Date: Fri, 16 May 2003 00:37:48 +0300 (EEST)
From: Narvi <narvi@haldjas.folklore.ee>
To: Terry Lambert <tlambert2@mindspring.com>
Cc: Stalker <stalker@ents.za.net>
Subject: Re: Crypted Disk Question
Message-ID: <20030515185823.X40030-100000@haldjas.folklore.ee>
In-Reply-To: <3EC35ACB.BFA5DE86@mindspring.com>
On Thu, 15 May 2003, Terry Lambert wrote:

> Narvi wrote:
> > > The question boils down to "How does this automatic process know
> > > it's you, and not someone else, turning on the computer?".
> >
> > Well, this is not entirely fair - a hard disk removed from the server
> > would in the scenario still remain locked and the data inaccessible.
> > Similarly, for the removal of the server, say using an iButton or USB
> > drive or similar that is needed to unlock the data but would be kept
> > separately.
>
> Anything that doesn't require a human to intervene can be
> subverted. If there are people with sufficient physical
> access to the disk that it needs to have its contents
> encrypted in the first place, then they have sufficient
> physical access to put a breakout between the computer and
> any serial or USB or other dongle you can name.
>

Similarly, humans can be subverted and one can point a camera at the
keyboard or log the emissions from it, thus capturing the password.

> > You could, say, have an expect script watching the serial console
> > output and enter the key.
>
> And if you had sufficient physical access to the drive to
> be able to read its raw data, then you have sufficient access
> to capture the key entry by the other box by inserting a tap
> and rebooting the box that needs the key on reboot.
>

So?

> > Another way would be having the server establish an ssh
> > session to a machine to get the key.
>
> If the ssh is automatic, either because of symmetric key
> distribution, or because your passphrase is blank... then,
> again, it's easy to intercept the exchange. If it's safe
> from this, then it requires a human to enter a passphrase,
> and you are back to the original problem.
>
> > It really depends on what kinds of reasons the encryption
> > is being used for and what the spectrum of allowable tradeoffs is.
>
> The only reason for an encrypted drive, since once you are
> logged in, and have entered the password, the drive is not
> crypted, is fear about someone else with physical access to
> the drive.
>

Which is not at all the scenario (active attacker) you are describing as
proof that this is a stupid idea for all cases, even if it is meant to
guard against accidental loss (misplaced box during office move or
similar) or leak of sensitive information (patient records, whatever) as a
result of a simple burglary. You might just as well claim GEOM is useless
because they could always torture the password out of you - both views are
equally meritless.

> --
> Terry
>
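The two positions in the thread can be played out against a concrete unlock design. The following is an added example written for this archive page; it is not code from either poster and has nothing to do with GEOM's or gbde's actual on-disk format. It assumes a toy scheme in which the disk stores only a wrapped data-encryption key (DEK), and the key-encryption key is derived from two factors: a secret held on an external token (Narvi's iButton/USB device, or the secret fetched over ssh) and an operator passphrase. Setting either factor to an empty string models a deployment that relies on the other one alone. The scenario names, the HMAC/PBKDF2/XOR wrap construction and the byte lengths are all choices made for this example.

```python
import hashlib
import hmac
import secrets

# Added example for the thread above; not GEOM/gbde code. Toy key wrap:
# on-disk header = salt || (dek XOR enc_key) || HMAC tag, with enc_key and
# mac_key derived from the token secret and the passphrase.
SALT_LEN = 16
KEY_LEN = 32
TAG_LEN = 32


def derive_kek(token_secret: bytes, passphrase: bytes, salt: bytes) -> bytes:
    """Key-encryption key from the token secret (kept off the machine) and an
    operator passphrase. Either factor may be b"" to model a setup that
    relies on the other one alone."""
    material = hmac.new(token_secret, passphrase, "sha256").digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 50_000, dklen=2 * KEY_LEN)


def wrap_dek(dek: bytes, token_secret: bytes, passphrase: bytes = b"") -> bytes:
    """Return the header that lives on the disk; the DEK itself never does."""
    if len(dek) != KEY_LEN:
        raise ValueError("dek must be %d bytes" % KEY_LEN)
    salt = secrets.token_bytes(SALT_LEN)
    kek = derive_kek(token_secret, passphrase, salt)
    enc_key, mac_key = kek[:KEY_LEN], kek[KEY_LEN:]
    wrapped = bytes(a ^ b for a, b in zip(dek, enc_key))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return salt + wrapped + tag


def unwrap_dek(header: bytes, token_secret: bytes, passphrase: bytes = b""):
    """Recover the DEK, or None if a factor is wrong or the header was
    tampered with. The tag is checked (constant-time) before unwrapping."""
    if len(header) != SALT_LEN + KEY_LEN + TAG_LEN:
        return None
    salt = header[:SALT_LEN]
    wrapped = header[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = header[SALT_LEN + KEY_LEN:]
    kek = derive_kek(token_secret, passphrase, salt)
    enc_key, mac_key = kek[:KEY_LEN], kek[KEY_LEN:]
    expected = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, enc_key))


def attack_outcomes(token_secret: bytes, passphrase: bytes) -> dict:
    """Play the thread's scenarios against one provisioned disk. True means
    the attacker (or the legitimate boot) recovers the DEK.
    - disk_only: burglary or a box lost in an office move; header only
    - disk_plus_tapped_token: a breakout on the USB/serial/ssh link
    - disk_plus_camera_passphrase: keyboard filmed, token not captured
    - everything_captured: tap plus camera, the active attacker"""
    dek = secrets.token_bytes(KEY_LEN)
    header = wrap_dek(dek, token_secret, passphrase)
    return {
        "legitimate_boot": unwrap_dek(header, token_secret, passphrase) == dek,
        "disk_only": unwrap_dek(header, b"", b"") == dek,
        "disk_plus_tapped_token": unwrap_dek(header, token_secret, b"") == dek,
        "disk_plus_camera_passphrase": unwrap_dek(header, b"", passphrase) == dek,
        "everything_captured": unwrap_dek(header, token_secret, passphrase) == dek,
    }


if __name__ == "__main__":
    # Unattended reboot (token only, blank passphrase) versus two factors.
    for pw in (b"", b"operator passphrase"):
        print("passphrase set:" if pw else "no passphrase:")
        for name, got_dek in attack_outcomes(b"token-secret", pw).items():
            print("  %-28s %s" % (name, "DEK recovered" if got_dek else "locked"))
```

With a blank passphrase the `disk_plus_tapped_token` row comes out True, which is Terry's point: once the token secret crosses a cable an attacker can tap, automation buys nothing against someone already inside the machine room. With both factors set, `disk_only` and each single captured factor stay False while `everything_captured` is True, which is Narvi's point: the burglary and lost-box cases are covered even though a determined active attacker is not. The scheme is also only as good as the salt and key lengths and the PBKDF2 cost chosen here; a real implementation would use an authenticated cipher rather than a one-time XOR.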
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030515185823.X40030-100000>