Date: Mon, 6 Aug 2018 15:50:16 +0200
From: Polytropon
To: galtsev@kicp.uchicago.edu
Cc: "thor", freebsd-questions@freebsd.org
Subject: Re: Erase memory on shutdown
Message-Id: <20180806155016.8214e603.freebsd@edvax.de>

On Sun, 5 Aug 2018 21:31:03 -0500 (CDT), Valeri Galtsev wrote:
> Yes, it was repeated forever that security begins with physical security.
> And repeating again what my friend likes to say: nothing can stop the guy
> with the screwdriver.

Not quite true, but pretty close. In this context, even encrypted
partitions sometimes don't help. Things that actually have happened:

1. A thief stole the server of a small business. They had encryption
   in place, and because their HPC told them that keys should be used,
   they stored keys on a USB stick that was put in the front USB
   connector of the server, because their HPC said it was very
   convenient to do so, as the server found the keys when booting
   and could then enable access to the encrypted disk. GAME OVER.

2. A group of thieves stole the whole server rack, including the UPS
   units, attached them to a power generator in their van, drove it
   to the "extraction site" which had regular power, re-attached
   regular power, and copied everything from the still running system
   without being hit by any "please enter the password" dialogs.
   GAME OVER.

The guy with the screwdriver usually wins. ;-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...