Security Basics mailing list archives
Re: Remotely decrypting a server (Linux)
From: Niall <phierstarter () gmail com>
Date: Tue, 14 Sep 2010 09:20:37 +0100
Hi Woprbyte, The USB key route can be rules out as i want to ensure that is the machines are stolen the thief won't also have the key necessary to decrypt them. One time password's look interesting, but i can't find any encryption software that allows your to use them for auth remotely, yet keeps encrypted as much of the box not required to be executable for boot up and to complete this process. I've also looked into encrypted filesystems a bit. E.g. I found this: http://balau82.wordpress.com/2009/08/23/secure-remote-storage-using-sshfs-and-encfs/ But it seems to be more concerned with remote encryption, not decryption. On Tue, Sep 14, 2010 at 5:09 AM, Woprbyte <woprbyte () gmail com> wrote:
Hi Niall, What is the physical security of the machines like? I would recommend using something like the lamport one time password scheme that keeps the decryption password changing. That way you could make it so no server should have same password at any one time. But you need a way to make sure the machines aren't being impersonated by an attacker. There are some ways to help ensure this but as you pointed app to app authentication really defeats the purpose. If you store the "key" on the remote machine in some form an attacker will find the key or will circumvent the process... I would. That's why I suggest the one time key scheme that allows you keep the changing and can be used with nonces. But I am not sure if you want to go through manual customization. You could also consider something like safe net USB key. But beware they are not 100% secure and you would want to consider physical security as the devices can be circumvented via emulation. I don't know how valuable your data is but I tend to be paranoid and try to create as much trouble making for the attacker while balancing access as best I can. You could use certificates on each machine. You will have to manage them. Just some thoughts. I have had to do something similar. On Sep 11, 2010, at 11:25 PM, Niall <phierstarter () gmail com> wrote:Hi folks, I have a tricky one here where i need to find a way to securely authenticate a decryption mechanism of some sort where the authentication is provided remotely without any user-interaction. Right now i have a number of boxes that all inform a central server when they are online. When they do this an OpenVPN connection is set up between them and the server. However, i have been given the task to ensure that the scripts involved in this process are encrypted by default. This requires some form of self-decryption, which to my mind kind of goes against the whole idea of encryption/authentication in the first place. I need some way to leave decrypted the bare essentials required to boot a box and securely connect to the central server automatically. Then the server would automatically send a key/passphrase and the rest of the files on the box would then be decrypted on the fly. If anyone knows of any software that provides this (maybe through VMs?) it would be greatly appreciated. I should add hat i'm also open to the idea of self-encrypting hard disks, but what i've read about these in regards to Linux support has put me off the whole TCG model. Thanks. -- Niall ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
-- Niall ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Remotely decrypting a server (Linux) Niall (Sep 13)
- Message not available
- Re: Remotely decrypting a server (Linux) Niall (Sep 14)
- Message not available
- Re: Remotely decrypting a server (Linux) J.Hart, Elec.Eng.Tech. (Sep 14)
- <Possible follow-ups>
- Remotely decrypting a server (Linux) Niall (Sep 14)