases/keys - one 
>   chosen by the user, one randomly generated - useful to write on 
>   a piece of paper and hide behind the bookshelf.
> 
> (probably i should crosspost to debian-legal. the 
> whole non-US issue has been left untouched)
> 
> what do YOU think?
> shall debian be the first(?) privacy enhanced distro?
> 
> clemens
> 
> ^* SAWFASP = searched archives without finding a similar 
> posting
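
The "random key, encrypted twice by two different passphrases" suggestion in the quoted message, as an added example that is not part of the original thread. All function names are hypothetical, the PBKDF2 work factor is an assumed value, and the XOR-mask-plus-HMAC wrapping is a standard-library stand-in for a vetted key-wrap cipher.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def _derive(passphrase: str, salt: bytes):
    # 64 bytes: first half masks the master key, second half authenticates the slot
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def wrap(master_key: bytes, passphrase: str) -> dict:
    """Create one key slot: the master key encrypted under one passphrase."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt per slot, so each mask is used exactly once
    mask, mac_key = _derive(passphrase, salt)
    blob = bytes(a ^ b for a, b in zip(master_key, mask))
    tag = hmac.new(mac_key, salt + blob, hashlib.sha256).digest()
    return {"salt": salt, "blob": blob, "tag": tag}

def unwrap(slot: dict, passphrase: str):
    """Return the master key, or None if the passphrase does not fit this slot."""
    mask, mac_key = _derive(passphrase, slot["salt"])
    expect = hmac.new(mac_key, slot["salt"] + slot["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, slot["tag"]):
        return None  # wrong passphrase or tampered slot
    return bytes(a ^ b for a, b in zip(slot["blob"], mask))

def new_volume(user_passphrase: str):
    """Random master key plus two slots: user passphrase and random recovery phrase."""
    master_key = os.urandom(32)      # the key that actually encrypts the root fs
    recovery = os.urandom(16).hex()  # the phrase for the piece of paper
    slots = [wrap(master_key, user_passphrase), wrap(master_key, recovery)]
    return master_key, recovery, slots

def unlock(slots, passphrase):
    """Try every slot; either passphrase yields the same master key."""
    for slot in slots:
        key = unwrap(slot, passphrase)
        if key is not None:
            return key
    return None

def change_passphrase(slots, index, old, new):
    """Re-wrap one slot; the master key and the encrypted data stay unchanged."""
    key = unwrap(slots[index], old)
    if key is None:
        raise ValueError("wrong passphrase for slot")
    slots[index] = wrap(key, new)
```

Because only the small slot records depend on a passphrase, a forgotten user phrase is recovered through the second slot and replaced without re-encrypting the disk.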


