Re: Remotely decrypting a server (Linux)

[Niall <phierstarter () gmail com>]

Hi Woprbyte,

The USB key route can be rules out as i want to ensure that is the
machines are stolen the thief won't also have the key necessary to
decrypt them.
One time password's look interesting, but i can't find any encryption
software that allows your to use them for auth remotely, yet keeps
encrypted as much of the box not required to be executable for boot up
and to complete this process.

I've also looked into encrypted filesystems a bit. E.g. I found this:
http://balau82.wordpress.com/2009/08/23/secure-remote-storage-using-sshfs-and-encfs/

But it seems to be more concerned with remote encryption, not decryption.

On Tue, Sep 14, 2010 at 5:09 AM, Woprbyte <woprbyte () gmail com> wrote:
> Hi Niall,
>
> What is the physical security of the machines like?  I would recommend using something like the lamport one time 
> password scheme that keeps the decryption password changing.  That way you could make it so no server should have 
> same password at any one time. But you need a way to make sure the machines aren't being impersonated by an attacker.
> There are some ways to help ensure this but as you pointed app to app authentication really defeats the purpose.  If 
> you store the "key" on the remote machine in some form an attacker will find the key or will circumvent the 
> process... I would.
> That's why I suggest the one time key scheme that allows you keep the changing and can be used with nonces.  But I am 
> not sure if you want to go through manual customization.
>
> You could also consider something like safe net USB key.  But beware they are not 100% secure and you would want to 
> consider physical security as the devices can be circumvented via emulation.
>
> I don't know how valuable your data is but I tend to be paranoid and try to create as much trouble making for the 
> attacker while balancing access as best I can.
>
> You could use certificates on each machine.  You will have to manage them.
>
> Just some thoughts.  I have had to do something similar.
>
>
>
> On Sep 11, 2010, at 11:25 PM, Niall <phierstarter () gmail com> wrote:
>
> > Hi folks,
> >
> > I have a tricky one here where i need to find a way to securely
> > authenticate a decryption mechanism of some sort where the
> > authentication is provided remotely without any user-interaction.
> >
> > Right now i have a number of boxes that all inform a central server
> > when they are online. When they do this an OpenVPN connection is set
> > up between them and the server.
> >
> > However, i have been given the task to ensure that the scripts
> > involved in this process are encrypted by default. This requires some
> > form of self-decryption, which to my mind kind of goes against the
> > whole idea of encryption/authentication in the first place.
> >
> > I need some way to leave decrypted the bare essentials required to
> > boot a box and securely connect to the central server automatically.
> > Then the server would automatically send a key/passphrase and the rest
> > of the files on the box would then be decrypted on the fly.
> >
> > If anyone knows of any software that provides this (maybe through
> > VMs?) it would be greatly appreciated.
> >
> > I should add hat i'm also open to the idea of self-encrypting hard
> > disks, but what i've read about these in regards to Linux support has
> > put me off the whole TCG model.
> >
> > Thanks.
> >
> >
> > --
> > Niall
> >
> > ------------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> > how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> > purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> > set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> > certificates.
> >
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > ------------------------------------------------------------------------



-- 
Niall

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------