From owner-freebsd-security Wed Oct 10 5:24:35 2001
Message-ID: <3BC43DFF.C356A86A@algroup.co.uk>
Date: Wed, 10 Oct 2001 13:24:31 +0100
From: Adam Laurie
To: xskoba1@kremilek.gyrec.cz
Cc: security@freebsd.org, Ben Laurie
Subject: Re: "Rubbish" idea on security
Sender: owner-freebsd-security@FreeBSD.ORG

xskoba1@kremilek.gyrec.cz wrote:
>
> Has anyone ever thought about physical stealing of server?
>
> I know I sound like pretty paranoid, but my question is. Is there
> any way to crypt all harddrive in the way, no one from outside will see
> anything from it. I mean, for example, that rebooting of server is going
> to be dependent on connection from somewhere, that connection send a key,
> which is all the time only in memory and if someone decide to steal the
> harddrive, he has nothing unless he has a key.

this would be quite easy with cfs
(http://www.freebsddiary.org/encrypted-fs.php) - you'd need an
unencrypted boot that got you up far enough to run (say) sshd, then log
in and unlock the main filesystem and finish the boot.

however, if the thief knows that it's protected in this way, all they
need to do is maintain the power until they can copy the files. it would
of course provide good protection against opportunist or ram-raid style
theft though.

>
> And the second thing is concerning config or any files which are
> necessary to change to compromise server. The idea is the same, the
> changes are (probably by kernel) written into some temporary area and
> only when private key is provided, changes are written on the right place.

a variation on the above.

>
> sorry if everything I told is too difficult or too stupid to be
> created.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
The Stores                    http://www.thebunker.net
2 Bath Road                   http://www.aldigital.co.uk
London W4 1LT                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
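
The split boot described in the reply above (minimal unencrypted boot, ssh in, unlock, finish the boot), as an added example that is not part of the original message or of cfs itself. It assumes the cfs `cattach`/`cdetach` commands; every path and name in it is hypothetical.

```shell
#!/bin/sh
# Stage two of the split boot: run by hand over ssh once the minimal,
# unencrypted stage has brought up the network and sshd.
# Assumed names (not from the original message): every path and name below.
CFS_DIR="${CFS_DIR:-/usr/local/secure}"               # directory made with cmkdir
CFS_NAME="${CFS_NAME:-main}"                          # name it is attached under
CRYPT_ROOT="${CRYPT_ROOT:-/crypt}"                    # cfsd mount point
LATE_RC_DIR="${LATE_RC_DIR:-/usr/local/etc/rc.late}"  # services that need the data
CATTACH="${CATTACH:-cattach}"
CDETACH="${CDETACH:-cdetach}"

# cfs exposes an attached directory as $CRYPT_ROOT/<name>.
is_unlocked() { [ -d "$CRYPT_ROOT/$CFS_NAME" ]; }

unlock_and_finish_boot() {
    if is_unlocked; then
        echo "already unlocked, not restarting services" >&2
        return 0
    fi
    # cattach prompts for the passphrase on the ssh terminal; it is never
    # written to disk, so a powered-off disk holds only ciphertext.
    "$CATTACH" "$CFS_DIR" "$CFS_NAME" || { echo "attach failed" >&2; return 1; }
    is_unlocked || { echo "attached, but $CRYPT_ROOT/$CFS_NAME is missing" >&2; return 1; }
    failed=0
    for s in "$LATE_RC_DIR"/*; do
        [ -x "$s" ] || continue
        "$s" start || { echo "failed: $s" >&2; failed=$((failed + 1)); }
    done
    return "$failed"
}

# The key stays in memory while the machine has power, which is the weakness
# the reply points out. Detaching drops it without waiting for a power loss.
lock_now() {
    for s in "$LATE_RC_DIR"/*; do
        if [ -x "$s" ]; then "$s" stop || true; fi
    done
    "$CDETACH" "$CFS_NAME"
}

case "${1:-}" in
    unlock) unlock_and_finish_boot ;;
    lock)   lock_now ;;
esac
```

Services that read the protected data go in the late directory rather than the normal startup path, so an unattended reboot stops at the unencrypted stage with the data still locked.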