stormrider, Jeffrey, Thor... and all others, You gave me quite a bit of thinking, reading and reconsidering to do. I'm going to have to redesign the whole issue from scratch - not that it's a bad thing. Better investing some more time and effort now, than sweat maybe later. Thank you so much for taking the time to answer me.
Levente 2010.12.12. 12:28 keltezéssel, stormrider írta: > You should take care of a few things when encrypting hard > drives and feeling secure with it. > > * Do's * > > A) Use a token. That means: Generate a loooong key. Encrypt that key and > put the encrypted key on a thumb-drive. Make sure you leave no trace > when doing that step. (Good way is to make that part from a live-cd). So > when you want to mount the disc, you use a password, that decrypts the > *real* key from the thumb-drive and uses that to decrypt the disc. > Make sure nobody copies your token. That gives you two access > components: *Have* the token and *Know* the password. Just like your > bank card. > > B) Mostly messed up rule: Use a strong password! You can have TPM or a > super secret USB Token or whatsoever. When they get your password > nothing's secure anymore. You may want to begin shivering at that point. > (shiver less when you had time to destroy your token before. Stop > shivering when you're 100% sure nobody made a copy of your token) > > * Reminds * > > As long as the machine is running there is almost no protection of the data! > > 1) Every vulnerability inside the OS or daemons or else could make > accessing your data possible - just as if there was no encryption. > > 2) Other attack vectors depend on *who* might want to take a closer > look. For some people it makes quite a lot fun to freeze your system RAM > and read it out later. That would indeed reveal your key. > > 3) Any unauthorized access to your box voids the system integrity so you > should think about countermeasures. Broken integrity means forget > encryption as a mighty little goblin might sit on your PCI bus reading > your RAM by DMA (also elves and fairies thinkable). > > So if you want to be sure about that you shouldn't leave your box alone > and running. If you do so, make sure the power gets switched off as soon > as someone enters the room. Also make sure that it takes a few minutes > to gain access to your memory sticks after power loss, as it takes some > time until the data is vanished from memory. > > You also shouldn't connect your box to any network - So actually the > best thing you can do is: keep your secrets in mind, not on disc. You > then only have to make sure not being water-boarded or so, as this might > also break your mind (this might also make you shout out any password > anyways - so avoid that) ;-) > > stromrider > > > Am 12.12.2010 01:43, schrieb Levente Peres: >> Hello to All, >> >> If anyone have serious hands-on experience with this, I would like to >> know some hard facts about this matter... I thought to ask you, because >> here're some of the top experts in this field, so I could find few >> better places. Hope you can nodge me in the right direction, and take >> the time to answer this. >> >> Let's suppose I have a CentOS server, with encrypted root partition, and >> I put the /boot partition on a separate USB key for good measure. >> Encryption technology is the default which "ships" with CentOS 5.5 and >> it's LVM. >> >> If someone gets hold of that machine, or rather, the drives inside the >> Smart Array, what are the chances he can "decrypt" the root partition, >> thus gaining access to the files, if he doesn't know the key? I mean I >> know that given enough time, probably it could be done with brute-force. >> But seriously, how much of a hinderance this is to anyone attempting to >> do this? Does it offer any serious protection or is it just some >> inconvenience to the person conducting the analysis of the machine? How >> realistic is it that one can accomplish the decryption inside a >> reasonable amount of time (like, say, within half a year or so)? >> >> Could some of you please give me some of your thoughts about this? And, >> maybe, what other methods of file system encryption are out there which >> are more secure? >> >> Thanks, >> >> Levente >> >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > --- > avast! Antivirus: Inbound message clean. > Virus Database (VPS): 101211-1, 2010.12.11 > Tested on: 2010.12.12. 12:36:20 > avast! - copyright (c) 1988-2010 AVAST Software. > http://www.avast.com > > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
