Re: Serveur with encrypted partition : 2 steps boot.
- To: debian-user@lists.debian.org
- Subject: Re: Serveur with encrypted partition : 2 steps boot.
- From: Richard Hector <richard@walnut.gen.nz>
- Date: Wed, 08 May 2013 16:53:25 +1200
- Message-id: <[🔎] 5189DA45.70703@walnut.gen.nz>
- In-reply-to: <20130416231552.GA4559@hysteria.proulx.com>
- References: <20130411062556.GB11228@hysteria.proulx.com> <20130411072230.GH4984@rail.eu.org> <701059D1-4FA8-4473-8797-EE29C3464A2C@pobox.com> <516707F2.9070207@rail.eu.org> <9EEFA67F-AEE7-4C68-97EA-F2DDD8EF9FBF@pobox.com> <20130412075317.GK4984@rail.eu.org> <20130412150038.GB6002@tal> <516866F1.8000003@rail.eu.org> <9BFCD36A-4D0E-4747-9BB9-FAD21069A384@pobox.com> <51693146.8000204@rail.eu.org> <20130416231552.GA4559@hysteria.proulx.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 17/04/13 11:15, Bob Proulx wrote:
> In any case... I wanted to add an additional comment. I have
> been thinking of doing something like this myself. I haven't done
> it yet but if I were implementing this then I think I would have
> the server contact a central machine elsewhere on the network to
> get the keys to decrypt and mount the encrypted partitions. I am
> not sure what the best mechanics would be to implement it. But I
> think as soon as networking came online I would have the remote
> server with the encrypted disks contact a different server that I
> controlled. Have it pull the keys for the partition from there.
> Then automatically mount the partitions. Then have it continue the
> boot process normally and start the daemons normally.
>
> That way the machine can be rebooted in an automated way without
> trouble. I would have them go through automatically. Then on a
> normal reboot the machine would mostly behave normally. But if
> the machine were stolen it wouldn't be able to get the keys and
> wouldn't be able to decrypt that disk.
>
> Lock the key server to the remote server's IP address. The
> machine could also block waiting for the external keys and allow
> you to acknowledge them if you wanted the extra security. After
> acknowledging them the machine would continue to boot normally.
>
> If the machine were stolen then the encrypted partition would not
> be unlocked automatically since it would then come from a different
> IP address. However knowing that IP address would give you a trail
> to the thief.
This is, like many things you post, really interesting. Do you have a
blog, to make these things easier to find?
Richard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/
iQEcBAEBAgAGBQJRido7AAoJELSi8I/scBaN3UsH/2R/rB29S+ismTXAZhw4gUqG
+pfIbHkEzkcrPGQbAalHQoVGpWHUIIOspSpmpXFg3mPumW09MzwlGQwNcJIqUtxa
NLbvZn64XT9a0pZjdkx8CvgjRt2t3UDxAJTzGCLmLhk8S7KLahREvyBE3BjO3711
zmaA0QnojVnO1L7tXRmKfadDjLRnCUifdMVI2ZdHhlrnL9yFYvV6yipKZ9lzuwAB
Zdiv89xX63SvvpN4Ld+E2A7D5swx78Gl+WYlo1NBTFppPfUH/C9Xoue3uxBcvnEv
gfJ7uOTGZkD3a0thkA8k1x6pOcLsj9AC6eh51zXjonA+l+oR5EqNbvLRnUAWN3Q=
=ovAq
-----END PGP SIGNATURE-----
Reply to: