Morning Jeroen, Jonas and all who took the time to answer my question, Thanks a mil for your help and will see how to implement this Mandos solution with LUKS in our context.
Best regards, Thomas NGUYEN VAN ----- Original Message ----- From: "Jeroen van Dongen" <jer...@lbvd.nl> To: "Thomas Nguyen Van" <t.nguyen...@jumper.ie>, "Jonas Andradas" <j.andra...@gmail.com> Cc: debian-security@lists.debian.org Sent: Monday, January 24, 2011 11:22:13 AM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna Subject: RE: Question related to FDE (Full Disk Encryption) solution under Linux Debian Lenny RE: Question related to FDE (Full Disk Encryption) solution under Linux Debian Lenny > Hello Thomas, > > as Jeroen already said, the problem with this is that if they steal only the > hard-drive, the data should be safe. Instead, if they steal the > whole > server (which is somewhat harder, but not impossible), they only need it to > boot and the BIOS would decrypt the data for the attacker. Hello Jonas, Thomas, Actually, I beg to differ. I've both heard of and experienced situations where a server room was raided by criminals in which cases almost all systems were taken - lock, stock and barrel. I've never heard of or experienced situations where only the hard disk of a server was removed/stolen (at least not in situations where the server was a production server which was correctly housed in a purpose build server room). >From that point of view, I would strongly advise against using any technique >where the credentials required for decrypting/accessing the encrypted content >are stored on the same system. I cannot fathom a serious threat model in which >case this concept offers significant levels of security. In most cases if not >all it will give a false sense of security, the worst kind of all. A setup using Mandos in combination with LUKS would be preferable - although in that case it would be advisable to have the Mandos server located in another building from the actual servers. Otherwise there is the risk of the Mandos server being stolen together with the server(s) it helps secure. Rgds, Jeroen
