On Mon, Sep 21, 2009 at 02:47:50PM +0100, Niall Murphy wrote:
> ----- Jonas Meurer <jonas@xxxxxxxxxxxxxxx> wrote:
[...]
> That sounds ideal. However, I came across this so have some reservations.
> http://www.howtoforge.com/unlock-a-luks-encrypted-root-partition-via-ssh-on-ubuntu
>
> It lists two types of attack on this approach:
>
> (1) ColdBoot Attack by reading the crypto password from the ram blocks
> (not much you can't do against that without special hardware, see here)

If you are worried about ColdBoot attacks, you need to increase physical
server security. ColdBoot attacks are not possible without access to the
hardware and are generally not a concern except in special situations.
They also need advanced skills. They are not expensive though if the
hardware access is there.

> (2) The created initrd can be manipulated so that it logs the crypto
> password somewhere. As /boot is not encrypted an attacker may gain this
> way the password for the LUKS-devices. You could, to prevent that, make a
> bootable cd with the according kernels and initrds and implement some kind
> of hash check... maybe there are other methods... feedback is welcomed
> here.

If an attacker gets this level of control, other things are possible.
The CD is not really a solution, since the attacker could change the boot
order and boot a changed version of the CD from HDD (for example).
Basically the CD for a clean system is only reliable if no other writable
storage media are accessible at boot time and a cold boot is ensured.
Otherwise an attacker could also boot the CD into a virtual machine, with
the obvious consequences.

There are possibilities to fight this, e.g. a hard power-cycle every few
hours and hardware that makes the HDDs unavailable until the CD has
successfully booted. But I doubt that is an adequate solution here and it
has drastic negative impact on reliability.

Better just do a careful restrictive firewall configuration, and make sure
your system is patched.
Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of "news"
is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
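One way to implement the hash check Niall asks about, as an added example that is not part of the thread: two POSIX shell functions that record the SHA-256 of every file under a /boot directory into a manifest and later check the directory against it (changed, missing and added files). The function names, the manifest path and the sample files are assumptions; the check only means something if the manifest and the script run from a medium the attacker cannot write to, which is the limitation Arno describes.

```shell
#!/bin/sh
# Added example (not from the thread): integrity manifest for an
# unencrypted /boot. Assumes coreutils sha256sum and file names without
# whitespace. The manifest must live on read-only or off-host media;
# a manifest stored in the same /boot proves nothing.
#
#   boot_manifest_create /boot /mnt/cdrom/boot.sha256
#   boot_manifest_verify /boot /mnt/cdrom/boot.sha256 || echo "DO NOT UNLOCK"

# Write "<sha256>  ./relative/path" for every regular file under $1 to $2.
boot_manifest_create() {
    bootdir=$1; manifest=$2
    ( cd "$bootdir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) \
        > "$manifest"
}

# Check $1 against manifest $2. Prints each problem to stderr and returns
# 1 if anything differs (changed, missing or extra file), 0 if all matches.
boot_manifest_verify() {
    bootdir=$1; manifest=$2; status=0
    # Changed or missing files: sha256sum -c reports FAILED for them.
    if ! ( cd "$bootdir" && sha256sum -c --quiet "$manifest" ) 2>&1 >&2; then
        status=1
    fi
    # Files not in the manifest (e.g. an extra initrd) are not covered by
    # -c, so check every current file name against the recorded names.
    for f in $( cd "$bootdir" && find . -type f | LC_ALL=C sort ); do
        if ! awk -v f="$f" '{ sub(/^[^ ]+  /, ""); if ($0 == f) found = 1 }
                           END { exit !found }' "$manifest"; then
            echo "ADDED (not in manifest): $f" >&2
            status=1
        fi
    done
    return $status
}
```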