From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.saout.de ([127.0.0.1]) by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i2OB565pH5_j for ; Fri, 25 May 2012 10:11:51 +0200 (CEST) Received: from v4.tansi.org (ns.km33513-03.keymachine.de [87.118.94.3]) by mail.saout.de (Postfix) with ESMTP for ; Fri, 25 May 2012 10:11:50 +0200 (CEST) Received: from gatewagner.dyndns.org (84-74-162-209.dclient.hispeed.ch [84.74.162.209]) by v4.tansi.org (Postfix) with ESMTPA id 657C91404001 for ; Fri, 25 May 2012 10:11:50 +0200 (CEST) Date: Fri, 25 May 2012 10:11:49 +0200 From: Arno Wagner Message-ID: <20120525081149.GA18204@tansi.org> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Subject: Re: [dm-crypt] linux luks automatic boot with keyfile (INSECURE) List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: dm-crypt@saout.de Hi, encryption is not your solution here. Basically, you can do some kind of obfuscation or DRM, but they are all relatively easy to break. There really is no good solution for this, although a lot of people are unable to understand that fact. My advice is to do without protection. Software will always be easy to copy. Arno On Fri, May 25, 2012 at 03:29:14AM +0100, Nuno Reis wrote: > Good morning. > > I would like to ask you about the best choice to have one or two luks > encrypted partitions to boot automatically between reboots without me to > enter a pass-phrase. > I've made this already, but the way i'm doing it seems to be not very > secure since the keyfile is referenced in /etc/crypttab and the keyfile and > /etc/crypttab both reside on an unencrypted partition. If someone clones my > HDD and connect it to some other system will easily be able to mount the > unencrypted partitions and find the keyfile reference on /etc/crypttab to > get the keyfile and unencrypt the protected partitions right? > So basically my problem is that i want to sell a linux server with some > software i've developed to a datacenter (as an appliance), but i don't want > them to get to my software easily and i can't have a password prompt > between reboots also. > Can you point me out what you think would be the best solution for me? > Thanks. > > BR, > Nuno. > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > http://www.saout.de/mailman/listinfo/dm-crypt -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision. -- Bertrand Russell