
Re: Keeping files away from users



Hey there,

--On Thursday, June 05, 2003 11:14:36 AM +0200 Marcel Weber <mmweber@ncpro.com> wrote:

Luis Gomez - InfoEmergencias wrote:
We're already looking at that (btw, IIRC loop-aes is included into the
cryptoapi of kerneli.org). The problem is what Dariush points out: if your
machine has the pass to mount the filesystem, someone can put the HD in
another machine, remove the root password, put the HD back in my
original server, boot it, login as root and access whatever content we
have there. Or just find the script that mounts the ciphered
filesystem, look at its password and mount the ciphered fs himself :-(


What about taking some computer / server specific things to generate the
password? Say, the MAC address of the NIC, the CPU's ID, some other stuff
from the BIOS? Take all these things, make an MD5 hash and use it as the
password. Of course, it would not be very secure, as anyone that has
access to the computer could figure out how this password is put
together. It would rather be security by obscurity...

The built-in certificates of a TWCP (or whatever it is called, you know,
the hardware side of this Palladium stuff) would come in handy for such a
purpose...

Making the encryption key hardware dependent would make it a hard job to
decrypt the hard drive in another computer...

On the other hand - what will you do if your server gets a hardware problem and you have to replace/expand the system with a new NIC, add another CPU, exchange anything in the box? So after a simple hardware problem all your own data is lost as well, even if the hard drive is not having any problems.

Just my 2 cents. :-)

Harry
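
The scheme discussed in this thread, sketched as an added example that is not part of any poster's message: an MD5 passphrase derived from hardware identifiers, checked against the same box read by a different tool and against the box after a NIC replacement. The identifier names and values, and the functions normalize, hardware_passphrase and unlock_check, are constructed for illustration.

```python
import hashlib

def normalize(value):
    """Drop separators and case so one ID read by different tools hashes the same."""
    return "".join(ch for ch in value.lower() if ch.isalnum())

def hardware_passphrase(ids):
    """MD5 over sorted name=value pairs. No input is secret: anyone with
    access to the machine can read the same identifiers and repeat this."""
    material = "\n".join(f"{name}={normalize(ids[name])}" for name in sorted(ids))
    return hashlib.md5(material.encode("utf-8")).hexdigest()

def unlock_check(enrolled_ids, current_ids):
    """Return (unlocks, changed): does the passphrase derived from the current
    hardware still match the enrolled one, and which identifiers differ."""
    names = enrolled_ids.keys() | current_ids.keys()
    changed = sorted(
        n for n in names
        if normalize(enrolled_ids.get(n, "")) != normalize(current_ids.get(n, ""))
    )
    unlocks = hardware_passphrase(enrolled_ids) == hardware_passphrase(current_ids)
    return unlocks, changed

# Constructed sample identifiers (hypothetical values, not from the thread).
ENROLLED = {
    "nic_mac": "00:11:22:AA:BB:CC",
    "cpu_id": "0000-0673-0000-0000",
    "bios_serial": "SN-EXAMPLE-0001",
}
# Same hardware, MAC printed in another notation by a different tool.
SAME_BOX_OTHER_TOOL = dict(ENROLLED, nic_mac="00-11-22-aa-bb-cc")
# Same server after the NIC was replaced.
AFTER_NIC_SWAP = dict(ENROLLED, nic_mac="00:11:22:DD:EE:FF")

if __name__ == "__main__":
    print("enrolled passphrase:", hardware_passphrase(ENROLLED))
    for label, ids in (("same box, other tool", SAME_BOX_OTHER_TOOL),
                       ("after NIC swap", AFTER_NIC_SWAP)):
        unlocks, changed = unlock_check(ENROLLED, ids)
        print(f"{label}: unlocks={unlocks} changed={changed}")
```

The NIC swap case is the data-loss situation raised in the reply: one replaced component yields a different passphrase while the disk itself is intact.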



