[Novalug] encryption at rest on a virtual server for a virtual drive

greg pryzby greg@pryzby.org
Wed Sep 11 09:51:01 EDT 2013


On Wed, Sep 11, 2013 at 8:30 AM, Derek LaHousse <dlahouss@mtu.edu> wrote:
> Do note, some people complicate this scheme with a Trusted Platform
> Module (TPM).  Supposedly, the system enters a known state from boot by
> hashing all the code loaded, and if it's in the right state, the TPM can
> unlock the drive password.  Supposedly, if someone corrupts the boot
> process, the TPM doesn't give up the key, so the drive stays locked.
>
> However, a sophisticated attacker with bus level access between the
> processor and its TPM can still break this.


Can you cite a paper on how? Intel and others say it is secure and
can't be broken in my reading so I would love to have information that
says different.



> Derek
>
> On Tue, 2013-09-10 at 21:02 -0400, Christopher Jones wrote:
>> I figured as much.... I will spare you the details but lets just say
>> security initiatives are great but using solutions that make no impact
>> on real security just brings extra risk to data loss. But it sounds
>> pretty to say we encrypt our storage so yay !  :)
>>
>>
>> To be clear I love the work i just wanted to make sure I wasn't
>> missing some secret security benefit this was buying us.
>>
>>
>>
>> On Tue, Sep 10, 2013 at 7:45 PM, Brandon Saxe <brandon20va@yahoo.com>
>> wrote:
>>         Greg is right. No human == no security. Use a passphrase that
>>         is prompted on boot. Another option is to store your key
>>         (still passphrase protected) on a flash drive or on a server
>>         (such as kerberos).
>>
>>         I'm exploring sticking my keys on my cell phone (Linux Nokia
>>         N9) and then using bluetooth to get access for certain things.
>>
>>
>>
>>         It seems to me that a phone would be a great way to store
>>         passphrase protected keys. Does anybody have thoughts or
>>         experience on this?
>>
>>         --Brandon
>>
>>         ----- Original Message -----
>>         From: greg pryzby <greg@pryzby.org>
>>         To: Christopher Jones <christopher.donald.jones@gmail.com>
>>         Cc: Novalug <Novalug@calypso.tux.org>
>>         Sent: Tuesday, September 10, 2013 7:39 PM
>>         Subject: Re: [Novalug] encryption at rest on a virtual server
>>         for a virtual    drive
>>
>>         This is the meat problem (Rob Jenson).
>>
>>         If a human is NOT required, you don't have security. No matter
>>         how many levels of encryption, scripts, obscurity, if I don't
>>         require a human to enter the key/passphrase/whatever, the
>>         solution is NOT secure. If someone gets access, the data is at
>>         risk.
>>
>>         So there is no real value of using a key read from somewhere
>>         to decrypt a drive on boot. Unless I am worried about someone
>>         REMOVING the drive w/o looking at the process used to
>>         boot/mount.
>>
>>         I don't see any value and just complexity which makes people
>>         hate security.
>>
>>
>>         On Tue, Sep 10, 2013 at 7:31 PM, Christopher Jones
>>         <christopher.donald.jones@gmail.com> wrote:
>>         > If I encrypt a volume but also create a key file to unlock
>>         > it when the system boots.
>>         >
>>         > What does this possibly do for me?
>>         >
>>         > Firstly what are the chances a virtual drive will be stolen?
>>         > Second if the user had access to that and the server (single
>>         > user mode) (which they can't get anyway without there being
>>         > way bigger issues at the network level) they would be able to
>>         > eventually find the key and use it to unlock the drive.
>>         >
>>         > What am I missing here?
>>         >
>>         > I see the benefit on a desktop or a laptop where I can
>>         > require a password to access the drive but just don't get it
>>         > for this particular case.
>>         >
>>         > --
>>         > Chris Jones
>>         > RHCSA
>>         >
>>         >
>>         > _______________________________________________
>>         > Novalug mailing list
>>         > Novalug@calypso.tux.org
>>         > http://calypso.tux.org/mailman/listinfo/novalug
>>         >
>>
>>
>>
>>         --
>>         greg pryzby                              greg at pryzby dot org
>>         http://www.linkedin.com/in/gpryzby
>>
>>         TWTR: gpryzby
>>         WEB:  http://www.MakeRoomForArt.com/
>>         BLOG: http://www.ryqyrmedia.com/ (son's)
>>
>>
>>
>>
>> --
>> Chris Jones
>>
>> RHCSA
>>
>>
>



-- 
greg pryzby                              greg at pryzby dot org
http://www.linkedin.com/in/gpryzby

TWTR: gpryzby
WEB:  http://www.MakeRoomForArt.com/
BLOG: http://www.ryqyrmedia.com/ (son's)
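The TPM scheme Derek describes (hash every boot component into a register, release the drive key only if the register matches the value it was sealed against) can be modelled in a few lines. The Python below is an added illustration written for this thread, not code from any of the posters or from a TPM vendor: the boot chains, the "TPM secret" and the 32-byte disk key are constructed sample values, and the sealing is a toy XOR wrap standing in for the TPM's real key hierarchy. It shows why a changed or reordered boot component stops the unlock, and, in unseal(), where the plaintext key is handed back to the CPU, which is the interface the thread's caveat concerns.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Toy model of TPM sealing (added example, not real TPM code).  A PCR starts
# at zeros and each boot component is folded in with the extend operation, so
# the final value depends on every component and on their order.
PCR_INIT = b"\x00" * 32


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA256(old_pcr || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components: Iterable[bytes]) -> bytes:
    """Measure a boot chain (firmware, bootloader, kernel, ...) into one PCR."""
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def seal(key: bytes, expected_pcr: bytes, tpm_secret: bytes) -> Tuple[bytes, bytes]:
    """Bind a 32-byte disk key to a PCR value.

    The wrapping key is derived from a secret that never leaves the TPM plus
    the PCR value the machine must show at unseal time.  Returns the wrapped
    blob and the PCR policy it was sealed against.
    """
    if len(key) != 32:
        raise ValueError("constructed example uses 32-byte keys")
    wrap = hashlib.sha256(tpm_secret + expected_pcr).digest()
    wrapped = bytes(k ^ w for k, w in zip(key, wrap))
    return wrapped, expected_pcr


def unseal(wrapped: bytes, policy_pcr: bytes, current_pcr: bytes,
           tpm_secret: bytes) -> Optional[bytes]:
    """Release the key only if the live PCR equals the sealed policy.

    On a mismatch (any boot component changed) the TPM returns nothing.  On a
    match the plaintext key is handed back to the caller; in a real system that
    plaintext crosses the TPM-to-CPU interface, which this model does not
    protect in any way.
    """
    if not hmac.compare_digest(policy_pcr, current_pcr):
        return None
    wrap = hashlib.sha256(tpm_secret + current_pcr).digest()
    return bytes(b ^ w for b, w in zip(wrapped, wrap))


# Constructed sample boot chains and secrets (labels only, not real binaries).
GOOD_CHAIN = [b"firmware-1.0", b"bootloader-2.1", b"kernel-3.10"]
TAMPERED_CHAIN = [b"firmware-1.0", b"bootloader-2.1", b"kernel-3.10-modified"]
TPM_SECRET = b"constructed-tpm-internal-secret"
DISK_KEY = bytes(range(32))


def demo() -> Tuple[bool, bool, bool]:
    """Return (good boot unlocks, tampered boot unlocks, reordered chain unlocks)."""
    wrapped, policy = seal(DISK_KEY, measure_boot(GOOD_CHAIN), TPM_SECRET)
    good = unseal(wrapped, policy, measure_boot(GOOD_CHAIN), TPM_SECRET) == DISK_KEY
    tampered = unseal(wrapped, policy, measure_boot(TAMPERED_CHAIN), TPM_SECRET) == DISK_KEY
    reordered = unseal(wrapped, policy, measure_boot(reversed(GOOD_CHAIN)), TPM_SECRET) == DISK_KEY
    return good, tampered, reordered


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Running it prints (True, False, False): the sealed key comes back only when the measured chain is byte-for-byte the one it was sealed against. The model also makes the thread's two positions concrete: on the one hand the key is bound to the boot state rather than sitting in a readable key file, which answers Chris's "they would eventually find the key" concern for the stolen-disk case; on the other hand unseal() still returns the key in the clear to whatever asked for it, so the protection ends at the TPM boundary and a passphrase entered by a person remains the only factor the machine cannot supply to itself.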


