On Mon, Jan 24, 2011 at 11:22, Jeroen van Dongen <[email protected]> wrote:

> > Hello Thomas,
> >
> > as Jeroen already said, the problem with this is that if they steal only
> > the hard-drive, the data should be safe. Instead, if they steal the whole
> > server (which is somewhat harder, but not impossible), they only need it to
> > boot and the BIOS would decrypt the data for the attacker.
>
> Hello Jonas, Thomas,
>
> Actually, I beg to differ. I've both heard of and experienced situations
> where a server room was raided by criminals in which cases almost all
> systems were taken - lock, stock and barrel. I've never heard of or
> experienced situations where only the hard disk of a server was
> removed/stolen (at least not in situations where the server was a production
> server which was correctly housed in a purpose-built server room).
>

Of course, if a server room is raided, most commonly criminals would take
everything. "Hard-drive-stealing" would be more a case where someone sneaks
into the server room and takes out the hard drives attempting to access
sensitive information somewhere else.  I don't know how often (if at all)
this scenario occurs.  I wanted to make the same point as you, that having
the password stored in the BIOS would allow anyone with the server to start
it, have the BIOS decrypt the hard drive and access the information.


>
> From that point of view, I would strongly advise against using any
> technique where the credentials required for decrypting/accessing the
> encrypted content are stored on the same system. I cannot fathom a serious
> threat model in which case this concept offers significant levels of
> security. In most cases if not all it will give a false sense of security,
> the worst kind of all.
>
> A setup using Mandos in combination with LUKS would be preferable -
> although in that case it would be advisable to have the Mandos server
> located in another building from the actual servers. Otherwise there is the
> risk of the Mandos server being stolen together with the  server(s) it helps
> secure.
>
> Rgds,
> Jeroen
>
>
For the setup to be completely secure, the host acting as Mandos server
would also need to have full disk encryption. Thus, if stolen, its contents
would be unavailable (unless stolen while keeping it running, or extracting
the Mandos data while it is running).  Of course, as you say, it would be
best to have the Mandos server on a separate facility (maybe having
cross-facility Mandos servers, so the servers from facility A start using
Mandos-server at facility B and vice versa).

Best Regards,

-- 
Jonás Andradas

Skype: jontux
LinkedIn: http://www.linkedin.com/in/andradas
GPG Fingerprint: 678F 7BD0 83C3 28CE 9E8F 3F7F 4D87 9996 E0C6 9372
Keyservers:  pgp.mit.edu | pgp.rediris.es
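An added example, not from any poster in this thread, of the check Jeroen's advice implies: audit /etc/crypttab for volumes whose unlock key file is stored on the same host as the encrypted disk, as opposed to an interactive passphrase or a keyscript= option (the Debian cryptsetup hook through which boot-time key fetching is wired in). The crypttab content is constructed and the keyscript path is a placeholder.

```python
"""Flag crypttab entries whose key material sits beside the data it protects.

Added example for this thread, not code from any list poster. The sample
crypttab below is constructed; the keyscript path is a placeholder.
"""

# Constructed sample. Real /etc/crypttab columns: name  device  keyfile  options
SAMPLE_CRYPTTAB = """\
# <target name> <source device>                            <key file>          <options>
root_crypt   UUID=11111111-2222-3333-4444-555555555555  none                luks
data_crypt   /dev/sdb1                                  /etc/keys/data.key  luks
remote_crypt /dev/sdc1                                  none                luks,keyscript=/usr/local/sbin/fetch-key
"""


def classify_entry(fields):
    """Return 'prompt', 'keyscript' or 'local-key' for one parsed crypttab line."""
    keyfile = fields[2] if len(fields) > 2 else "none"
    options = fields[3].split(",") if len(fields) > 3 else []
    if any(opt.startswith("keyscript=") for opt in options):
        # Key is produced at boot by a script (e.g. fetched over the network);
        # its safety depends on that script, not on a file stored here.
        return "keyscript"
    if keyfile in ("none", "-"):
        # Passphrase is asked interactively at boot.
        return "prompt"
    # Key file lives on this host: whoever takes the whole machine gets both
    # the ciphertext and the key, which is the setup the thread warns against.
    return "local-key"


def audit_crypttab(text):
    """Parse crypttab text and map each target name to its classification."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:  # malformed line; name and device are mandatory
            continue
        result[fields[0]] = classify_entry(fields)
    return result


def risky_targets(text):
    """Names of volumes whose key file is co-located with the encrypted data."""
    return sorted(n for n, c in audit_crypttab(text).items() if c == "local-key")
```

Running `risky_targets(open("/etc/crypttab").read())` on a real host lists the volumes that would fall to a whole-server theft regardless of disk encryption.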
