Secure unattended decryption

Florian Philipp f_philipp at fastmail.net
Thu Mar 18 18:11:23 CET 2010


On 18.03.2010 12:50, Daniel Eggleston wrote:
[...]
> 
> The encryption key for the databases is stored on-disk, encrypted with
> PGP (Gnupg specifically). At first startup, it's no big deal to have the
> DBA enter a passphrase to start the database server. Once a failover
> occurs, though, time is of the essence. Since paging someone to come
> enter a passphrase can take 15 minutes or more after-hours, I'm trying
> to come up with a feasible way to allow the second node to access the
> encrypted databases without human intervention, with the ultimate goal
> that if somebody does somehow walk out with the storage containing the
> databases, there will be no way to gain access to the data.  I was
> thinking this could be done using gpg-agent, and entering the passphrase
> when the server starts up (and the failover can happen arbitrarily,
> months or even years after the machine boots).
> 
> The problem I've encountered is that there doesn't appear to be a way to
> cache the passphrase infinitely. (I read some documentation that said
> that passing -1 to the cache-ttl parameters would work, but it doesn't).
> I've considered setting the cache-ttl parameters to large values (i.e.
> two weeks) and requiring the DBA to re-enter the passphrase once a
> week.  This isn't ideal, but it's better than nothing.
[...]

You could create an encrypted partition/lvm volume/loopback device and
put the key on it in plaintext. On boot-up, the DBA enters the password
to unlock and mount the partition. After this, the key is protected by
filesystem permissions.

If someone walks out with the hard disk, all he has is an encrypted
partition.
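The volume-based approach above, as an added example that is not from the thread: a sketch of the LUKS setup and unlock steps (root and cryptsetup required), plus a check the database service can run before it reads the key. The mount point, mapper name and key path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. The database key is stored in
# plaintext on a LUKS volume that the DBA unlocks once at boot; from then on
# only filesystem permissions protect it. Names below are assumptions.
KEY_DIR=/mnt/dbkeys            # mount point of the unlocked volume (assumed)
KEY_FILE="$KEY_DIR/db.key"     # the plaintext key lives only here (assumed)
MAPPER=dbkeys                  # device-mapper name (assumed)

# One-time setup, run as root: $1 is the block device (or loop device) to use.
# The DBA chooses the LUKS passphrase interactively in luksFormat.
setup_volume() {
    cryptsetup luksFormat "$1" &&
    cryptsetup luksOpen "$1" "$MAPPER" &&
    mkfs.ext4 -q "/dev/mapper/$MAPPER" &&
    mkdir -p "$KEY_DIR" &&
    mount "/dev/mapper/$MAPPER" "$KEY_DIR" &&
    chmod 700 "$KEY_DIR"
}

# At boot (and on the standby node): the DBA types the passphrase once;
# afterwards the database service can read the key with nobody present.
unlock_volume() {
    cryptsetup luksOpen "$1" "$MAPPER" && mount "/dev/mapper/$MAPPER" "$KEY_DIR"
}

# Check to run before reading the key: the file must exist, be mode 0600,
# be owned by the expected uid, and sit on the unlocked volume rather than
# on an unencrypted filesystem. Returns 0 only if all four conditions hold.
# $1 = key file, $2 = expected owner uid, $3 = expected mount point
check_key_file() {
    f=$1; want_uid=$2; want_mnt=$3
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    mode=$(stat -c %a "$f"); uid=$(stat -c %u "$f")
    [ "$mode" = "600" ] || { echo "$f has mode $mode, want 600" >&2; return 1; }
    [ "$uid" = "$want_uid" ] || { echo "$f owned by uid $uid, want $want_uid" >&2; return 1; }
    mnt=$(df -P "$f" | awk 'NR == 2 { print $6 }')   # POSIX df: column 6 is the mount point
    [ "$mnt" = "$want_mnt" ] || { echo "$f is on $mnt, not on $want_mnt" >&2; return 1; }
    return 0
}
```

The service's start script would call `check_key_file "$KEY_FILE" "$(id -u dbuser)" "$KEY_DIR"` and refuse to start on failure, so a key that was accidentally copied onto an unencrypted filesystem or left world-readable is caught before it is used.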
