On Tue, 2004-09-07 at 15:22, Steve Watt wrote: > Having the password compiled in to something that's necessarily clear-text > on the same media?
Sorry for being late... I'm still catching up on piles of email :) Instead of having a plaintext password on the same media, how about a mechanism that reads the CPU's serial number, or some other hardware dependent number that can not be read by users on a system. If the drive gets removed from the system, the attacker would have a challenge. Of course you have to be careful before you replace failed hardware that is used to derive the key :) Don't replace the failed CPU before you decrypted... no wait... uhm... :) Okay, how about an offline copy of the number in case of hardware failure... :) Seriously though, tying the boot process to a hardware dependent value that is not accessible from within the booted system might be something to consider. Any thoughts? Regards, Frank
signature.asc
Description: This is a digitally signed message part
