From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from v6.tansi.org (ns.km31936-01.keymachine.de [87.118.116.4]) by mail.server123.net (Postfix) with ESMTP for ; Mon, 22 Sep 2014 22:59:20 +0200 (CEST) Received: from gatewagner.dyndns.org (77-57-44-24.dclient.hispeed.ch [77.57.44.24]) by v6.tansi.org (Postfix) with ESMTPA id 3FFA020DC1E9 for ; Mon, 22 Sep 2014 22:59:20 +0200 (CEST) Date: Mon, 22 Sep 2014 22:59:19 +0200 From: Arno Wagner Message-ID: <20140922205919.GA23965@tansi.org> References: <4ec71eb85448b64e81fad49d5e30a986@airmail.cc> <541FB693.5090006@web.de> <20140922100219.GC15345@tansi.org> <4acbfe386627ed562f147864ad3f5b61.squirrel@ssl.verfeiert.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4acbfe386627ed562f147864ad3f5b61.squirrel@ssl.verfeiert.org> Subject: Re: [dm-crypt] Kernel panic, cannot mount root fs on unknown block (hd0, 0) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: dm-crypt@saout.de On Mon, Sep 22, 2014 at 21:07:58 CEST, Sven Eschenberg wrote: > On Mon, September 22, 2014 12:02, Arno Wagner wrote: [...] > I think in his case is is plain dmcrypt which does not invalidate your > point of course. Possibly. As it does nit make much difference, I did nt make sure I\ got that right. > > > > As I do not like initrds on my systems (too much hassle changing > > anything), I use a different approach: Non-encrypted root and > > anything I consider security-critical on encrypted partition(s). > > Which is not hassle free either, esp. on headless systems. On one hand > local mounts and fscking is done early, so cryptsetup should be even > before that point, then again it can be difficult to provide the key > remotely that early during boot. (I know KVMoIP is your friend here ;-) ). Tell me about it. I have a headless firewall/fileserver in my kitchen, and I got really fed up withhaving to carry it to my desk whenever something stuck during boot. I finally installed a serial interface to be able to debug it with a laptop and minicom. I have given up on encryption during boot for it, it just has an encrypted data partition that I mount manually over ssh. > > A common criticism of that set-up is that it allows an attacker > > to change things on the root partition, but the same applies to > > the initrd (and the kernel!) as well and hence the initrd approach > > does not really offer better security. If you want to prevent that, > > you have to use some variant of secure boot, for example placing > > bootloader, kernel and initrd on an encrypted memory-stick with > > keypad or the like. And you better verify the BIOS checksum as > > well, although that may not be enough if somebody put a blue-pill > > in there. Fortunately such attacks are expensive and come with a > > high risk of detection, so unless you are a known terrorist or > > crimnal master-mind, don't worry about these. > > I agree, but pulling parts of /etc or /var onto crypto targets, while > leaving parts unencrypted is quite ugly. So many people would just encrypt > / alltogether to save them from that hassle. I have only data encrypted. Nothing in /etc/ or /var/ needs extra protection IMO. The only thing besides data that I see as worthwhile protecting are ssh private keys. Your needs may differ and I do understand the argument. It is just important to remember that an initrd is just as juicy a target for an attacker as a root partition and if you do it manually, the initrd is more complicated. Of course I also have non-module kernels tailored for my systems, so that removes another reason for an initrd. Gr"usse, Arno > > Second thing is that a running system is far easier to attack and > > as soon as it is opened, disk-encryption does not offer any > > protection anymore.... > > > > Indeed > > > > > Arno > > > > > > Regards > > -Sven > > > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > http://www.saout.de/mailman/listinfo/dm-crypt -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier