Re: Serveur with encrypted partition : 2 steps boot.

To: debian-user@lists.debian.org
Subject: Re: Serveur with encrypted partition : 2 steps boot.
From: Richard Hector <richard@walnut.gen.nz>
Date: Wed, 08 May 2013 16:53:25 +1200
Message-id: <[🔎] 5189DA45.70703@walnut.gen.nz>
In-reply-to: <20130416231552.GA4559@hysteria.proulx.com>
References: <20130411062556.GB11228@hysteria.proulx.com> <20130411072230.GH4984@rail.eu.org> <701059D1-4FA8-4473-8797-EE29C3464A2C@pobox.com> <516707F2.9070207@rail.eu.org> <9EEFA67F-AEE7-4C68-97EA-F2DDD8EF9FBF@pobox.com> <20130412075317.GK4984@rail.eu.org> <20130412150038.GB6002@tal> <516866F1.8000003@rail.eu.org> <9BFCD36A-4D0E-4747-9BB9-FAD21069A384@pobox.com> <51693146.8000204@rail.eu.org> <20130416231552.GA4559@hysteria.proulx.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 17/04/13 11:15, Bob Proulx wrote:
> In any case...  I wanted to add an additional comment.  I have
> been thinking of doing something like this myself.  I haven't done
> it yet but if I were implementing this then I think I would have
> the server contact a central machine elsewhere on the network to
> get the keys to decrypt and mount the encrypted partitions.  I am
> not sure what the best mechanics would be to implement it.  But I
> think as soon as networking came online I would have the remote
> server with the encrypted disks contact a different server that I
> controlled.  Have it pull the keys for the partition from there.
> Then automatically mount the partitions.  Then have it continue the
> boot process normally and start the daemons normally.
> 
> That way the machine can be rebooted in an automated way without 
> trouble.  I would have them go through automatically.  Then on a 
> normal reboot the machine would mostly behave normally.  But if
> the machine were stolen it wouldn't be able to get the keys and
> wouldn't be able to decrypt that disk.
> 
> Lock the key server to the remote server's IP address.  The
> machine could also block waiting for the external keys and allow
> you to acknowledge them if you wanted the extra security.  After 
> acknowledging them the machine would continue to boot normally.
> 
> If the machine were stolen then the encrypted partition would not
> be unlocked automatically since it would then come from a different
> IP address.  However knowing that IP address would give you a trail
> to the thief.

This is, like many things you post, really interesting. Do you have a
blog, to make these things easier to find?

Richard

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQEcBAEBAgAGBQJRido7AAoJELSi8I/scBaN3UsH/2R/rB29S+ismTXAZhw4gUqG
+pfIbHkEzkcrPGQbAalHQoVGpWHUIIOspSpmpXFg3mPumW09MzwlGQwNcJIqUtxa
NLbvZn64XT9a0pZjdkx8CvgjRt2t3UDxAJTzGCLmLhk8S7KLahREvyBE3BjO3711
zmaA0QnojVnO1L7tXRmKfadDjLRnCUifdMVI2ZdHhlrnL9yFYvV6yipKZ9lzuwAB
Zdiv89xX63SvvpN4Ld+E2A7D5swx78Gl+WYlo1NBTFppPfUH/C9Xoue3uxBcvnEv
gfJ7uOTGZkD3a0thkA8k1x6pOcLsj9AC6eh51zXjonA+l+oR5EqNbvLRnUAWN3Q=
=ovAq
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: Serveur with encrypted partition : 2 steps boot.
  - From: Bob Proulx <bob@proulx.com>

Prev by Date: Re: installing from iso on partition to another partition, avoiding all access to usb
Next by Date: Re: Debian 7 Wheezy Stable Relelased
Previous by thread: Re: No difference between Wheezy Live Free ISO and Nonfree ISO?
Next by thread: Re: Serveur with encrypted partition : 2 steps boot.
Index(es):
- Date
- Thread