From owner-freebsd-security Wed Oct 10 5:19:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from kumquat.mail.uk.easynet.net (kumquat.mail.uk.easynet.net [195.40.1.42]) by hub.freebsd.org (Postfix) with ESMTP id 208C537B407 for ; Wed, 10 Oct 2001 05:19:53 -0700 (PDT) Received: from magrat.office.easynet.net ([195.40.3.130]) by kumquat.mail.uk.easynet.net with esmtp (Exim 3.33 #1) id 15rIKc-0006Iv-00; Wed, 10 Oct 2001 13:19:26 +0100 Received: by magrat.office.easynet.net with Internet Mail Service (5.5.2653.19) id ; Wed, 10 Oct 2001 13:19:25 +0100 Message-ID: <7052044C7D7AD511A20200508B5A9C5851688C@magrat.office.easynet.net> From: Lee Brotherston To: "'xskoba1@kremilek.gyrec.cz'" , security@freebsd.org Subject: RE: "Rubbish" idea on security Date: Wed, 10 Oct 2001 13:19:19 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org | I know I sound like pretty paranoid, but my question | is. Is there | any way to crypt all harddrive in the way, no one from | outside will see | anything from it. I mean, for example, that rebooting of | server is going | to be dependandt on connection from somewhere, that | connection send a key, | which is all the time only in memory and if someone decide to | steal the | harddrive, he has nothing unless he has a key. | | | And the second thing is concerning config or any files which are | necessary to change to compromise server. The idea is the same, the | changes | are (probably by kernel) written into some temprorary area | and only when | private key is provided, changes are written on the right place. | | sorry if everything I told is too dificult or too stupid to be | created. It might be worth checking out http://www.rubberhose.org - I've not actually used it myself, so I can't offer any personal experience, but I've seen good things posted about it. It was designed to allow deniability about the levels of encryption on the drive (Encrypted data and random noise are not discernable from each other), but could be used to hold important data I suppose. Similarly holding the configs on here might be possible. The FreeBSD kernel module is said to be nearing completion. Lee -- Lee Brotherston - IP Security Manager, Easynet Ltd http://www.easynet.net/ Phone: +44 20 7900 4444 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message