[Novalug] encryption at rest on a virtual server for a virtual drive
greg pryzby
greg@pryzby.org
Wed Sep 11 09:51:01 EDT 2013
On Wed, Sep 11, 2013 at 8:30 AM, Derek LaHousse <dlahouss@mtu.edu> wrote:
> Do note, some people complicate this scheme with a Trusted Platform
> Module (TPM). Supposedly, the system enters a known state from boot by
> hashing all the code loaded, and if it's in the right state, the TPM can
> unlock the drive password. Supposedly, if someone corrupts the boot
> process, the TPM doesn't give up the key, so the drive stays locked.
>
> However, a sophisticated attacker with bus level access between the
> processor and its TPM can still break this.
Can you cite a paper on how? Intel and others say it is secure and
can't be broken in my reading so I would love to have information that
says different.
> Derek
>
> On Tue, 2013-09-10 at 21:02 -0400, Christopher Jones wrote:
>> I figured as much.... I will spare you the details but let's just say
>> security initiatives are great but using solutions that make no impact
>> on real security just brings extra risk to data loss. But it sounds
>> pretty to say we encrypt our storage so yay ! :)
>>
>>
>> To be clear I love the work, I just wanted to make sure I wasn't
>> missing some secret security benefit this was buying us.
>>
>>
>>
>> On Tue, Sep 10, 2013 at 7:45 PM, Brandon Saxe <brandon20va@yahoo.com>
>> wrote:
>> Greg is right. No human == no security. Use a passphrase that
>> is prompted on boot. Another option is to store your key
>> (still passphrase protected) on a flash drive or on a server
>> (such as kerberos).
>>
>> I'm exploring sticking my keys on my cell phone (Linux Nokia
>> N9) and then using bluetooth to get access for certain things.
>>
>>
>>
>> It seems to me that a phone would be a great way to store
>> passphrase protected keys. Does anybody have thoughts or
>> experience on this?
>>
>> --Brandon
>>
>> ----- Original Message -----
>> From: greg pryzby <greg@pryzby.org>
>> To: Christopher Jones <christopher.donald.jones@gmail.com>
>> Cc: Novalug <Novalug@calypso.tux.org>
>> Sent: Tuesday, September 10, 2013 7:39 PM
>> Subject: Re: [Novalug] encryption at rest on a virtual server
>> for a virtual drive
>>
>> This is the meat problem (Rob Jenson).
>>
>> If a human is NOT required, you don't have security. No matter how
>> many levels of encryption, scripts, obscurity, if I don't require a
>> human to enter the key/passphrase/whatever, the solution is NOT
>> secure. If someone gets access, the data is at risk.
>>
>> So there is no real value of using a key read from somewhere to
>> decrypt a drive on boot. Unless I am worried about someone REMOVING
>> the drive w/o looking at the process used to boot/mount.
>>
>> I don't see any value and just complexity which makes people
>> hate security.
>>
>>
>> On Tue, Sep 10, 2013 at 7:31 PM, Christopher Jones
>> <christopher.donald.jones@gmail.com> wrote:
>> > If I encrypt a volume but also create a key file to unlock it when the
>> > system boots.
>> >
>> > What does this possibly do for me?
>> >
>> > Firstly what are the chances a virtual drive will be stolen?
>> > Second if the user had access to that and the server (single user mode)
>> > (which they can't get anyway without there being way bigger issues at the
>> > network level) they would be able to eventually find the key and use it to
>> > unlock the drive.
>> >
>> > What am I missing here?
>> >
>> > I see the benefit on a desktop or a laptop where I can require a password to
>> > access the drive but just don't get it for this particular case.
>> >
>> > --
>> > Chris Jones
>> > RHCSA
>> >
>> >
>> > _______________________________________________
>> > Novalug mailing list
>> > Novalug@calypso.tux.org
>> > http://calypso.tux.org/mailman/listinfo/novalug
>> >
>>
>>
>>
>> --
>> greg pryzby greg at pryzby dot org
>> http://www.linkedin.com/in/gpryzby
>>
>> TWTR: gpryzby
>> WEB: http://www.MakeRoomForArt.com/
>> BLOG: http://www.ryqyrmedia.com/ (son's)
>>
>>
>>
>>
>>
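The measured-boot scheme Derek describes (every boot stage hashed into a TPM register, and the disk key released only if the register ends up at the expected value) as an added Python model; this is illustration written for this thread, not real TPM or LUKS code, and the boot images, TPM seed and disk key are constructed sample values.

```python
import hashlib
from typing import List, Optional, Tuple

PCR_RESET = bytes(32)  # a SHA-256 PCR is all zero at reset

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(measurement)). A PCR can only be
    extended, never written directly, so its final value commits to every
    measurement made since reset and to the order they were made in."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(stages: List[bytes]) -> bytes:
    """Each boot stage measures the next one into the PCR before handing over."""
    pcr = PCR_RESET
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr

def seal(disk_key: bytes, expected_pcr: bytes, tpm_secret: bytes) -> Tuple[bytes, bytes]:
    """Seal: wrap the disk key under a key derived from the TPM-internal secret and
    the PCR value the key is bound to. The blob records which PCR value it
    expects; the TPM secret itself never leaves the (simulated) chip."""
    wrap_key = hashlib.sha256(tpm_secret + expected_pcr).digest()
    wrapped = bytes(k ^ w for k, w in zip(disk_key, wrap_key))  # illustrative XOR wrap
    return expected_pcr, wrapped

def unseal(blob: Tuple[bytes, bytes], current_pcr: bytes, tpm_secret: bytes) -> Optional[bytes]:
    """Unseal: the TPM compares the live PCR with the sealed policy and only then
    unwraps. Any corrupted or reordered boot stage changes the PCR, so the key
    is withheld and the drive stays locked."""
    expected_pcr, wrapped = blob
    if current_pcr != expected_pcr:
        return None
    wrap_key = hashlib.sha256(tpm_secret + expected_pcr).digest()
    return bytes(k ^ w for k, w in zip(wrapped, wrap_key))

# Constructed sample values; none of these are real keys or real boot images.
TPM_SECRET = hashlib.sha256(b"constructed tpm seed").digest()
DISK_KEY = hashlib.sha256(b"constructed LUKS master key").digest()
GOOD_BOOT = [b"firmware v1", b"bootloader v1", b"kernel 3.10"]
TAMPERED_BOOT = [b"firmware v1", b"bootloader v1 (patched)", b"kernel 3.10"]

def boot_and_unlock(stages: List[bytes]) -> Optional[bytes]:
    """Seal once against the known-good boot, then try to unlock after `stages` ran."""
    blob = seal(DISK_KEY, measure_boot(GOOD_BOOT), TPM_SECRET)
    return unseal(blob, measure_boot(stages), TPM_SECRET)

if __name__ == "__main__":
    print("good boot unlocks:", boot_and_unlock(GOOD_BOOT) == DISK_KEY)
    print("tampered boot unlocks:", boot_and_unlock(TAMPERED_BOOT) is not None)
```

The model assumes the PCR comparison happens inside the TPM, which is exactly the assumption Derek's bus-access caveat is about: the scheme detects a changed boot chain, not a changed path between the TPM and the CPU.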