Secure unattended decryption

[Daniel Eggleston]

Yea, I don't need to have it entered automatically at boot time (if that's
possible, I've just thrown all semblance of true security out the window).
All I was looking for is a way to have gpg cache the passphrase for an
indefinite amount of time; and a human can enter the passphrase at boot.

It sounds like gpg is probably not more qualified than any other encryption
tool for this job, because the solutions thrown out here are quite feasible
without gpg.

On Thu, Mar 18, 2010 at 7:04 PM, Philipp Gühring <pg at futureware.at> wrote:

> Hi Daniel,
>
> > I'm trying
> > to come up with a feasible way to allow the second node to access the
> > encrypted databases without human intervention, with the ultimate goal
> > that if somebody does somehow walk out with the storage containing the
> > databases, there will be no way to gain access to the data.
>
> Yes, exactly. So you have to bind the encryption key geographically to
> your server-room.
>
> There are several possible ways to do this:
>
> You can use a USB Crypto-Token on a 3 meter USB cable, where the Crypto
> Token is behind a wall in a second room (that is secured differently
> from the server room), the cable goes through a small hole in the wall,
> but does not allow to pull the token through the wall, and the other end
> of the cable is plugged into the server in the serverroom. If an
> attacker wants to take the server+storage from the server room, he has
> to unplug the USB token, and can't take it with him, since it's not in
> the same room.
>
> Another mechanism is Routing Security:
> You setup full-disk encryption the primary server. In the bootloader /
> initial ramdisk, you setup a SSH server on a special port. You make sure
> that it isn't easily visible for a user on the screen when booting.
> You then take a client, which could be on a second server somewhere else
> in the building, or somewhere on the internet, and you make sure that
> you have a somewhat physically secured routing infrastructure. The
> client automatically regularly tries to contact the SSH server on the
> fixed IP address that is routed to your datacenter/server. If it
> succeeds to connect to the boot-SSH server, it automatically remotely
> enters the private key / passphrase to decrypt the harddisk.
> This way, if an attacker walks out with your server, he would also have
> to walk out with the routed IP space, so that he can boot it up again.
> It only boots automatically if it is in the right place.
>
> You can get some inspiration here, but I would not suggest to use it as is:
> http://www.debian-administration.org/articles/579
>
>
> Best regards,
> Philipp
>
>


-- 

          Daniel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20100318/9966ad00/attachment.htm>