[dm-crypt] LUKS disk encryption with remote boot authentication

Arno Wagner arno at wagner.name
Mon Oct 20 00:10:45 CEST 2014

On Sun, Oct 19, 2014 at 22:59:21 CEST, Cpp wrote:
> On 10/19/14, Arno Wagner <arno at wagner.name> wrote:
> > Actually, it has a pretty good chance of working well. Once.
> > And if it is not too obvious and nowhere documented that the
> > attacker can get at beforehand.
> So basically if a device like this is meant to be used and distributed
> widely, one security requirement would be that each and every device
> uses a custom anti-tampering circuitry setup so that no two setups are
> identical. After one device has been compromised, a new custom setup
> has to be made, possibly at a new location.

For DIY, yes. Commercial HSMs have another protection, namely
they are priced at EUR 50k+. That discourages most attackers from
buying a few to leant how to break into them.

But seriously, this is not a beginner's game. If you want to
keep out a low-resource attacker, just get a safe, drill some
holes for the cables, add an arduino or compatible with light, 
vibration and orientation sensors and make it protect the 
passphrase and pull the plug if it finds something fishy.
Attachment to computer via serial or USB as HID is fine.

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier

More information about the dm-crypt mailing list