Dirk Heinrichs wrote:
> On Thu, 1 Jun 2006, ext Luke Scharf wrote:
> > The solution that most people in your situation would use would be to put the key on a USB flash drive, which then resides on your physical keychain (the one that rides around in your pocket).
> So you need human assistance for booting, anyway. At this point you can simply use a passphrase (even multiple ones for multiple admins) and don't bother with protecting the keyfile on the USB flash device.
Or, better yet, you can require a memorized passphrase to encrypt the keys on the USB disk and have 2-factor authentication. Personally, I'd rather memorize the key, since I'm currently better at remembering codes than I am at keeping track of physical objects.
The core of what I'm trying to communicate to the OP is that if the machine will boot automatically, then the keys are on the machine, which means that anyone who knows how the encryption key works can unencrypt it trivially.
-Luke
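To make the trade-off in this exchange concrete, here is an added example (not code from the thread or from any of its participants) of the two designs Luke contrasts: a plain keyfile that an unattended boot reads straight off the machine, and a keyfile on the USB stick whose contents are the random volume key sealed under a key derived from a memorised passphrase. The wrapping construction (PBKDF2-HMAC-SHA256 into AES-256-GCM, with the salt bound as associated data), the iteration count and the passphrase are this example's own assumptions, not anything the thread specifies; it uses only the Go standard library, with PBKDF2 written out inline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// KDF cost for turning the passphrase into a key-encryption key.
// Assumed value for the demo; a deployment tunes this (or uses Argon2)
// to the slowest unlock the admins will tolerate.
const kdfIterations = 100_000

// WrappedKey is what would live on the USB stick: the random volume key
// sealed under a passphrase-derived key. Reading the file alone yields nothing usable.
type WrappedKey struct {
	Salt       []byte // public, per-wrap KDF salt
	Nonce      []byte // AES-GCM nonce, unique per wrap
	Ciphertext []byte // volume key followed by the GCM tag
}

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, written out so the
// example needs nothing beyond the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iterations, keyLen int) []byte {
	mac := hmac.New(sha256.New, passphrase)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil) // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_j = PRF(P, U_{j-1})
			for k := range t {
				t[k] ^= u[k] // T_i = U_1 xor U_2 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func aeadFor(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapVolumeKey seals volumeKey under a key derived from passphrase.
// The salt is bound as associated data, so a tampered header fails authentication.
func WrapVolumeKey(volumeKey []byte, passphrase string) (*WrappedKey, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	kek := pbkdf2SHA256([]byte(passphrase), salt, kdfIterations, 32)
	aead, err := aeadFor(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &WrappedKey{Salt: salt, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, volumeKey, salt)}, nil
}

// UnwrapVolumeKey recovers the volume key. A wrong passphrase fails the GCM tag
// check and returns an error instead of silently yielding garbage.
func UnwrapVolumeKey(w *WrappedKey, passphrase string) ([]byte, error) {
	kek := pbkdf2SHA256([]byte(passphrase), w.Salt, kdfIterations, 32)
	aead, err := aeadFor(kek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, w.Nonce, w.Ciphertext, w.Salt)
}

func main() {
	volumeKey := make([]byte, 32)
	if _, err := rand.Read(volumeKey); err != nil {
		panic(err)
	}

	// Case 1: unattended boot reads the key from a plain file on the machine.
	// Whoever can read that file (or image the disk) has the key; no work required.
	plainKeyfile := append([]byte(nil), volumeKey...)
	fmt.Println("plain keyfile hands over the volume key directly:", bytes.Equal(plainKeyfile, volumeKey))

	// Case 2: the file on the USB stick is the wrapped key; it needs the passphrase too.
	w, err := WrapVolumeKey(volumeKey, "correct horse battery staple") // assumed demo passphrase
	if err != nil {
		panic(err)
	}
	if _, err := UnwrapVolumeKey(w, "guess"); err != nil {
		fmt.Println("stick without the passphrase:", err)
	}
	got, err := UnwrapVolumeKey(w, "correct horse battery staple")
	fmt.Println("stick plus passphrase unlocks:", err == nil && bytes.Equal(got, volumeKey))
}
```

The design point is the one Luke makes: in case 1 the only secret is the file, so whoever reaches the file has the volume; in case 2 an attacker with the stick still has to guess the passphrase through the KDF, and an attacker with only the passphrase has nothing to apply it to. Losing the stick, or forgetting the passphrase, loses the volume, so a second wrapped copy (a second admin's passphrase, or an offline recovery copy) is the usual companion to this layout.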