Mike Noyes wrote:
> Everyone,
> Do we gain anything by encrypting the device leaf is installed on?
>
>         Example: kernel 2.6 on usb-hdd flash drive encrypted with
>         cryptsetup or dm-crypt.
>

It's actually something that could be useful. In some situations it can
be hard/impossible to physically secure the computer well enough. When
the OS (and the passwords) are all stored on a floppy, it is relatively
easy to remove the floppy, make a copy of it at home and reinsert it
again without anyone noticing anything. Then you have time to decrypt
the passwords at home (until next time the password is changed).

If the device where /etc/passwd or /etc/shadow is stored is encrypted,
it's harder to do things like that. (I have actually seen homemade
installers that create a file with the default password in clear text on
the floppy...)

But the OS and software itself are available on the internet, so there is
generally no need to encrypt that.

Another thing that is probably more interesting is when you have a data
disk connected to your box and run some kind of service
(samba/nfs/ldap/sql/torrent/whatever) where the data is encrypted. Run
the OS from USB and have only your data storage on disk, encrypted with
dm-crypt. When the police/dictator government/employer/parents/<enter
your favorite fear here> comes running into your house, you just grab
your usb stick, unplug the power to the server (please remember to unplug
the correct cable if you use UPS) and jump out of the window (or eat
your cyanide pill - but then please remember to destroy the USB stick
*before* you take the pill). When they examine the disk(s) afterwards it
is pretty difficult to find out what was on the disk or if there was
anything at all.

But that kind of thing is normally not for normal people. :-)

> Just something I've been thinking about since I started mentioning 2.6
> and usb-hdd. I'm probably off on a useless tangent again. :-(
>   

It's important that people can feel free to throw out new ideas, even
if not all are good. Using dm-crypt (or other dm-devices) is actually an
interesting topic. I have been thinking of file/web/database/DNS servers
where the OS is booted from cdrom or usb into ram (LEAF style) and with
a data disk mounted for the data.

This has a few interesting benefits: you prefetch all the services to
RAM = super fast response times. (You might need more RAM, but with tmpfs
it's not much space wasted.) Easy to install. If you need to move to
other hardware, just unplug the usb/cdrom and put it in the new hardware
and you are more or less up and running again.

Of course there are interesting combinations with dm-crypt and stuff
like that, like mentioned above.

However, I believe that falls outside the scope of uclibc-bering - with
good reasons.

A more realistic interesting thing with the 2.6 kernel is the new IPsec stack.
http://www.shorewall.net/IPSEC-2.6.html


--
Natanael Copa