[Novalug] encryption at rest on a virtual server for a virtual drive

greg pryzby greg@pryzby.org
Tue Sep 10 19:39:23 EDT 2013


This is the meat problem (Rob Jenson).

If a human is NOT required, you don't have security. No matter how
many levels of encryption, scripts, obscurity, if I don't require a
human to enter the key/passphrase/whatever, the solution is NOT
secure. If someone gets access, the data is at risk.

So there is no real value in using a key read from somewhere to
decrypt a drive on boot, unless I am worried about someone REMOVING
the drive w/o looking at the process used to boot/mount.

I don't see any value, just complexity, which makes people hate security.


On Tue, Sep 10, 2013 at 7:31 PM, Christopher Jones
<christopher.donald.jones@gmail.com> wrote:
> If I encrypt a volume but also create a key file to unlock it when the
> system boots, what does this possibly do for me?
>
> Firstly, what are the chances a virtual drive will be stolen?
> Second, if the user had access to that and the server (single user mode)
> (which they can't get anyway without there being way bigger issues at the
> network level) they would be able to eventually find the key and use it to
> unlock the drive.
>
> What am I missing here?
>
> I see the benefit on a desktop or a laptop where I can require a password to
> access the drive but just don't get it for this particular case.
>
> --
> Chris Jones
> RHCSA
>
>



-- 
greg pryzby                              greg at pryzby dot org
http://www.linkedin.com/in/gpryzby

TWTR: gpryzby
WEB:  http://www.MakeRoomForArt.com/
BLOG: http://www.ryqyrmedia.com/ (son's)


