From: Peter Thoenen
Reply-To: eol1@yahoo.com
To: freebsd-security@freebsd.org
Cc: m.schiesser@quantentunnel.de
Date: Mon, 13 Mar 2006 04:07:13 -0800 (PST)
Subject: Complete GBDE / GELI encryption for systems without removable local boot tokens (aka USB drives)
Message-ID: <20060313120713.7524.qmail@web51904.mail.yahoo.com>

Speaking of GELI / GBDE.

I was reading Marc's excellent paper on Complete harddrive encryption for FreeBSD using GBDE/GELI and the problem I have is it all depends on a bootable removable token that can be physically secured. While an excellent solution for laptop / desktop users, it just doesn't work with remote colo users. No way you can physically remove your unsecure boot token, or at least not remove it and hope to recover remotely from a panic / reboot / failure in a timely manner.

Anybody have any ideas on a solution for how to do this with a colo'd server? Ideally you could, during boot, send some token (or lock file) via ssh or other secure method but boot does not currently support this.

Other ideas considered and thrown out:

- Boot your system as you would a headless system. The problem is how do you securely get your unsecure boot image from A to B (as it contains your keys and lock files). This fails as some local attacker could just stick a hub between your boot server and server and pull your unsecure image during a reboot.

- Intel's secure boot (forgot what the tech is called, want to say PXE). Doesn't work as this only verifies the image's checksum. Sure we know the image wasn't tampered with but the attacker still has your keys.

Cheers,

-Peter