From owner-freebsd-hackers@FreeBSD.ORG Thu May 15 14:38:02 2003 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E423037B401 for ; Thu, 15 May 2003 14:38:02 -0700 (PDT) Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by mx1.FreeBSD.org (Postfix) with ESMTP id D478843F85 for ; Thu, 15 May 2003 14:38:01 -0700 (PDT) (envelope-from narvi@haldjas.folklore.ee) Received: from haldjas.folklore.ee (localhost [127.0.0.1]) by haldjas.folklore.ee (8.12.3/8.11.3) with ESMTP id h4FLbo6U093739; Fri, 16 May 2003 00:37:50 +0300 (EEST) (envelope-from narvi@haldjas.folklore.ee) Received: from localhost (narvi@localhost)h4FLbmTQ093736; Fri, 16 May 2003 00:37:48 +0300 (EEST) Date: Fri, 16 May 2003 00:37:48 +0300 (EEST) From: Narvi To: Terry Lambert In-Reply-To: <3EC35ACB.BFA5DE86@mindspring.com> Message-ID: <20030515185823.X40030-100000@haldjas.folklore.ee> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: hackers@freebsd.org cc: Stalker Subject: Re: Crypted Disk Question X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 May 2003 21:38:03 -0000 On Thu, 15 May 2003, Terry Lambert wrote: > Narvi wrote: > > > The question boils down to "How does this automatic process know > > > it's you, and not someone else, turning on the computer?". > > > > Well, this is not entirely fair - a removed from server hard disk would in > > the scenario still remain locked and data inacessible. Similarily, for the > > removal of the server, say using an iButton or USB drive or similar that > > is needed to unlock the data but would be kept separately. > > Anything that doesn't require a human to intervene can be > subverted. If there are people with sufficient physical > access to the disk that it needs to have its contents > encrypted in the first place, then they have sufficient > physical access to put a breakout between the computer and > any serial or USB or other dongle you can name. > Similarily, humans can be subverted and one can point a camera at the keyboard or log the emissions from it, thus capturing the password. > > You could say have an expect script watching the serial console output and > > enter the key. > > And if you had sufficient physical access to the drive to > be able to read its raw data, then you have sufficient access > to capture the key entry by the other box by inserting a tap > and rebooting the box that needs the key on reboot. > So? > > Another way would be having the server establishing a ssh > > session to a machine to get the key. > > If the ssh is automatic, either because of symmetric key > distribution, or because your passpharase is blank... then, > again, it's easy to intercept the exchange. If it's safe > from this, then it requires a human to enter a passphrase, > and you are back to the original problem. > > > it really depends on what kinds of reasons the encryption > > is being used for and whats the spectrum of allowable tradeoffs. > > The only reason for an encrypted drive, since once you are > logged in, and have entered the password, the drive is not > crypted, is fear about someone else with physical access to > the drive. > Which is not at all the scanario (active attacker) you are describing as a proof that this is a stupid idea for all cases, even if it is meant to guard against accidental loss (misplaced box during office move or similar) or ;eak of sensitive information (patient records, whatever) as a result of a simple burglary. You might just aswell claim GEOM is useless because they could always torture the password out of you - both views are equally meritless. > -- Terry >