On Aug 2, 2009, at 4:00 PM, Arshad Noor wrote:

Jerry Leichter wrote:
does a server, built on stock technology, keep secrets that it can use to authenticate with other servers after an unattended reboot? Without tamper-resistant hardware that controls access to keys, anything the software can get at at boot, an attacker who steals a copy of a backup, say - can also get at.

Almost every e-commerce site (that needs to be PCI-DSS compliant) I've
worked with in the last few years, insists on having unattended reboots.

I penned a recent blog about this fact at

It discusses this fact and how it can be mitigated. Specifically, how wrapped keys can be escrowed, and used to boot a machine in, what I consider, a significantly more secure manner. Given that you can never guarantee a cloud provider can not tamper with you machine while running, this post describes the problem, a set of goals and one possible solution.

Encrypted Kernels are requirement. Geoff Arnold
suggested that an AMI that can boot an encrypted AMI may solve the issue. A harder, but possible solution would be to change the AMI's Grub loader without changing AWS's infrastructure. Anyone interested on working on a prototype :-)


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to