Andreas Hasenack wrote:
I thought about some stuff: - use something in the environment as the secret. Like some MAC addresses of the local switches and routers, some wireless SID, etc.
This is insecure. If someone has access to the machine (to steal it), this person will also be able to read out the data you use as secret.
- use a complex scheme with the password stored on a remote server which would, after a series of validations, connect back to the booting server to mount the fs for it.
You could use a server in your LAN which only accepts requests from the inside of this LAN and validates additional things like packet roundtrip time etc. before giving the secret to your host - but your attacker could just boot the machine before he carries it away and acquire the key by sniffing.
So if your attacker has more than a few seconds to mount his attack, the best solution would be to only give the secret if e.g. root has entered a password on the prompt of the validating server in the last n minutes prior to booting the machine with your crypto fs. If not, write a message to the syslog, sleep some minutes and try again, until root sees the server was involuntarily rebooted and gets around to entering that password on the other machine (which has to have better protection against theft than the machine you whish to protect via the crypto fs).
-- Dipl.-Verw.(FH) Sebastian Bork BNS Netzwerke & Sicherheit Ltd. http://www.bns-netzwerke.de/ Telefon: +49 (0)561 9 86 33 58 --------------------------------------------------------------------- dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/ To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx For additional commands, e-mail: dm-crypt-help@xxxxxxxx
