From: stormrider (strmrdr42yahoo.de)
Date: Sun Dec 12 2010 - 05:28:46 CST
You should take care of a few things when encrypting hard
drives if you want to feel secure about it.
* Do's *
A) Use a token. That means: generate a very long key. Encrypt that key and
put the encrypted key on a thumb drive. Make sure you leave no trace
when doing that step. (A good way is to do that part from a live CD.) So
when you want to mount the disk, you use a password that decrypts the
*real* key from the thumb drive and uses that to decrypt the disk.
Make sure nobody copies your token. That gives you two access
components: *have* the token and *know* the password. Just like your
B) Most often messed-up rule: use a strong password! You can have a TPM or a
super secret USB token or whatever. When they get your password,
nothing's secure anymore. You may want to begin shivering at that point.
(Shiver less if you had time to destroy your token beforehand. Stop
shivering when you're 100% sure nobody made a copy of your token.)
* Reminders *
As long as the machine is running there is almost no protection for the data!
1) Every vulnerability in the OS, the daemons, or anything else could make
accessing your data possible, just as if there were no encryption.
2) Other attack vectors depend on *who* might want to take a closer
look. Some people find it quite a lot of fun to freeze your system RAM
and read it out later. That would indeed reveal your key.
3) Any unauthorized access to your box voids the system integrity, so you
should think about countermeasures. Broken integrity means forget
encryption, as a mighty little goblin might sit on your PCI bus reading
your RAM by DMA (elves and fairies are also conceivable).
So if you want to be sure about that, you shouldn't leave your box alone
and running. If you do, make sure the power gets switched off as soon
as someone enters the room. Also make sure that it takes a few minutes
to gain access to your memory sticks after power loss, as it takes some
time until the data has vanished from memory.
You also shouldn't connect your box to any network. So actually the
best thing you can do is keep your secrets in your mind, not on disk. You
then only have to make sure you don't get water-boarded or so, as this might
also break your mind (this might also make you shout out any password
anyway, so avoid that) ;-)
Am 12.12.2010 01:43, schrieb Levente Peres:
> Hello to All,
> If anyone has serious hands-on experience with this, I would like to
> know some hard facts about this matter... I thought to ask you, because
> here are some of the top experts in this field, so I could find few
> better places. Hope you can nudge me in the right direction, and take
> the time to answer this.
> Let's suppose I have a CentOS server, with encrypted root partition, and
> I put the /boot partition on a separate USB key for good measure.
> Encryption technology is the default which "ships" with CentOS 5.5 and
> it's LVM.
> If someone gets hold of that machine, or rather, the drives inside the
> Smart Array, what are the chances he can "decrypt" the root partition,
> thus gaining access to the files, if he doesn't know the key? I mean I
> know that given enough time, probably it could be done with brute-force.
> But seriously, how much of a hindrance is this to anyone attempting to
> do this? Does it offer any serious protection or is it just some
> inconvenience to the person conducting the analysis of the machine? How
> realistic is it that one can accomplish the decryption inside a
> reasonable amount of time (like, say, within half a year or so)?
> Could some of you please give me some of your thoughts about this? And,
> maybe, what other methods of file system encryption are out there which
> are more secure?
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
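The "have + know" token scheme described in the reply above (a passphrase that unwraps a long random key kept on a thumb drive, and that key unlocking the disk), written out as an added example for a LUKS volume. This is not code from the post, from cryptsetup, or from OpenSSL. Assumed, hypothetical layout: the thumb drive is mounted at the directory passed as the first argument, the wrapped key is stored there as key.enc, openssl 1.1.1 or later (for -pbkdf2) and cryptsetup are installed, and the device path and mapper name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not code from the post or from cryptsetup/openssl): the
# "have + know" token scheme for a LUKS volume. A long random master key is
# wrapped with a passphrase and stored on the thumb drive; at boot the
# passphrase unwraps the key and the key unlocks the disk.
# Assumptions (hypothetical layout): the thumb drive is mounted at the
# directory passed as $1, the wrapped key is stored there as key.enc, and
# openssl 1.1.1+ (-pbkdf2) and cryptsetup are available.
set -u

KDF_ITER=600000   # must be identical for wrap and unwrap; openssl does not store it

# Step 1, run once from a live CD: make the token.
make_token() {
    token_dir=$1
    passphrase=$2
    # Keep the plaintext key in RAM (/dev/shm) if possible, otherwise wherever mktemp lands.
    raw=$(mktemp -p /dev/shm 2>/dev/null || mktemp) || return 1
    head -c 512 /dev/urandom > "$raw"   # 512 bytes (4096 bits): guessing the key is hopeless
    # The passphrase goes in on stdin so it never shows up in ps output or shell history.
    printf '%s\n' "$passphrase" | openssl enc -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" \
        -salt -in "$raw" -out "$token_dir/key.enc" -pass stdin
    status=$?
    shred -u "$raw" 2>/dev/null || rm -f "$raw"   # leave no plaintext copy behind
    return $status
}

# Unwrap the real key to stdout. Fails (non-zero) on a wrong passphrase in
# almost all cases; CBC padding is not a MAC, so garbage can slip through
# about 1 time in 256, and LUKS will then simply reject it as a key.
unwrap_key() {
    token_dir=$1
    passphrase=$2
    printf '%s\n' "$passphrase" | openssl enc -d -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" \
        -in "$token_dir/key.enc" -pass stdin 2>/dev/null
}

# Step 2, once, from the live CD: add the master key to a LUKS key slot.
# cryptsetup asks for an existing passphrase of the volume before adding it.
enroll_key() {
    token_dir=$1
    passphrase=$2
    device=$3
    raw=$(mktemp -p /dev/shm 2>/dev/null || mktemp) || return 1
    if ! unwrap_key "$token_dir" "$passphrase" > "$raw"; then
        rm -f "$raw"
        return 1
    fi
    cryptsetup luksAddKey "$device" "$raw"
    status=$?
    shred -u "$raw" 2>/dev/null || rm -f "$raw"
    return $status
}

# Step 3, every boot: passphrase (know) + token (have) -> open the volume.
# The unwrapped key is piped straight into cryptsetup and never written to disk.
unlock_disk() {
    token_dir=$1
    device=$2
    name=$3
    printf 'Token passphrase: ' >&2
    stty -echo; read -r passphrase; stty echo; echo >&2
    unwrap_key "$token_dir" "$passphrase" \
        | cryptsetup luksOpen --key-file=- "$device" "$name"
}

# Usage, as root with the thumb drive mounted on /mnt/token (device path and
# mapper name are placeholders):
#   make_token /mnt/token 'long passphrase'
#   enroll_key /mnt/token 'long passphrase' /dev/cciss/c0d0p2
#   unlock_disk /mnt/token /dev/cciss/c0d0p2 cryptroot
```

Two caveats worth knowing before relying on this: `openssl enc` produces no authentication tag, so a modified key.enc is not detected by the unwrap step itself, only by LUKS refusing the resulting key; and the iteration count is not recorded in the file, so changing KDF_ITER after creating the token makes it unusable. Losing the token or forgetting the passphrase leaves only the other LUKS key slots, so keep a separate recovery passphrase in a slot you control.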