
Re: Question related to FDE (Full Disk Encryption) solution under Linux Debian Lenny



On Mon, Jan 24, 2011 at 12:06, Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> wrote:
Jonas Andradas wrote:
In particular, both "mandos" and "mandos-client" have Debian packages available.

[1] http://www.fukt.bsnet.se/mandos

That sounds interesting, but why not run the Mandos server ONLY when you are restarting machines? The Mandos server could be a tiny VM or even a boot from a USB thumb drive -- the USB could be locked away in a safe until required. A copy of the USB could be stored in a bank vault. The only time that the USB is needed is when you must restart a server or re-mount a file system protected by this scheme. No need to continually run a Mandos server anywhere.

--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP


Hello Andrew, 

however, having to start up the Mandos server in order for the host to start up could defeat the purpose of Mandos itself, which is supposed to allow servers to start up autonomously, without human intervention. Of course, you could always have your monitoring software detect the server failure or reboot and, as an action, trigger the startup of a Mandos VM. In this case, however, the Mandos server probably would not be full-disk encrypted (otherwise, it would need human intervention to start or another Mandos server running somewhere), but maybe it would be possible to come up with an interesting setup to achieve this.

Best Regards,

--
Jonás Andradas

Skype: jontux
LinkedIn: http://www.linkedin.com/in/andradas
GPG Fingerprint:  678F 7BD0 83C3 28CE 9E8F
                           3F7F 4D87 9996 E0C6 9372
Keyservers:  pgp.mit.edu | pgp.rediris.es

