[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Musings about on-disk encryption in Fedora Core



On Wed, 7 Jul 2004 00:43, "mike flyn org" <mike flyn org> wrote:
> > Securing the system is exactly the same thing IMHO.
> >
> > If your system is insecure then encryption won't help, the attacker will
> > get all your passwords and happily decrypt all your data!
>
> I would argue that it depends on what you are securing against.  For
> example, securing data against physical laptop theft does not really
> require booting from removable media...as long as you don't trust the
> laptop once it is recovered.

True.  But what about servers?  How secure is YOUR server room?  Taking disks 
out etc is not difficult to do.  Replacing the BIOS on the motherboard adds 
an extra level of difficulty and the risk is decreased if that is what an 
attacker would be forced to do.

> However, if you are requiring a physical token to provide a key then
> booting from that token is not too much of a leap.  Assuming your firmware
> supports booting from, say, USB.  This seems outside the scope of mkinitrd
> and more a responsibility of properly configuring yaboot, lilo, grub, etc.

You need the initrd to be able to mount an encrypted root fs, so there are 
some changes to initrd needed.  They are probably more significant than the 
changes to allow booting from a USB device.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]