Secure unattended decryption

Daniel Eggleston eggled at gmail.com
Thu Mar 18 16:59:17 CET 2010


On Thu, Mar 18, 2010 at 10:37 AM, Grant Olson <kgo at grant-olson.net> wrote:

> On 3/18/2010 7:50 AM, Daniel Eggleston wrote:
> > ..., with the ultimate goal
> > that if somebody does somehow walk out with the storage containing the
> > databases, there will be no way to gain access to the data.
>
> Physically walk out?  You could use some full disk encryption instead.
> And a lock on the server room door helps.  ;-) Hypothetically?  Like
> someone hacking ssh or nfs or something?  Like you said, it's a bit of a
> contradiction.  Now someone can just hack the nodes.  (Or even the
> clients that are accessing the nodes.  But they could probably do that
> now.)
>
> How specifically do you imagine someone stealing the data?
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>

Well, the data theft truly is hypothetical - you see, the data will be
stored on a SAN, so physical theft is an extremely minor probability (but
still one that must be considered).  Physical security will differ from
client to client, since it will be implemented without my supervision.
Full-disk encryption still requires that the DBA enter a passphrase at the
time of mounting the disks and doesn't solve anything (and is less
cross-platform; there may be many different flavors of Unix, including HP-UX,
AIX, and Linux); and encryption of just the databases allows the database
application to optimize block sizes (which differ from file to file based
on the data types being stored).

Hacking the nodes will be a risk regardless - anybody gaining root is game
over, anyway. Once the database is mounted and accessed, PGP will no longer
be required; what I am trying to accomplish is entering the PGP an
arbitrarily long time before actually using it (i.e. infinite).

In reality, this is a business requirement more than a philosophical one.
The concern is:

a) an unprivileged user with server access should not be able to access the
actual database files (OS permissions) but, assuming they managed to gain
access, the data should be useless.

b) a hardware admin, if they manage to bypass physical security and walk out
with the SAN, the data contained should be useless.

Of course, somebody knows the passphrase, and there is an element of trust,
but that's not really what's on trial here - as I said, it's a business
requirement that stems from responsibility to clients.

Thanks for the interest; I'm hoping somebody has done something similar to
this in the past with regards to the unattended failover.
-- 
Daniel