Re: encrpyt harddrive without passphrase/userinput
Hello,
Am Sonntag, 26. Februar 2006 23:26 schrieb Mario Ohnewald:
> On Sun, 2006-02-26 at 14:13 -0800, Stephan Wehner wrote:
> > Who is going to be booting this machine??
>
> It´s a server. It is supposed to be online all the time.
> Once turned on it will run till someone reboots its remotely or due to
> power failure or something alike.
>
> The whole scenario can be pictured like this:
>
> Put your server in a corner of a street and secure it. In case someone
> hits the reset button it needs to be able to boot automatically without
> user input.
>
> In a nutshell: Secure it without physical security and user input.
>
> I guess it can`t be done?! :(
- Install some minimal Linux.
- Install Debian chroot'ed and encrypted.
- If the server boot's, the minimal Linux is booted.
- The Info needed to decrypt and mount the is transfered across the network.
There are two scenarios I can think of:
a) You get an email when the server has booted the minimal Linux (and sends
you a mail, etc.). After that you verify, that the server has not been
stolen, and send the secret via ssh.
pro: maximum security. cons: downtime.
If you've two or more server at different locations, connected via heartbeat,
that can replace each other, this probably is the best solution I know.
b) Your server gets its secret via ssh from an another , physical secure
server automatically. If the server is reported as stolen, you can delete it
or deny access. You may archive extra security by evaluating the network
topology before granting access to your secure server. (If you're server is
stolen and connected to the internet, you probably hop across different
routers to get there) - however, this requires some effort monitoring your
ISPs routes.
pro: Boots without any interaction
cons: Less secure
Keep smiling
yanosz
Reply to: