Re: Keeping files away from users
Luis Gomez - InfoEmergencias wrote:

We're already looking at that (btw, IIRC loop-aes is included in the 
cryptoapi of kerneli.org). The problem is what Dariush points out: if your 
machine has the pass to mount the filesystem, someone can put the HD in 
another machine, remove the root password, put the HD back in my original 
server, boot it, login as root and access whatever content we have there. Or 
just find the script that mounts the ciphered filesystem, look at its 
password and mount the ciphered fs himself :-(

What about taking some computer / server specific things to generate the 
password? Say, the MAC address of the NIC, the CPU's ID, some other stuff 
from the BIOS? Take all these things, make an MD5 hash and use it as 
password. Of course, it would not be very secure, as anyone that has 
access to the computer could figure out how this password is put 
together. It would rather be security by obscurity...

The built in certificates of a TWCP (or whatever it is called, you know 
the hardware side of this Palladium stuff) would come in handy for such a 
purpose...

Making the encryption key hardware dependent would make it a hard job to 
decrypt the hard drive in another computer...

Marcel
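
Added example, not part of the original message: a Python sketch of the hardware-derived passphrase described above (MD5 over the NIC MAC, CPU ID and a BIOS value), showing that it stops working when the disk sits in different hardware but can be recomputed by anyone who knows the same identifiers. The field names, sample values and the `unlocks` helper are assumptions made for illustration.

```python
import hashlib
import hmac

def hardware_passphrase(ids):
    """MD5 hex digest over a machine's identifiers (the scheme from the message)."""
    h = hashlib.md5()
    for name in sorted(ids):                        # fixed order, not dict order
        for field in (name, ids[name].strip().lower()):
            data = field.encode("utf-8")
            h.update(len(data).to_bytes(4, "big"))  # length prefix keeps fields unambiguous
            h.update(data)
    return h.hexdigest()

def unlocks(volume_passphrase, machine_ids):
    """True if the passphrase derived from these identifiers matches the volume's."""
    candidate = hardware_passphrase(machine_ids)
    return hmac.compare_digest(candidate, volume_passphrase)

# Constructed sample identifiers (assumed names and values). On a real host they
# would be read from the NIC, CPU and BIOS, which anyone with access to the
# computer can do as well.
SERVER = {"nic_mac": "00:11:22:33:44:55", "cpu_id": "BFEBFBFF000306A9",
          "bios_serial": "EXAMPLE-0001"}
OTHER_BOX = {"nic_mac": "66:77:88:99:AA:BB", "cpu_id": "BFEBFBFF000906EA",
             "bios_serial": "EXAMPLE-0002"}

def scenarios():
    volume = hardware_passphrase(SERVER)            # passphrase set at install time
    known_ids = dict(SERVER)                        # same values, known to someone else
    after_nic_swap = dict(SERVER, nic_mac="00:11:22:33:44:66")
    return {
        "disk_moved_to_other_box": unlocks(volume, OTHER_BOX),
        "recomputed_from_known_ids": unlocks(volume, known_ids),
        "server_after_nic_replacement": unlocks(volume, after_nic_swap),
    }

if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case}: {'unlocks' if ok else 'does not unlock'}")
```

The third case is the operational cost of the scheme: replacing a NIC on the legitimate server changes the derived passphrase, so a recovery copy of the key has to be kept somewhere off the machine.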