Yes, I meant exactly that. The attacker (after discovering the
decryption mechanism) would need to boot the machine from some other
hard disk (supposedly other boot options disabled in BIOS and password
protected as has been suggested), get the CPU serial number and then use
that to decrypt the file system. While this is doable, I think it is
enough for the original poster who did not want to make it impossible
but "hard" to get the data.
        Of course if you wanted it to be really secure, you would have
to bring the decryption key (and passphrase in your head) on a removable
media to the site and then boot with that. The question is just what is
worth more - your time or your data.

Daniel


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Edgecombe
Sent: Tuesday, January 22, 2008 12:06 AM
To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
Subject: Re: [rhelv5-list] Protect my stolen disk

Tom Sightler wrote:
> On Mon, 2008-01-21 at 14:06 +0200, Ahmed Kamal wrote:
>   
>> That's cool. I guess the real issue is when booting the system and 
>> decrypting. I guess we would need to change some initscripts ? to do 
>> the same
>>     
>
> How exactly will this help if you don't dynamically pull the 
> encryption key during boot?  If you just hard code the encryption in 
> the initscript on the boot disk then someone stealing the disk still 
> has all the information required to decode the data, and trivially at
> that.
>
> Of course you could modify your init scripts to parse out some unique 
> piece of information out of the system to use for the encryption key 
> (like maybe the UUID or system serial number from dmidecode) but isn't
> someone just as likely to steal the entire hardware as just the disk?
>
> Later,
> Tom
>   
I think the implication was to dynamically pull the serial for
production use while hard-coding the pre-recorded serial number for
service or recovery purposes.

Jason

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
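As an added illustration (not code from Daniel, Tom or Jason, and not anything shipped with RHEL), here is a POSIX shell sketch of the boot-time scheme the thread is talking about: the hardware identifier is read live from `dmidecode -s system-uuid` for production, a pre-recorded value can be supplied for service or recovery through an assumed HW_ID_OVERRIDE variable, and an optional passphrase is mixed into the derivation so the key stops being a pure function of what anyone booting the box can read. The salt string, the variable names, the function names and the sample UUIDs are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: derive a volume key from a hardware
# identifier at boot, with a recovery override and an optional passphrase.

# sha256 hex digest of stdin, using coreutils or openssl, whichever exists.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        openssl dgst -sha256 | sed 's/^.* //'
    fi
}

# Production path: read the system UUID with dmidecode (needs root at boot).
# Recovery path: HW_ID_OVERRIDE (assumed name) carries the pre-recorded value.
get_hw_id() {
    if [ -n "${HW_ID_OVERRIDE:-}" ]; then
        printf '%s' "$HW_ID_OVERRIDE"
    elif command -v dmidecode >/dev/null 2>&1; then
        dmidecode -s system-uuid 2>/dev/null | tr -d '\n'
    else
        return 1
    fi
}

# derive_key HW_ID [PASSPHRASE]
# Key material = SHA-256(salt : hw_id : passphrase).  With an empty
# passphrase the key is fully determined by data the hardware hands out,
# which is exactly the weakness Tom raises; the passphrase is Daniel's
# "in your head" secret that the stolen box does not contain.
derive_key() {
    hw_id=$1
    pass=${2:-}
    printf 'example-volume-key-v1:%s:%s' "$hw_id" "$pass" | sha256_hex
}

# What an initscript would pipe into cryptsetup (e.g. luksOpen --key-file -).
unlock_key() {
    hw_id=$(get_hw_id) || { echo "no hardware id available" >&2; return 1; }
    derive_key "$hw_id" "${VOLUME_PASSPHRASE:-}"
}

# Show both derivations for a constructed UUID.
demo() {
    hw="constructed-uuid-4c4c4544-0000"
    echo "hardware only  : $(derive_key "$hw")"
    echo "with passphrase: $(derive_key "$hw" "example passphrase")"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh keyderive.sh demo` to see the two keys; the first line is what an attacker with the hardware can recompute, the second is not, unless the passphrase is also stored on the disk.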


