lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 12 Dec 2010 12:28:46 +0100
From: stormrider <strmrdr42@...oo.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Just how secure encrypted linux partitions
 really	are?

You should take care of a few things when encrypting hard
drives and feeling secure with it.

* Do's *

A) Use a token. That means: Generate a loooong key. Encrypt that key and 
put the encrypted key on a thumb-drive. Make sure you leave no trace 
when doing that step. (Good way is to make that part from a live-cd). So 
when you want to mount the disc, you use a password, that decrypts the 
*real* key from the thumb-drive and uses that to decrypt the disc.
Make sure nobody copies your token. That gives you two access 
components: *Have* the token and *Know* the password. Just like your 
bank card.

B) Mostly messed up rule: Use a strong password! You can have TPM or a 
super secret USB Token or whatsoever. When they get your password 
nothing's secure anymore. You may want to begin shivering at that point. 
(shiver less when you had time to destroy your token before. Stop 
shivering when you're 100% sure nobody made a copy of your token)

* Reminds *

As long as the machine is running there is almost no protection of the data!

1) Every vulnerability inside the OS or daemons or else could make 
accessing your data possible - just as if there was no encryption.

2) Other attack vectors depend on *who* might want to take a closer 
look. For some people it makes quite a lot fun to freeze your system RAM 
and read it out later. That would indeed reveal your key.

3) Any unauthorized access to your box voids the system integrity so you 
should think about countermeasures. Broken integrity means forget 
encryption as a mighty little goblin might sit on your PCI bus reading 
your RAM by DMA (also elves and fairies thinkable).

So if you want to be sure about that you shouldn't leave your box alone 
and running. If you do so, make sure the power gets switched off as soon 
as someone enters the room. Also make sure that it takes a few minutes 
to gain access to your memory sticks after power loss, as it takes some 
time until the data is vanished from memory.

You also shouldn't connect your box to any network - So actually the 
best thing you can do is: keep your secrets in mind, not on disc. You 
then only have to make sure not being water-boarded or so, as this might 
also break your mind (this might also make you shout out any password 
anyways - so avoid that) ;-)

stromrider


Am 12.12.2010 01:43, schrieb Levente Peres:
> Hello to All,
>
> If anyone have serious hands-on experience with this, I would like to
> know some hard facts about this matter... I thought to ask you, because
> here're some of the top experts in this field, so I could find few
> better places. Hope you can nodge me in the right direction, and take
> the time to answer this.
>
> Let's suppose I have a CentOS server, with encrypted root partition, and
> I put the /boot partition on a separate USB key for good measure.
> Encryption technology is the default which "ships" with CentOS 5.5 and
> it's LVM.
>
> If someone gets hold of that machine, or rather, the drives inside the
> Smart Array, what are the chances he can "decrypt" the root partition,
> thus gaining access to the files, if he doesn't know the key? I mean I
> know that given enough time, probably it could be done with brute-force.
> But seriously, how much of a hinderance this is to anyone attempting to
> do this? Does it offer any serious protection or is it just some
> inconvenience to the person conducting the analysis of the machine? How
> realistic is it that one can accomplish the decryption inside a
> reasonable amount of time (like, say, within half a year or so)?
>
> Could some of you please give me some of your thoughts about this? And,
> maybe, what other methods of file system encryption are out there which
> are more secure?
>
> Thanks,
>
> Levente
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ