Sorry for the duplicate, Cpp. I meant this to go to the list. But physical access was always a problem (of the same magnitude), wasn't it? Consider an attacker modifying initramfs so that your password entered into cryptsetup is sent to a remote server, then used to unlock your luks device. Isn't that of equal likelihood? Sent via BlackBerry -----Original Message----- From: Cpp <tzornik@xxxxxxxxx> Sender: "dm-crypt" <dm-crypt-bounces@xxxxxxxx>Date: Wed, 15 Oct 2014 08:49:54 To: <dm-crypt@xxxxxxxx> Subject: Re: LUKS disk encryption with remote boot authentication Thanks for the hints. Yeah, the main reason I wanted to implement something like this is to avoid having to boot up each and every device individually after a power cut. Most of my devices use disk encryption by default, let it be a desktop computer, a laptop or an embedded board like Raspberry Pi, Cubieboard, Beaglebone, etc. But after thinking about it for a while, I can't see a way how to securely implement this. I mean even if I were to SSH to the device, I'd still have no indication whether or not it was modified by an intruder, so physical access is a real problem. The only way I can think of is to equip all devices with physical protection circuitry, and have them running 24/7 - each and every device would need an UPS (uninterruptable power supply). Regards! On 10/14/14, Arno Wagner <arno@xxxxxxxxxxx> wrote: > On Tue, Oct 14, 2014 at 23:16:24 CEST, Jonas Meurer wrote: >> Hi Cpp, >> >> Am 14.10.2014 um 13:42 schrieb Cpp: >> > I'm interested in a solution for devices with LUKS disk encryption >> > that use a remote server to securely obtain a decryption key upon >> > boot. Let me elaborate: Suppose I have an embedded device i.e. >> > Raspberry Pi with an external USB HDD or maybe a Cubieboard with a >> > SATA-attached disk. The rootfs is located on an encrypted partition on >> > the disk that has to be decrypted before the OS can boot. The boot >> > partition is located on an unencrypted NAND/SD partition. >> > >> > Normally a modern linux distro will ask the user to type in the >> > password via a keyboard upon boot, if disk encryption is being used. I >> > am however interested in setups where this decryption key is obtained >> > securely (TLS?) from a remote (secure) server via LAN. >> > >> > Are there any known setups like this that I can take a look at? >> >> Debian and Ubuntu cryptsetup packages (at least, I don't know about >> other distributions) support remote unlocking in initramfs. It works the >> following way: the dropbear ssh server ist started in initramfs, you ssh >> into the initramfs and unlock the root partition, afterwards the boot >> process is continued. See section 8. of README.Debian in the >> distribution packages[1] for further information. > > Nice! For remotely-triggered unlocking, that is a good solution. > > Arno > > >> Cheers, >> jonas >> >> [1] or: here >> http://sources.debian.net/src/cryptsetup/2:1.6.6-2/debian/README.Debian/#L202 >> _______________________________________________ >> dm-crypt mailing list >> dm-crypt@xxxxxxxx >> http://www.saout.de/mailman/listinfo/dm-crypt > > -- > Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx > GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 > ---- > A good decision is based on knowledge and not on numbers. -- Plato > > If it's in the news, don't worry about it. The very definition of > "news" is "something that hardly ever happens." -- Bruce Schneier > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > http://www.saout.de/mailman/listinfo/dm-crypt > _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
