* Re: [dm-crypt] linux luks automatic boot with keyfile (INSECURE)
2012-05-25 2:29 [dm-crypt] linux luks automatic boot with keyfile (INSECURE) Nuno Reis
@ 2012-05-25 6:20 ` David Christensen
2012-05-25 8:11 ` Arno Wagner
2012-05-25 9:37 ` Hp
2 siblings, 0 replies; 4+ messages in thread
From: David Christensen @ 2012-05-25 6:20 UTC (permalink / raw)
To: dm-crypt
On 05/24/2012 07:29 PM, Nuno Reis wrote:
> I would like to ask you about the best choice to have one or two luks
> encrypted partitions to boot automatically between reboots without me to
> enter a pass-phrase.
> I've made this already, but the way i'm doing it seems to be not very
> secure since the keyfile is referenced in /etc/crypttab and the keyfile and
> /etc/crypttab both reside on an unencrypted partition. If someone clones my
> HDD and connect it to some other system will easily be able to mount the
> unencrypted partitions and find the keyfile reference on /etc/crypttab to
> get the keyfile and unencrypt the protected partitions right?
> So basically my problem is that i want to sell a linux server with some
> software i've developed to a datacenter (as an appliance), but i don't want
> them to get to my software easily and i can't have a password prompt
> between reboots also.
> Can you point me out what you think would be the best solution for me?
If you want to protect software, perhaps you should consider a software
protection dongle:
http://en.wikipedia.org/wiki/Software_protection_dongle
HTH,
David
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [dm-crypt] linux luks automatic boot with keyfile (INSECURE)
2012-05-25 2:29 [dm-crypt] linux luks automatic boot with keyfile (INSECURE) Nuno Reis
2012-05-25 6:20 ` David Christensen
@ 2012-05-25 8:11 ` Arno Wagner
2012-05-25 9:37 ` Hp
2 siblings, 0 replies; 4+ messages in thread
From: Arno Wagner @ 2012-05-25 8:11 UTC (permalink / raw)
To: dm-crypt
Hi,
encryption is not your solution here. Basically, you can do some
kind of obfuscation or DRM, but they are all relatively easy to
break. There really is no good solution for this, although
a lot of people are unable to understand that fact.
My advice is to do without protection. Software will always be
easy to copy.
Arno
On Fri, May 25, 2012 at 03:29:14AM +0100, Nuno Reis wrote:
> Good morning.
>
> I would like to ask you about the best choice to have one or two luks
> encrypted partitions to boot automatically between reboots without me to
> enter a pass-phrase.
> I've made this already, but the way i'm doing it seems to be not very
> secure since the keyfile is referenced in /etc/crypttab and the keyfile and
> /etc/crypttab both reside on an unencrypted partition. If someone clones my
> HDD and connect it to some other system will easily be able to mount the
> unencrypted partitions and find the keyfile reference on /etc/crypttab to
> get the keyfile and unencrypt the protected partitions right?
> So basically my problem is that i want to sell a linux server with some
> software i've developed to a datacenter (as an appliance), but i don't want
> them to get to my software easily and i can't have a password prompt
> between reboots also.
> Can you point me out what you think would be the best solution for me?
> Thanks.
>
> BR,
> Nuno.
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [dm-crypt] linux luks automatic boot with keyfile (INSECURE)
2012-05-25 2:29 [dm-crypt] linux luks automatic boot with keyfile (INSECURE) Nuno Reis
2012-05-25 6:20 ` David Christensen
2012-05-25 8:11 ` Arno Wagner
@ 2012-05-25 9:37 ` Hp
2 siblings, 0 replies; 4+ messages in thread
From: Hp @ 2012-05-25 9:37 UTC (permalink / raw)
To: dm-crypt
Hi,
You may want look into using TPM and trusted-grub.
This allows you to bind a key to the physical device, and then only that
device can mount/decrypt the disk. (I never done this myself no idea how
hard or easy this is, neither I know how secure this really is. And
well, as it is physically bound to a system, you have to have a real
system, no VM and transfer it to other Hardware is not easy too)
Additional, you have to be careful to secure your OS while it runs (eg,
make it impossible to gain root, secure everything from the
user....thats no easy task, maybe even impossible with current OSes)
Imho, you should try not go this road. As with a lot of systems, you
have to think about every possible way to compromise the system (you
most likely will forget one), but the attacker has only to find ONE way
to break it. Just not worth the effort.
Depending on your requirements, you may want think about hosting the
software at a trusted location, and have your users use it remotely.
Or drop the technical solution in favor of a legal solutions. publish
your source, so you have prove of ownership and release date (or use
another way to make sure your code will be recognized as yours by a
court afterwards).
Have your software "pone home" and get a laywer. Make it clear you WILL
go to court. Most companies fear lawyers much more than nerds. Breaking
technical things seems to be a "gentlemen offence", breaking legal
things is considered "expensive".
On 25.05.2012 04:29, Nuno Reis wrote:
> Good morning.
>
> I would like to ask you about the best choice to have one or two luks
> encrypted partitions to boot automatically between reboots without me to
> enter a pass-phrase.
> I've made this already, but the way i'm doing it seems to be not very
> secure since the keyfile is referenced in /etc/crypttab and the keyfile and
> /etc/crypttab both reside on an unencrypted partition. If someone clones my
> HDD and connect it to some other system will easily be able to mount the
> unencrypted partitions and find the keyfile reference on /etc/crypttab to
> get the keyfile and unencrypt the protected partitions right?
> So basically my problem is that i want to sell a linux server with some
> software i've developed to a datacenter (as an appliance), but i don't want
> them to get to my software easily and i can't have a password prompt
> between reboots also.
> Can you point me out what you think would be the best solution for me?
> Thanks.
>
> BR,
> Nuno.
>
>
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
^ permalink raw reply [flat|nested] 4+ messages in thread