Date: Thu, 16 Sep 2004 12:30:01 -0500
From: Frank Knobbe <frank@knobbe.us>
To: Bruce M Simpson <bms@spc.org>
Cc: hackers@freebsd.org
Subject: Re: Booting encrypted
Message-ID: <1095355800.530.24.camel@localhost>
In-Reply-To: <20040916032406.GC7413@empiric.icir.org>
References: <200409072022.i87KM7Kf049770@wattres.Watt.COM> <20040916010317.GN1001@straylight.m.ringlet.net> <Pine.BSI.4.58L.0409151855130.8383@vp4.netgate.net> <20040916032406.GC7413@empiric.icir.org>

On Wed, 2004-09-15 at 22:24, Bruce M Simpson wrote:
> Using TCPA, you could lock down your device in this way, and extract the
> symmetric key for the media from nonvolatile secure storage on the chip
> once the OS has logged into it. Of course you'd have to sign the OS image
> in such a way that booting it unlocked the secure storage.

Yes, TCPA offers solutions for that. But they might be overkill for what
he wants to accomplish. Having the key in the boot loader will do what
he wants -- prevent someone booting from a CD and mounting the drive.
But the key on the encrypted media itself (in the boot loader) is bad
practice. Hence the idea of fetching it from hardware.

Sure, it is still possible to break the systems (by booting a CD,
reading the CPU ID, or VGA S/N, or whatever is used, and manually
decrypting the drive). But it presents a significantly higher effort,
while still not dependent on TCPA ready hardware and all the (key)
management stuff that comes with it.

Call it a poor man's TCPA :) It's a balance, an in-between. For real
security, choose TCPA. For good-enough security, this solution may work
better. All depends on the level of paranoia present :)

Cheers,
Frank