On Sun, 30 Sep 2018 20:03:41 +1000
Andrew McGlashan wrote:
>
> Hi,
>
> On 30/09/18 16:44, deloptes wrote:
> > Celejar wrote:
> >
> >> But grub itself and its configuration can't be encrypted, so an
> >> attacker could still compromise that
Hi,
On 30/09/18 16:44, deloptes wrote:
> Celejar wrote:
>
>> But grub itself and its configuration can't be encrypted, so an
>> attacker could still compromise that code / data. IIUC, your
>> solution basically just implies moving some of the
Celejar wrote:
> But grub itself and its configuration can't be encrypted, so an
> attacker could still compromise that code / data. IIUC, your solution
> basically just implies moving some of the logic currently in the
> initramfs into grub.
>
Yes, this is the point I am making.
> One
On Thu, 27 Sep 2018 17:54:26 +1000
Andrew McGlashan wrote:
...
> The biggest weakness with the Dropbear setup is that the initramfs is
> stored on an unencrypted partition (no matter which file system is
> used). That means that someone with physical access can rebuild the
> initramfs and
On Fri, Sep 28, 2018 at 1:32 AM deloptes wrote:
> Andrew McGlashan wrote:
>
> > The biggest weakness with the Dropbear setup is that the initramfs is
> > stored on an unencrypted partition (no matter which file system is
> > used). That means that someone with physical access can rebuild the
>
Andrew McGlashan wrote:
> The biggest weakness with the Dropbear setup is that the initramfs is
> stored on an unencrypted partition (no matter which file system is
> used). That means that someone with physical access can rebuild the
> initramfs and include their own key as well as other stuff
On 27/09/18 03:17, Jonathan Dowland wrote:
> On Wed, Sep 26, 2018 at 06:14:42PM +0200, deloptes wrote:
>> so how can we do it with initram and without some external key
>> server? Imagine I have only boot not encrypted on the server. I
>> want to
Jonathan Dowland wrote:
> What you describe is exactly how the dropbear/initramfs integration
> works. The data stored in /boot is the initramfs, and within that, the
> only material you might consider sensitive is an SSH server keypair
> (public) for the SSHD instance in the initramfs
On Wed, Sep 26, 2018 at 06:14:42PM +0200, deloptes wrote:
so how can we do it with initram and without some external key server?
Imagine I have only boot not encrypted on the server.
I want to boot the machine and get a prompt via SSH or something like SSH,
where I can type in the password and
Igor Cicimov wrote:
> An example for automation with AWS using SSM and KMS services
>
https://icicimov.github.io/blog/server/LUKS-with-AWS-SSM-and-KMS-in-Systemd/
> It can be modified for initramfs.
so how can we do it with initram and without some external key server?
Imagine I have only boot
On Wed, 19 Sep 2018 12:58 pm Andy Smith wrote:
> Hello,
>
> On Mon, Sep 17, 2018 at 08:00:50PM +0200, Pascal Hambourg wrote:
> > On 16/09/2018 at 00:39, Andy Smith wrote:
> > >
> > >The obvious problem there is an attacker who gets hold of the
> > >initramfs in order to be able to use the
On 09/19/2018 02:57 AM, Andy Smith wrote:
> For sophisticated attackers who could do the clever thing, and had
> physical access to the server for enough time, it would be simpler
> to get a key for an encrypted file system by using hardware
Hello,
On Mon, Sep 17, 2018 at 08:00:50PM +0200, Pascal Hambourg wrote:
> On 16/09/2018 at 00:39, Andy Smith wrote:
> >
> >The obvious problem there is an attacker who gets hold of the
> >initramfs in order to be able to use the credentials to request the
> >passphrase themselves.
[…]
> >
Hi,
On 18/09/18 04:15, deloptes wrote:
> I wanted to have a look at this link, that someone mentioned:
> https://hamy.io/post/0009/how-to-install-luks-encrypted-ubuntu-18.04.x-server-and-enable-remote-unlocking/
>
>
It seems to address the
Pascal Hambourg wrote:
> How does this address the above concern?
IMO this is not applicable when my server has to use encrypted root, which I
would be able to decrypt via SSH at boot.
The question is what do I gain when boot is not encrypted and I have there
my SSH key and password and so on.
On 16/09/2018 at 00:39, Andy Smith wrote:
The obvious problem there is an attacker who gets hold of the
initramfs in order to be able to use the credentials to request the
passphrase themselves. For those who wanted to get more elaborate
(and more likely to mess up and leave their server a
Hello,
On Sat, Sep 15, 2018 at 11:52:01PM +0200, deloptes wrote:
> I also wish I knew how to get ssh into initrd and the whole networking, so
> that I could do it remotely when needed.
I've never done it myself, as I have IPMI access to anything I care
about, but it appears to be as simple as