Hello,
On Mon, Sep 17, 2018 at 08:00:50PM +0200, Pascal Hambourg wrote:
> Le 16/09/2018 à 00:39, Andy Smith a écrit :
> >
> >The obvious problem there is an attacker who gets hold of the
> >initramfs in order to be able to use the credentials to request the
> >passphrase themselves.
[…]
> > https://wiki.recompile.se/wiki/Mandos
> How dos this address the above concern ?
It is of course impossible to have both entirely automated unlocking
and perfect protection against someone taking the credentials from
the unencrypted bootstrap environment.
Having a script in your initramfs that unlocks your encrypted
filesystem provides no protection at all from someone who obtains a
copy of your initramfs and your encrypted filesystem.
You could add some more protection by using an online key/value
store instead of hard-coded credentials, since the key/value server
could also enforce things other than simple access to a file. For
example, it could require the request to come from a certain IP
address.
Using something like Mandos is another step along this path, by
requiring the unlock attempt to come within some short time period
since the last time your server checked in. It has shifted the
requirements from "have a copy of the encrypted filesystem and a
copy of the initramfs" to "have a copy of the encrypted filesystem
and the initramfs and be able to talk to the Mandos server from the
correct IP address within the required time interval". All it can do
is make the attack harder, not make it impossible.
It also clearly adds a lot of opportunities for you to permanently
lock yourself out of the encrypted filesystem by accident, unless
you take the precaution of having another set of credentials for
"emergency manual unlock" that you keep elsewhere.
An attacker who is aware of requirements such as where the secrets
server is, how to interact with it, where requests must come from,
time window in which requests must be made, etc is not going to be
defeated. Mandos's argument seems to be that such attackers are rare
and will probably just use the law or techniques like memory dumping
in preference to all that anyway.
https://www.recompile.se/mandos/man/intro.8mandos
"FREQUENTLY ASKED QUESTIONS
Couldn't the security be defeated by…
Grabbing the Mandos client key from the initrd really quickly?
This, as mentioned above, is the only real weak point. But if
you set the timing values tight enough, this will be really
difficult to do. An attacker would have to physically
disassemble the client computer, extract the key from the
initial RAM disk image, and then connect to a still online
Mandos server to get the encrypted key, and do all this before
the Mandos server timeout kicks in and the Mandos server refuses
to give out the key to anyone.
Now, as the typical procedure seems to be to barge in and turn
off and grab all computers, to maybe look at them months later,
this is not likely. If someone does that, the whole system will
lock itself up completely, since Mandos servers are no longer
running.
For sophisticated attackers who could do the clever thing, and
had physical access to the server for enough time, it would be
simpler to get a key for an encrypted file system by using
hardware memory scanners and reading it right off the memory
bus."
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
It can be modified for initramfs.