Message-ID: <4FBF24A2.9060907@holgerdanske.com>
Date: Thu, 24 May 2012 23:20:18 -0700
From: David Christensen
Subject: Re: [dm-crypt] linux luks automatic boot with keyfile (INSECURE)
To: dm-crypt@saout.de

On 05/24/2012 07:29 PM, Nuno Reis wrote:
> I would like to ask you about the best choice to have one or two luks
> encrypted partitions boot automatically between reboots without me having
> to enter a pass-phrase.
> I've made this already, but the way I'm doing it seems to be not very
> secure since the keyfile is referenced in /etc/crypttab and the keyfile and
> /etc/crypttab both reside on an unencrypted partition. If someone clones my
> HDD and connects it to some other system, they will easily be able to mount
> the unencrypted partitions and find the keyfile reference in /etc/crypttab
> to get the keyfile and unencrypt the protected partitions, right?
> So basically my problem is that I want to sell a linux server with some
> software I've developed to a datacenter (as an appliance), but I don't want
> them to get to my software easily and I can't have a password prompt
> between reboots either.
> Can you point out what you think would be the best solution for me?

If you want to protect software, perhaps you should consider a software protection dongle:

http://en.wikipedia.org/wiki/Software_protection_dongle

HTH,

David
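The weakness described in the quoted question (a key file named in /etc/crypttab and stored on an unencrypted filesystem) can be checked for mechanically. The following is an added example, not code from the thread or from cryptsetup; the function names, the `mounts` mapping and the sample crypttab are constructed for illustration.

```python
import posixpath

# Key "files" that are random sources, not stored secrets (typical for swap).
RANDOM_SOURCES = {"/dev/urandom", "/dev/random"}

def parse_crypttab(text):
    """Yield (target, keyfile) per entry; keyfile is None when no key file path is set."""
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        keyfile = fields[2] if len(fields) > 2 else "none"
        yield fields[0], None if keyfile in ("none", "-") else keyfile

def backing_mount(path, mounts):
    """Return the longest mount point in `mounts` that contains `path`."""
    path, best = posixpath.normpath(path), "/"
    for mp in mounts:
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) > len(best):
            best = mp
    return best

def exposed_keyfiles(crypttab_text, mounts):
    """List (target, keyfile, mount point) for keys stored on unencrypted filesystems."""
    # Assumed input: `mounts` maps mount point -> True if it sits on an encrypted device.
    findings = []
    for target, keyfile in parse_crypttab(crypttab_text):
        if keyfile is None or keyfile in RANDOM_SOURCES:
            continue
        mp = backing_mount(keyfile, mounts)
        if not mounts.get(mp, False):  # unknown mount points count as unencrypted
            findings.append((target, keyfile, mp))
    return findings

# Constructed sample input (not taken from the thread).
SAMPLE_CRYPTTAB = """\
# <target> <source> <key file> <options>
data   /dev/sda3  /etc/keys/data.key    luks
swap   /dev/sda2  /dev/urandom          swap
vault  /dev/sda5  none                  luks
apps   /dev/sda4  /srv/secure/apps.key  luks
"""
SAMPLE_MOUNTS = {"/": False, "/boot": False, "/srv/secure": True}

if __name__ == "__main__":
    for target, keyfile, mp in exposed_keyfiles(SAMPLE_CRYPTTAB, SAMPLE_MOUNTS):
        print(f"{target}: key file {keyfile} is on unencrypted filesystem {mp}")
```

A key file that passes this check is only as protected as the volume holding it, which itself needs some unlock secret at boot.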