| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <D19F74M6B8UC.2VEOOZHGOS87V@kernel.org> Date: Tue, 14 May 2024 17:00:23 +0300 From: "Jarkko Sakkinen" <jarkko@...nel.org> To: "Ignat Korchagin" <ignat@...udflare.com> Cc: "James Bottomley" <James.Bottomley@...senpartnership.com>, "Mimi Zohar" <zohar@...ux.ibm.com>, "David Howells" <dhowells@...hat.com>, "Paul Moore" <paul@...l-moore.com>, "James Morris" <jmorris@...ei.org>, <serge@...lyn.com>, <linux-integrity@...r.kernel.org>, <keyrings@...r.kernel.org>, <linux-kernel@...r.kernel.org>, <kernel-team@...udflare.com> Subject: Re: [RFC PATCH 0/2] TPM derived keys On Tue May 14, 2024 at 4:11 PM EEST, Ignat Korchagin wrote: > For example, a cheap NAS box with no internal storage (disks connected > externally via USB). We want: > * disks to be encrypted and decryptable only by this NAS box So how this differs from LUKS2 style, which also systemd supports where the encryption key is anchored to PCR's? If I took hard drive out of my Linux box, I could not decrypt it in another machine because of this. > * if someone steals one of the disks - we don't want them to see it > has encrypted data (no LUKS header) So what happens when you reconnect? > Additionally we may want to SSH into the NAS for configuration and we > don't want the SSH server key to change after each boot (regardless if > disks are connected or not). Right, interesting use case. Begin before any technical jargon exactly with a great example like this. Then it is easier to start to anchoring stuff and not be misleaded. BR, Jarkko
Powered by blists - more mailing lists