On Mon, 2016-02-08 at 08:47 -0800, Julien wrote:
> Hello,
> 
> I'm bumping the post; does nobody have a solution for encrypting an image?
> 
> I see more solutions for the Raspberry but I don't find the same
> solution for the BBB...

I'm not sure what solution would work for the pi that can't also be
used for the BBB.

> 
> I tested with encfs but the password must be typed or in a script.
> For automounting a folder at startup this is not secure. And I think with
> encFS a person can boot with a µSD card and find the ssh/encFS
> passwords on the eMMC...

You should know that anybody can walk up to any BBB, overwrite the MLO
and boot their own image. The SoC doesn't verify the boot image. 

What's your threat model? Are you worried about people having physical
access to the BBB? Then perhaps put it in a tamper evident/responsive
container. Otherwise, yes, you hold the USR_BOOT button and boot from
the SD card.

Does the application need an automated way to get the key to unlock the
file system? Can it get the key from a server? from a human?

Otherwise, you need to store/derive the key somehow on the BeagleBone.

You can use a TPM to store a LUKS encrypted key
(http://sourceforge.net/p/trousers/tpm-luks/ci/master/tree/). If
somebody did boot from the SD card, and if you have a TPM-enabled U-Boot
and application, then hopefully the PCR on the TPM will be different
and the LUKS key won't be accessible.

It's a big Rube Goldberg machine of sorts, but it will make the
attacker's (and your) life more complicated, which is an added layer.

I made this thing with SparkFun, maybe it will help if you decide to go
that route: https://www.sparkfun.com/products/12773



> 
> Thanks.
> 
> Best Regards,
> Julien.
> 
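
The PCR check described in the reply above, as an added example that is not part of the original message or of tpm-luks: a Python simulation of measured boot and sealing, assuming TPM 1.2-style SHA-1 extend. The stage names, byte strings, key and the `SimulatedTPM` class are constructed for illustration; no real TPM is used.

```python
import hashlib
import hmac

PCR_SIZE = 20  # assumption: TPM 1.2, where a PCR holds one SHA-1 digest


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA1(old PCR || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(stages) -> bytes:
    """Replay a measured boot: the PCR starts at zero and each stage is
    extended in boot order, so the final value depends on every stage."""
    pcr = bytes(PCR_SIZE)
    for image in stages:
        pcr = extend(pcr, image)
    return pcr


class SimulatedTPM:
    """Hypothetical stand-in for seal/unseal: the secret is released only
    when the current PCR equals the value recorded at seal time."""

    def __init__(self):
        self._sealed = None

    def seal(self, secret: bytes, pcr: bytes) -> None:
        self._sealed = (pcr, secret)

    def unseal(self, current_pcr: bytes):
        expected, secret = self._sealed
        if not hmac.compare_digest(expected, current_pcr):
            return None  # PCR mismatch: the key stays inaccessible
        return secret


# Constructed stand-ins for the boot images on each medium.
EMMC_BOOT = [b"MLO (eMMC)", b"u-boot.img (eMMC)", b"zImage (eMMC)"]
SD_BOOT = [b"MLO (SD card)", b"u-boot.img (SD card)", b"zImage (SD card)"]


def demo():
    """Seal a constructed LUKS key to the eMMC boot chain, then try to
    unseal it after an eMMC boot and after an SD card boot."""
    tpm = SimulatedTPM()
    tpm.seal(b"constructed-luks-key", measure_boot(EMMC_BOOT))
    return tpm.unseal(measure_boot(EMMC_BOOT)), tpm.unseal(measure_boot(SD_BOOT))


if __name__ == "__main__":
    print(demo())
```
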
