On Sun, Jun 27, 2010 at 04:28:35AM +0200, Christoph Anton Mitterer wrote:
> On Sun, 2010-06-27 at 01:34 +0200, Arno Wagner wrote:
> > Hmm. You know, encrypted root is a problem and pretty difficult
> > to do in the first place. Why not just encrypt the critical
> > parts, like /var /home /root? The rest only holds binaries
> > and config files anyways, which are not that sensitive...
> They're actually very sensitive, against compromise "when I'm not there"
> and the device is e.g. shut down (or even running).

For running, I recommend looking up physical memory freezing. It allows
you to cool down the memory, pull the power plug and read the complete
memory contents up to a few minutes later on an external device. The
keys are in there.

For not running, there are numerous ways to still attack the system.

> An attacker with access to my device could easily add e.g. a rootkit
> when I'm not there, which just waits until I once decrypt the "important
> stuff" and sends the key/data back home.

The current consensus in much of the security community is that if an
attacker has that level of physical access, you are screwed anyways.

> dm-crypt largely protects you from this.

Only against very low-powered attackers. Against these I recommend a
better lock on the door.

> Even if it doesn't give you
> mathematical integrity/authenticity, it's still very difficult for an
> attacker to do reasonable attacks (other than destroying your data)
> because he neither knows where to change, nor to which value.

There are all kinds of possibilities to install keyloggers and other
malicious software. Your kernel, for example, cannot be encrypted.
Keyloggers in all sizes and shapes, including inside your keyboard, can
be installed. Other things can be done.

Face it, you are using the wrong tool if protection against manipulation
with physical access is your goal. For that I would recommend a safe that
is intended to have a PC running inside it. Not too cheap, but
tamper-obvious.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
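The point above that the kernel (and the rest of /boot) stays unencrypted under dm-crypt is what an offline attacker would modify. One mitigation is to record digests of those files from a trusted state, keep the manifest on separate media, and verify before entering the passphrase. The script below is an added illustration of that check, not code from the thread or from dm-crypt; it assumes GNU coreutils (sha256sum -c) and that the boot directory and manifest path are passed in as arguments.

```shell
#!/bin/sh
# Added example: integrity manifest for the unencrypted boot files.
# boot_manifest_record <dir> <manifest>  - snapshot digests of every file
# boot_manifest_verify <dir> <manifest>  - returns 0 if nothing changed
# Both paths are assumptions supplied by the caller (e.g. /boot and a
# manifest kept on removable media).

boot_manifest_record() {
    dir=$1; manifest=$2
    # Hash every regular file relative to the directory; sort by path so
    # two snapshots of the same state produce identical manifests.
    ( cd "$dir" && find . -type f -exec sha256sum {} + ) \
        | LC_ALL=C sort -k 2 > "$manifest"
}

boot_manifest_verify() {
    dir=$1; manifest=$2; status=0
    # 1) every recorded file must still hash to its recorded digest
    #    (sha256sum prints FAILED lines for mismatches or missing files)
    ( cd "$dir" && sha256sum --quiet -c "$manifest" ) || status=1
    # 2) a file that is present now but absent from the manifest was
    #    added after the trusted snapshot (e.g. an extra module or initrd)
    recorded=$(mktemp); now=$(mktemp)
    awk '{ print $2 }' "$manifest" | LC_ALL=C sort > "$recorded"
    ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$now"
    unlisted=$(comm -13 "$recorded" "$now")
    rm -f "$recorded" "$now"
    if [ -n "$unlisted" ]; then
        printf '%s\n' "$unlisted" | sed 's/^/UNLISTED: /'
        status=1
    fi
    return $status
}
```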