--On Thursday, June 05, 2003 11:14:36 AM +0200 Marcel Weber <[EMAIL PROTECTED]> wrote:
Luis Gomez - InfoEmergencias wrote:We're already looking at that (btw, IIRC loop-aes is included into the cryptoapi of kerneli.org). The problem is what Dariush points: if your machine has the pass to mount the filesystem, someone can put the HD in another machine, remove the root password, put the HD back in my original server, boot it, login as root and access whatever content we have there. Or just find the script that mounts the ciphered filesystem, look at its password and mount the ciphered fs himself :-(
What about taking some computer / server specific things to generate the password? Say, the mac address of the NIC, the CPUs ID, some other stuff from the bios? Take all this things, make a md5 hash and use it as password. Of course, it would not be very secure, as anyone that has access to the computer could figure out how this password is put together. It would rather be security by obscurity...
The built in certificates of a TWCP (or whatever it is called, you know the hardware side of these palladium stuff) would come handy for such a purpose...
Making the encryption key hardware dependent would make it a hard job to decrypt the harddrive in another computer...
On the other hand - what will you do if your server gets a hardware problem and you have to replace/expand the system with a new NIC, add another CPU, exchange anything in the box.
So after a simple hardware problem all your own data is lost as well, even if the harddrive is not having any problems.
Just my 2 cents. :-)
Harry
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
