On Sun, 01 Nov 2009 20:19:46 +0000
Magnus Therning <magnus@xxxxxxxxxxxx> wrote:

> On 01/11/09 15:06, Karol Babioch wrote:
> > Hi,
> >
> > I'm wondering whether there is a possibility to encrypt a remote
> > system using Arch Linux? I have installed Arch on a remote server,
> > and don't like the idea that anyone with physical access to my
> > system has access to my data. So is there something I can do about
> > it?
> >
> > Using dm-crypt (with luks) doesn't work at all, as I can't input the
> > passphrase when I reboot my system, the technician would really
> > hate me if I ask them to attach a remote console each time I reboot
> > my system.
> >
> > So is there anything I can do?
>
> AFAICS there is *nothing* you can do against someone with physical
> access. Encrypting the disk will only protect it while it's at rest,
> as soon as you've booted the system you're back to the situation
> where you have to trust the physical hardware, network, etc.
>
> I assume you're talking about encrypting the *entire system* (as
> opposed to just your home directory, since that would be obviously
> without any effect at all). Given that, out of curiosity, how do you
> plan on getting the password to the remote system at boot time?
>
> /M
>

1) if your server supports it, you could use IPMI serial-over-lan
2) you can encrypt your / or /home, there are ways to have the early
   userspace start an ssh daemon so you can connect it.
3) if you're really paranoid: somebody could overwrite your
   bios/bootloader/early userspace and sniff your password when you
   enter it (remotely).
4) and then there is what Magnus said.

(IIRC ipmi SOL is plaintext)

Dieter