[dm-crypt] LUKS disk encryption with remote boot authentication

Sam Rakowski devnull at iamdevnull.info
Wed Oct 15 13:37:20 CEST 2014


Sorry for the duplicate, Cpp. I meant this to go to the list. 

But physical access was always a problem (of the same magnitude), wasn't it? Consider an attacker modifying initramfs so that your password entered into cryptsetup is sent to a remote server, then used to unlock your luks device. Isn't that of equal likelihood?
Sent via BlackBerry

-----Original Message-----
From: Cpp <tzornik at gmail.com>
Sender: "dm-crypt" <dm-crypt-bounces at saout.de>Date: Wed, 15 Oct 2014 08:49:54 
To: <dm-crypt at saout.de>
Subject: Re: [dm-crypt] LUKS disk encryption with remote boot authentication

Thanks for the hints.

Yeah, the main reason I wanted to implement something like this is to
avoid having to boot up each and every device individually after a
power cut. Most of my devices use disk encryption by default, let it
be a desktop computer, a laptop or an embedded board like Raspberry
Pi, Cubieboard, Beaglebone, etc.

But after thinking about it for a while, I can't see a way how to
securely implement this. I mean even if I were to SSH to the device,
I'd still have no indication whether or not it was modified by an
intruder, so physical access is a real problem. The only way I can
think of is to equip all devices with physical protection circuitry,
and have them running 24/7 - each and every device would need an UPS
(uninterruptable power supply).

Regards!

On 10/14/14, Arno Wagner <arno at wagner.name> wrote:
> On Tue, Oct 14, 2014 at 23:16:24 CEST, Jonas Meurer wrote:
>> Hi Cpp,
>>
>> Am 14.10.2014 um 13:42 schrieb Cpp:
>> > I'm interested in a solution for devices with LUKS disk encryption
>> > that use a remote server to securely obtain a decryption key upon
>> > boot. Let me elaborate: Suppose I have an embedded device i.e.
>> > Raspberry Pi with an external USB HDD or maybe a Cubieboard with a
>> > SATA-attached disk. The rootfs is located on an encrypted partition on
>> > the disk that has to be decrypted before the OS can boot. The boot
>> > partition is located on an unencrypted NAND/SD partition.
>> >
>> > Normally a modern linux distro will ask the user to type in the
>> > password via a keyboard upon boot, if disk encryption is being used. I
>> > am however interested in setups where this decryption key is obtained
>> > securely (TLS?) from a remote (secure) server via LAN.
>> >
>> > Are there any known setups like this that I can take a look at?
>>
>> Debian and Ubuntu cryptsetup packages (at least, I don't know about
>> other distributions) support remote unlocking in initramfs. It works the
>> following way: the dropbear ssh server ist started in initramfs, you ssh
>> into the initramfs and unlock the root partition, afterwards the boot
>> process is continued. See section 8. of README.Debian in the
>> distribution packages[1] for further information.
>
> Nice! For remotely-triggered unlocking, that is a good solution.
>
> Arno
>
>
>> Cheers,
>>  jonas
>>
>> [1] or: here
>> http://sources.debian.net/src/cryptsetup/2:1.6.6-2/debian/README.Debian/#L202
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt at saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>
> --
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it.  The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
_______________________________________________
dm-crypt mailing list
dm-crypt at saout.de
http://www.saout.de/mailman/listinfo/dm-crypt


More information about the dm-crypt mailing list