
Re: Musings about on-disk encryption in Fedora Core



>>> For a really secure system you have to boot from removable or read-only
>>> media.

>>> If an attacker can compromise the kernel image that you boot from then
>>> they can own you.  If you have an unencrypted kernel/initrd stored on the
>>> hard disk then you must either keep the hard disk locked up at all times
>>> (in which case encrypting it doesn't gain much) or treat every unexpected
>>> reboot as a potential compromise.

>> I was concentrating mainly on means to secure data (against prying eyes,
>> not corruption), securing a system is a completely different kind of
>> thing.
 
> Securing the system is exactly the same thing IMHO.
> 
> If your system is insecure then encryption won't help, the attacker will get
> all your passwords and happily decrypt all your data!

I would argue that it depends on what you are securing against.  For example,
securing data against physical laptop theft does not really require booting
from removable media...as long as you don't trust the laptop once it is
recovered.

However, if you are requiring a physical token to provide a key then booting
from that token is not too much of a leap.  Assuming your firmware supports
booting from, say, USB.  This seems outside the scope of mkinitrd and more a
responsibility of properly configuring yaboot, lilo, grub, etc.

In addition, when you boot from removable media, you really need to
authenticate that you are booting from the removable media.  Perhaps the boot
process could tell you a secret that only you and the removable media know. 
If the attacker has access to the firmware then the attacker may cause the
computer to spoof your normal boot process.  A firmware password may or may
not help, depending on how paranoid you are.

So we can go down any number of paranoid trails (and we should).  But that
doesn't mean we shouldn't start "picking at the low hanging fruit" to make
progress.  We just need to be straightforward about what we are protecting
against (for example, a stolen laptop vs. a stolen laptop that I can trust if
returned).

--
Mike
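As an added illustration of the "secret that only you and the removable media know" idea above, and of the firmware-spoofing caveat (example code written for this note, not anything from the thread or from mkinitrd): the removable media holds a key, the boot stage on that media checks the on-disk kernel and initrd against a tag sealed with the key, and the secret it then shows is derived from a per-boot counter, so a spoofed boot process that replays a value captured at an earlier boot does not match what the user expects. The function names, the HMAC construction and the sample image bytes are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed sample images standing in for /boot/vmlinuz and initrd.img.
KERNEL = b"constructed-sample-kernel-image"
INITRD = b"constructed-sample-initrd-image"


def seal_images(media_key: bytes, kernel: bytes, initrd: bytes) -> bytes:
    """Tag stored on the removable media when the images are known-good.
    Lengths are included so kernel/initrd boundaries cannot be shifted."""
    h = hmac.new(media_key, digestmod=hashlib.sha256)
    for blob in (kernel, initrd):
        h.update(len(blob).to_bytes(8, "big"))
        h.update(blob)
    return h.digest()


def boot_secret(media_key: bytes, boot_counter: int) -> str:
    """Short value shown to the user at boot. It changes with the counter,
    so a replayed value from an earlier boot is detectable by the user."""
    mac = hmac.new(media_key, boot_counter.to_bytes(8, "big"), hashlib.sha256)
    return mac.digest()[:4].hex()


def verify_and_reveal(media_key: bytes, kernel: bytes, initrd: bytes,
                      stored_tag: bytes, boot_counter: int):
    """What the boot-media stage would do: refuse to continue if the on-disk
    images differ from the sealed tag, otherwise reveal this boot's secret."""
    if not hmac.compare_digest(seal_images(media_key, kernel, initrd), stored_tag):
        return None  # kernel or initrd on the hard disk was altered
    return boot_secret(media_key, boot_counter)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # lives only on the removable media
    tag = seal_images(key, KERNEL, INITRD)
    print("good boot shows:", verify_and_reveal(key, KERNEL, INITRD, tag, 1))
    print("tampered initrd:", verify_and_reveal(key, KERNEL, INITRD + b"x", tag, 2))
    # A spoofed boot process without the key can only replay boot 1's value,
    # which is not what the user expects to see at boot 2.
    print("replay detected:", boot_secret(key, 1) != boot_secret(key, 2))
```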


