Re: self-encrypting drives (SED)
Andrew McGlashan wrote:
> 
> On 21/11/2015 1:59 PM, David Christensen wrote:
>> On 11/20/2015 01:04 AM, Pascal Hambourg wrote:
>>> Anyone with physical access can do whatever they want. You can
>>> set up restrictions in the BIOS or set restrictions in the boot
>>> loader, but they still can take the disk out and read or modify
>>> it with another machine.
>>>
>>> To protect against this you can use encryption or set up a
>>> password on the disk (ATA security functions). Note that
>>> encryption alone does not protect against tampering, as the boot
>>> part cannot be encrypted.
>>
>> As I understand it, self-encrypting drives (SED) encrypt
>> everything (including the boot partition).
> 
> You can do full disk encryption, but you are right that you need
> something to "boot" ... my solution is to use dropbear which offers an
> ssh login via an authorized key; once I'm logged in to that
> mini-environment, I then unlock LUKS volumes and go forward from
> there.  Dropbear saves me from needing physical access to a keyboard
> on the server and negates the need for BIOS involvement.

What problem does it solve exactly, besides the need for a keyboard?
I do not see how this "solution" protects against tampering of the
unencrypted boot part.