On 2011-10-11 21:04 , [email protected] wrote:
> On 11/10/11 19:34, Jeroen Massar wrote:
[..]
> Regarding your comments on keys being stored in RAM on crypto
> filesystems, I have a working solution for that too. My Ubuntu laptop
> uses full disk encryption, but the key is shifted from RAM into the
> debug registers of the CPU as soon as it starts booting, and all crypto
> operations are performed directly on the CPU without the key being
> transferred back into RAM, using the CPU's AES-NI instructions.

While that indeed solves (at least makes it really hard to get to it ;) the problem of the keys in memory/CPU regs, it, at least from what I can see now, does not solve the problem that a process which is allowed to do read/write operations on your fully encrypted disk can read that data when somebody has compromised that process. One thing to keep in mind. Your mail-directly-PGPd setup does not have that problem.

> This prevents the key being exposed during cold boot attacks. To achieve
> this, I patched my kernel using something called TRESOR. For more info
> see:
> https://grepular.com/Protecting_a_Laptop_from_Simple_and_Sophisticated_Attacks

Gotta love the part about diving with a USB stick, now I just have to get one of those to try out if it survives at least 50m ;)

But why don't you then just use only that USB stick instead of the SSD? Though of course the SSD is quite a bit faster, they have 16GB 3.0 editions and 64GB USB2 versions which should mostly be sufficient and half the space of the SSD in the box.

[..]
> Another possibility would be to have a mail server as a hidden service,
> and then just set up the Internet facing server to immediately forward
> all incoming email to the hidden server via Tor.

And presto, everything is safe. And in a similar way one could set up a Gmail account and have a hidden service use the Tor network to exit to gmail and poll it over IMAP to fetch the email, find the mail store then ;)

Greets,
 Jeroen

_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
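The "mail-directly-PGPd setup" the reply contrasts with full-disk encryption is the point worth seeing in code: if the server holds only the recipient's public key and encrypts each message at delivery, a process that can read the mail store gets ciphertext only, whereas with FDE alone the same process reads cleartext. The following is an added example written for this page, not code from either participant, from TRESOR, or from the grepular.com write-up. It uses a simplified hybrid scheme (AES-256-GCM body key wrapped with RSA-OAEP) as a stand-in for OpenPGP, so the armor format, the function names and the sample message are all assumptions.

```go
package main

// Added example for the thread above (not the participants' code).
// The delivery filter holds only the PUBLIC key; the private key stays
// on the laptop. Hybrid encryption stands in for OpenPGP here.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const armorHeader = "-----BEGIN ENCRYPTED MAIL BODY-----" // assumed armor, not OpenPGP's
const armorFooter = "-----END ENCRYPTED MAIL BODY-----"

// Constructed sample message; not a real mail.
const sampleBody = "Let's meet at the usual place at 21:00.\n"
const sampleMail = "From: alice@example.org\nTo: bob@example.org\nSubject: tonight\n\n" + sampleBody

// encryptBody: fresh AES-256 key per message, GCM for the body, RSA-OAEP to
// wrap the key. Layout: 2-byte wrapped-key length || wrapped key || nonce || ciphertext.
func encryptBody(pub *rsa.PublicKey, body []byte) (string, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, body, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return "", err
	}
	blob := append([]byte{byte(len(wrapped) >> 8), byte(len(wrapped))}, wrapped...)
	blob = append(blob, nonce...)
	blob = append(blob, ct...)
	return armorHeader + "\n" + base64.StdEncoding.EncodeToString(blob) + "\n" + armorFooter + "\n", nil
}

// decryptBody reverses encryptBody; only the holder of the private key can run it.
func decryptBody(priv *rsa.PrivateKey, armored string) ([]byte, error) {
	s := strings.TrimSpace(armored)
	if !strings.HasPrefix(s, armorHeader) || !strings.HasSuffix(s, armorFooter) {
		return nil, errors.New("not an encrypted body")
	}
	b64 := strings.TrimSpace(strings.TrimSuffix(strings.TrimPrefix(s, armorHeader), armorFooter))
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2 {
		return nil, errors.New("truncated blob")
	}
	klen := int(blob[0])<<8 | int(blob[1])
	blob = blob[2:]
	if len(blob) < klen {
		return nil, errors.New("truncated wrapped key")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:klen], nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	rest := blob[klen:]
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("truncated nonce")
	}
	return gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], nil)
}

// deliverEncrypted is the delivery-time filter: headers stay in the clear
// (the MTA still needs them), everything after the blank line is encrypted.
func deliverEncrypted(pub *rsa.PublicKey, raw string) (string, error) {
	raw = strings.ReplaceAll(raw, "\r\n", "\n")
	i := strings.Index(raw, "\n\n")
	if i < 0 {
		return "", errors.New("no header/body separator")
	}
	enc, err := encryptBody(pub, []byte(raw[i+2:]))
	if err != nil {
		return "", err
	}
	return raw[:i+1] + "X-Stored-Encrypted: yes\n\n" + enc, nil
}

// readStored is what the laptop does when it fetches a message from the store.
func readStored(priv *rsa.PrivateKey, stored string) (string, error) {
	i := strings.Index(stored, "\n\n")
	if i < 0 {
		return "", errors.New("no header/body separator")
	}
	body, err := decryptBody(priv, stored[i+2:])
	return string(body), err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // lives on the laptop only
	stored, err := deliverEncrypted(&priv.PublicKey, sampleMail)
	if err != nil {
		panic(err)
	}
	fmt.Print(stored) // what a compromised process on the server would see
	body, _ := readStored(priv, stored)
	fmt.Print(body)
}
```

Two caveats follow directly from the code. The headers (From, To, Subject) are still stored in the clear, so the mail store leaks metadata even when bodies are unreadable. And the filter process itself handles the plaintext body for a moment at delivery, so this protects the store at rest, which is exactly the "find the mail store then" case, not a delivery process that is compromised while mail is arriving.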
