Date: Sat, 25 Aug 2012 02:12:01 -0700
From: Xin Li <delphij@delphij.net>
To: brouci tykadylko <brouci.tykadylko@seznam.cz>
Cc: d@delphij.net, freebsd-geom@FreeBSD.org
Subject: Re: geli remote password entering
Message-ID: <503896E1.9000203@delphij.net>
In-Reply-To: <3094.176.373-2311-1566486531-1345882861@seznam.cz>
References: <3094.176.373-2311-1566486531-1345882861@seznam.cz>

On 8/25/12 1:21 AM, brouci tykadylko wrote:
> Useful idea, but in this stage it's quite too late for real
> paranoic. If you consider logfiles as sensitive data.

There are some problems with my approach but I'm not particularly
concerned with logfiles. This really depends on how you store /var.
It is still possible to mount it after geli initialization and no,
there is no such thing as a 'logfile' since syslogd is not started at
that point.

Moreover I'd say if you really worry about logfiles, they should not be
stored locally but on a dedicated remote log server which has its
logon interface locked down inside a VLAN, and the system should have
only append access to that server and nothing else.

> Linux obviously CAN do that. It has some early_ssh, dropbear ssh
> daemon loaded from initramdisk for purpose of entering password
> for LUKS.

Well, this *is* early_ssh -- similar idea but without a duplicated
copy of sshd, etc. where you have two daemons and two files to worry
about. Of course, the current version does not do logs but it's
possible to do it locally or remotely with very simple tweaks by
starting syslogd with an alternative boot-only configuration profile.

It would be interesting to implement an initrd-like feature in FreeBSD,
however, but it's not totally impossible to do a similar thing
"right now"-ish by using a mdroot while having it chroot into the new /
with devfs and friends mounted; it's like a kluge but still do-able.

> Still didn't find any satisfactory solution for FreeBSD.
>
>
>> ------------ Original message ------------
>> From: Xin Li <delphij@delphij.net>
>> Subject: Re: geli remote password entering
>> Date: 24.8.2012 20:44:56
>> ----------------------------------------
> On 08/24/12 04:16, brouci tykadylko wrote:
>>>> Thinking about encrypting everything except /boot by
>>>> geli(+zfs). Since server is remote, there is a problem with
>>>> entering the key after restart. There is a possibility of
>>>> KVM at datacenter, but I don't want to bother with it upon
>>>> every reboot, and not speaking about possibility of remote
>>>> interception. My idea so far is to use RAMdisk image with
>>>> bare ssh like DropBear (like here:
>>>> http://www.webgroup.ch/linuxtag2006/Paper.pdf), but I still
>>>> didn't try. Dream solution is a bootloader with a ssh
>>>> interface, but I didn't hear about any for fBSD. Did any of
>>>> you try something similar? Or do you have any other idea?
>
> I have posted something with similar idea here:
>
> http://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html
>
> But this is different -- you can't have only /boot unencrypted
> because it requires / and /usr be available at very early boot
> time. Personally I'm not quite concerned with / unencrypted -- you
> could reveal /etc/master.passwd in the worst case but sensitive
> data can be stored in encrypted partitions.
>
> Cheers,